Hi Christopher,

Many thanks for the link to the JIRA ticket - I'll follow that, and provide any updates I can.

Jon

On Fri, Mar 15, 2019 at 3:20 PM Christopher Shannon <[email protected]> wrote:

> This is being tracked already here:
> https://issues.apache.org/jira/browse/AMQ-7103
>
> Some dependencies were updated for 5.15.9 which is under vote now but as you found some other ones cause failures and need to be looked at.
>
> See:
> http://activemq.2283324.n4.nabble.com/VOTE-Apache-ActiveMQ-5-15-9-tp4749473.html
>
> On Fri, Mar 15, 2019 at 10:13 AM Jonathan Gallimore <[email protected]> wrote:
>
> > Hi
> >
> > I've been looking at some of the dependencies ActiveMQ uses and attempting to update the versions, as a few have CVEs listed against them. I appreciate that doesn't necessarily mean ActiveMQ is vulnerable to those issues filed against those dependencies, but guess it's good to look at these and keep them up to date.
> >
> > I've specifically attempted to update:
> >
> > jackson-databind -> 2.9.8
> > spring -> 4.3.22.RELEASE
> > shiro -> 1.4.0
> > zookeeper -> 3.4.13
> > guava -> 27.0.1
> > jetty -> 9.4.15.v20190215
> >
> > I'm currently working through a few test failures, particularly in activemq-http which look like they relate to the jetty update, and checking host names on the certificates. Changing the host from 127.0.0.1 to localhost in the URL on the client side helps for most tests, although there are some failures around using client certificates that I'm working through. I'll send a PR when I get the tests passing.
> >
> > If there are any tips or feedback anyone has around any of this I would be grateful - particularly if anyone can see any issue with updating these or if you think I'm barking up the wrong tree.
> >
> > Many thanks
> >
> > Jon
