Hi,

I've been looking at some of the dependencies ActiveMQ uses and attempting to update the versions, as a few have CVEs listed against them. I appreciate that doesn't necessarily mean ActiveMQ is vulnerable to those issues filed against those dependencies, but I guess it's good to look at these and keep them up to date.

I've specifically attempted to update:

jackson-databind -> 2.9.8
spring -> 4.3.22.RELEASE
shiro -> 1.4.0
zookeeper -> 3.4.13
guava -> 27.0.1
jetty -> 9.4.15.v20190215

I'm currently working through a few test failures, particularly in activemq-http, which look like they relate to the jetty update and checking host names on the certificates. Changing the host from 127.0.0.1 to localhost in the URL on the client side helps for most tests, although there are some failures around using client certificates that I'm working through. I'll send a PR when I get the tests passing.

If there are any tips or feedback anyone has around any of this I would be grateful - particularly if anyone can see any issue with updating these or if you think I'm barking up the wrong tree.

Many thanks
Jon
