Hi guys

We are finally almost ready for 5.17.1 release. Only two Jira with PRs are under review. I will work on these ones today.
I plan to submit 5.17.1 to vote tomorrow.

Thanks
Regards
JB

On Mon, Apr 11, 2022 at 07:50, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> Hi guys,
>
> Quick update about ActiveMQ 5.17.1 release.
>
> We have the last update PRs to merge and a couple of fixes to do. I'm
> working on it this week. I will submit 5.17.1 to vote by the end of
> the week.
>
> Regards
> JB
>
> On Sat, Apr 2, 2022 at 6:11 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> > Hi Bruce;
> >
> > Yes ActiveMQ 5.17.x requires JDK 11, and yes, client part doesn't use
> > Spring (only broker does).
> >
> > Regards
> > JB
> >
> > On Fri, Apr 1, 2022 at 11:41 PM W B D <w...@users.sourceforge.net> wrote:
> > >
> > > Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE 11+ (or
> > > >1.8 in any case) at runtime, even if only using the client JAR (without
> > > the additional dependencies required to support embedded brokers using the
> > > vm and peer transports, for example).
> > >
> > > And second, please confirm, I don't need to worry about these Spring
> > > related vulnerabilities if using only the client JAR e.g. for tcp or
> > > failover connections, with no embedded brokers.
> > >
> > > If this second point is correct, then at least it shouldn't be a big deal
> > > if some of our client applications do need to reference ActiveMQ client
> > > version 5.16.4, even after our broker(s) have been upgraded to 5.17.1+.
> > >
> > > Thanks,
> > > Bruce D
> > >
> > > On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <mattr...@gmail.com> wrote:
> > >
> > > > One more note— the current exploit _requires_ JDK 9+, so many 5.15.x and
> > > > some 5.16.x would not be impacted.
> > > >
> > > > > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <mattr...@gmail.com> wrote:
> > > > >
> > > > > @JB — Agreed, so far there is no published exploit that would impact
> > > > > ActiveMQ.
> > > > >
> > > > > Here is the latest I was able to find from Spring regarding backports
> > > > > (sounds like no 4.x patch is coming):
> > > > >
> > > > > ref: https://github.com/spring-projects/spring-framework/issues/28260
> > > > >
> > > > > Thanks,
> > > > > Matt Pavlovich
> > > > >
> > > > >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> > > > >>
> > > > >> Hi,
> > > > >>
> > > > >> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> > > > >> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
> > > > >> ;)
> > > > >>
> > > > >> In the context of ActiveMQ, the CVE is not very severe IMHO.
> > > > >>
> > > > >> Regards
> > > > >> JB
> > > > >>
> > > > >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattr...@gmail.com> wrote:
> > > > >>>
> > > > >>> @JB—
> > > > >>>
> > > > >>> The Spring release documentation is indicating that “older
> > > > >>> unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
> > > > >>>
> > > > >>> If we do not get a Spring 4.x fix, we may need a corresponding
> > > > >>> announcement deprecating 5.16.x.
> > > > >>>
> > > > >>> Thoughts?
> > > > >>> Matt Pavlovich
> > > > >>>
> > > > >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> > > > >>>>
> > > > >>>> Hi guys,
> > > > >>>>
> > > > >>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> > > > >>>> submit it to vote during the weekend or next week.
> > > > >>>>
> > > > >>>> One of the main reasons is to update to Spring 5.3.18 which includes
> > > > >>>> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> > > > >>>> I also have other fixes/updates to add.
> > > > >>>>
> > > > >>>> Regards
> > > > >>>> JB