Matthew-

The workaround for the Spring MVC CVE is to disable the web console by removing the jetty.xml import from the activemq.xml.

We have been discussing removing Spring as a required dependency for ActiveMQ and I expect this situation to expedite those efforts.

On a seemingly ironic or perhaps Shakespearian comical related note— I would request that you bubble up the request to the management at Broadcom. Broadcom purchased VMware (which I believe still owns SpringSource and the Spring dev team), so Broadcom management is fully in a position to solve this pain point impacting Broadcom by simply approving an open source release with the CVE fix.

Thanks,
Matt Pavlovich

> On Nov 26, 2024, at 11:50 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
> Hi,
>
> Spring doesn't provide new versions on 5.3.x outside of enterprise support.
>
> You can see that 5.3.41 is not available on Maven Central (it's only on
> private Spring repo).
>
> So, I strongly encourage upgrading to a new ActiveMQ version that uses a new
> Spring version.
>
> Regards
> JB
>
> On Tue, Nov 26, 2024 at 5:12 PM Matthew Gay
> <matthew....@broadcom.com.invalid> wrote:
>
>> Sorry, I got my versions mixed up.
>>
>> Spring 5.3.39 is currently shipped with AMQ and is vulnerable.
>> 5.3.41 resolves those vulnerabilities.
>>
>> What version of AMQ will be updating Spring to that version?
>> I see on your link provided (thank you) that it is still 5.3.39 with a
>> release date of late December.
>>
>> Shouldn't AMQ include the latest Spring?
>>
>> Matthew Gay
>> Principal Support Engineer | Agile Operations Division
>> Broadcom
>>
>> On Tue, Nov 26, 2024 at 10:57 AM Jean-Baptiste Onofré <j...@nanthrax.net>
>> wrote:
>>
>>> Hi Matt
>>>
>>> Not sure I understand: Spring 5.18.41 doesn't exist afaik (
>>> https://repo1.maven.org/maven2/org/springframework/spring-core/).
>>>
>>> ActiveMQ 5.18.x is using Spring 5.3.39.
>>>
>>> You can find Spring versions used on the table here:
>>> https://activemq.apache.org/components/classic/download/ (in the
>>> schedule & status section).
>>>
>>> Regards
>>> JB
>>>
>>> On Tue, Nov 26, 2024 at 4:45 PM Matthew Gay
>>> <matthew....@broadcom.com.invalid> wrote:
>>>
>>>> Hi Team,
>>>>
>>>> Is there any timeline or versioning available for when AMQ will update
>>>> to Spring 5.18.41?
>>>>
>>>> Thanks!
>>>> Matt
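
The workaround given at the top of this thread (removing the jetty.xml import from activemq.xml) can be checked after the change. This is an added example, not part of the original e-mails and not ActiveMQ code; the two XML samples are constructed, and the function names are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples shaped like a conf/activemq.xml (not from a real deployment).
CONSOLE_ENABLED = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost"/>
  <import resource="jetty.xml"/>
</beans>"""

CONSOLE_DISABLED = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost"/>
  <!-- <import resource="jetty.xml"/> -->
</beans>"""


def active_jetty_imports(xml_text):
    """Return the resource values of live <import> elements that load jetty.xml."""
    # ElementTree drops XML comments, so a commented-out import is not reported.
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix
        resource = elem.get("resource", "")
        # Match on the file name so "file:${activemq.conf}/jetty.xml" also counts.
        file_name = resource.replace("\\", "/").split("/")[-1]
        if local_name == "import" and file_name == "jetty.xml":
            hits.append(resource)
    return hits


def web_console_disabled(xml_text):
    """True when no live jetty.xml import remains in the given activemq.xml text."""
    return not active_jetty_imports(xml_text)


if __name__ == "__main__":
    # Usage: python check_console.py /path/to/conf/activemq.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = CONSOLE_ENABLED
    found = active_jetty_imports(text)
    print("jetty.xml import still active:" if found else "no active jetty.xml import", found)
    sys.exit(1 if found else 0)
```

The check covers only the import the workaround names; it does not detect Jetty beans defined some other way.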