JB, here's the email announcing the CVE, and it indicates that it was fixed in the 5.15.6 release:

https://lists.apache.org/[email protected]:2018-9

Here is the JIRA issue:

https://issues.apache.org/jira/browse/AMQ-7047

I do see that this was cherry picked into the 5.15.x branch, so you should be able to chase it down further from the info there.

Bruce

On Wed, Jul 3, 2019 at 10:39 PM Jean-Baptiste Onofré <[email protected]> wrote:

> Hi,
>
> I'm gonna take a look. If the CVE has been published, they should be fixed
> already. The point is more on which branch it has been fixed.
>
> So, let me do a pass as I'm preparing 5.15.10.
>
> Regards
> JB
>
> On 04/07/2019 06:01, venu madhav wrote:
> > Hi team,
> >
> > I am running a dummy project to scan the vulnerabilities using OWASP
> > dependency-check. The project doesn't contain anything except for the
> > activemq jars added as dependencies in the pom.xml. Even when we use the
> > latest version of activemq-kahadb-store jar (5.15.9 version) we see some
> > vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally
> > should be fixed in the latest release as per mentioned in the link:
> > https://activemq.apache.org/components/classic/security
> >
> > Can you please check and tell if the issue is not fixed or NVD database
> > is still showing the vulnerability even if the issue is fixed.
> >
> > I have attached the pom.xml and the dependency check reports for your
> > reference.
>
> --
> Jean-Baptiste Onofré
> [email protected]
> http://blog.nanthrax.net
> Talend - http://www.talend.com

--
perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*" );'
ActiveMQ in Action: http://bit.ly/2je6cQ
Blog: http://bsnyder.org/ <http://bruceblog.org/>
Twitter: http://twitter.com/brucesnyder
