This is being tracked already here: https://issues.apache.org/jira/browse/AMQ-7103
Some dependencies were updated for 5.15.9 which is under vote now but as you found some other ones cause failures and need to be looked at. See: http://activemq.2283324.n4.nabble.com/VOTE-Apache-ActiveMQ-5-15-9-tp4749473.html On Fri, Mar 15, 2019 at 10:13 AM Jonathan Gallimore < [email protected]> wrote: > Hi > > I've been looking at some of the dependencies ActiveMQ uses and attempting > to update the versions, as a few have CVEs listed against them. I > appreciate that doesn't necessarily mean ActiveMQ is vulnerable to those > issues filed against those dependencies, but guess its good to look at > these and keep them up to date. > > I've specifically attempted to update: > > jackson-databind -> 2.9.8 > spring -> 4.3.22.RELEASE > shiro -> 1.4.0 > zookeeper -> 3.4.13 > guava -> 27.0.1 > jetty -> 9.4.15.v20190215 > > I'm currently working through a few test failures, particularly in > activemq-http which look like they relate to the jetty update, and checking > host names on the certificates. Changing the host from 127.0.0.1 to > localhost in the URL on the client side helps for most tests, although > there are some failures around using client certificates that I'm working > through. I'll send a PR when get the tests passing. > > If there are any tips or feedback anyone has around any of this I would be > grateful - particularly if anyone can see any issue with updating these or > if you think I'm barking up the wrong tree. > > Many thanks > > Jon >
