> It's probably time to start removing Spring entirely as a dependency as
> it doesn't provide any value really and just a ton of issues with security
> issues etc.

This is one of the main reasons Artemis eschewed Spring completely in this
regard. Using it for anything other than basic integration tests is asking
for a headache, although I can totally understand why it was adopted for
this use 14 years ago now. The apparent convenience is attractive.


Justin

On Tue, Nov 26, 2024 at 11:14 AM Christopher Shannon <
christopher.l.shan...@gmail.com> wrote:

> As a side note, I understand that Spring has discontinued support for 5.3.x
> but it's pretty unfortunate they won't even backport CVE fixes (like Jetty
> does for 9.4.x)
>
> I guess we need to start providing a warning for users that are going to
> use 5.18.x that the version of Spring isn't maintained anymore. Spring is
> at least optional and is needed for the Xml config, but I don't think it is
> needed for anything else but I'd need to double check. It's possible the
> dependencies are being transitively included elsewhere though.
>
> It's probably time to start removing Spring entirely as a dependency as it
> doesn't provide any value really and just a ton of issues with security
> issues etc. Unfortunately that means we need to figure out something else
> to use for the XML config I guess.
>
> On Tue, Nov 26, 2024 at 12:01 PM Matthew Gay
> <matthew....@broadcom.com.invalid> wrote:
>
> > Thanks.  Chris is right.  Looks like they are commercial releases only.
> >
> > Sorry for the confusion and fire drill.  Appreciate the responses.
> >
> >
> > Matthew Gay
> >
> > Principal Support Engineer | Agile Operations Division
> >
> > Broadcom
> >
> > matthew....@broadcom.com
> >
> > Twitter <https://twitter.com/BroadcomSW> | LinkedIn
> > <https://www.linkedin.com/company/broadcomsoftware>
> >
> >
> > *To help expedite routing to the correct SME, please follow these
> > **SUGGESTIONS
> > <https://knowledge.broadcom.com/external/article?articleId=275717> when
> > opening a DX NetOps case*
> >
> >
> > On Tue, Nov 26, 2024 at 11:58 AM Christopher Shannon <
> > christopher.l.shan...@gmail.com> wrote:
> >
> >> That version is probably a commercial release. This blog post talks about
> >> version 5.3.42 as commercial
> >>
> >> https://spring.io/blog/2024/11/15/spring-framework-cve-2024-38828-published
> >>
> >> So obviously we won't be upgrading to anything beyond 5.3.39 as that is the
> >> last open source release.
> >>
> >> On Tue, Nov 26, 2024 at 11:50 AM Justin Bertram <jbert...@apache.org>
> >> wrote:
> >>
> >> > > ...5.3.41 resolves those vulnerabilities.
> >> >
> >> > There is no release for Spring 5.3.41. It is not tagged in their repo [1]
> >> > and it is not in Maven [2].
> >> >
> >> > > What version of AMQ will be updating Spring to that version?
> >> >
> >> > That remains to be seen since Spring 5.3.41 isn't yet released.
> >> > Furthermore, 5.3.40 is also not yet released.
> >> >
> >> > > Shouldn't AMQ include the latest Spring?
> >> >
> >> > Based on the evidence Spring 5.3.39 _is_ the latest release.
> >> >
> >> > What has given you the impression that Spring 5.3.41 is available?
> >> >
> >> >
> >> > Justin
> >> >
> >> > [1] https://github.com/spring-projects/spring-framework/tags
> >> > [2] https://repo1.maven.org/maven2/org/springframework/spring-core/
> >> >
> >> > On Tue, Nov 26, 2024 at 10:20 AM Matthew Gay
> >> > <matthew....@broadcom.com.invalid> wrote:
> >> >
> >> > > Sorry, I got my versions mixed up.
> >> > >
> >> > > Spring 5.3.39 is currently shipped with AMQ and is vulnerable.
> >> > > 5.3.41 resolves those vulnerabilities.
> >> > >
> >> > > What version of AMQ will be updating Spring to that version?
> >> > > I see on your link provided (thank you) that it is still 5.3.39 with a
> >> > > release date of late December.
> >> > >
> >> > > Shouldn't AMQ include the latest Spring?
> >> > >
> >> > >
> >> > > Matthew Gay
> >> > >
> >> > > On Tue, Nov 26, 2024 at 10:57 AM Jean-Baptiste Onofré <j...@nanthrax.net>
> >> > > wrote:
> >> > >
> >> > >> Hi Matt
> >> > >>
> >> > >> Not sure I understand: Spring 5.18.41 doesn't exist afaik (
> >> > >> https://repo1.maven.org/maven2/org/springframework/spring-core/).
> >> > >>
> >> > >> ActiveMQ 5.18.x is using Spring 5.3.39.
> >> > >>
> >> > >> You can find Spring versions used on the table here:
> >> > >> https://activemq.apache.org/components/classic/download/ (in the
> >> > >> schedule & status section).
> >> > >>
> >> > >> Regards
> >> > >> JB
> >> > >>
> >> > >> On Tue, Nov 26, 2024 at 4:45 PM Matthew Gay
> >> > >> <matthew....@broadcom.com.invalid> wrote:
> >> > >>
> >> > >> > Hi Team,
> >> > >> >
> >> > >> > Is there any timeline or versioning available for when AMQ will update to
> >> > >> > Spring 5.18.41?
> >> > >> >
> >> > >> > Thanks!
> >> > >> > Matt
> >> > >> >
> >> > >> >
> >> > >> > Matthew Gay
> >> > >> >
> >> > >> > This electronic communication and the information and any files
> >> > >> > transmitted with it, or attached to it, are confidential and are
> >> > >> > intended solely for the use of the individual or entity to whom it is
> >> > >> > addressed and may contain information that is confidential, legally
> >> > >> > privileged, protected by privacy laws, or otherwise restricted from
> >> > >> > disclosure to anyone else. If you are not the intended recipient or the
> >> > >> > person responsible for delivering the e-mail to the intended recipient,
> >> > >> > you are hereby notified that any use, copying, distributing,
> >> > >> > dissemination, forwarding, printing, or copying of this e-mail is
> >> > >> > strictly prohibited. If you received this e-mail in error, please
> >> > >> > return the e-mail to the sender, delete it from your computer, and
> >> > >> > destroy any printed copy of it.