Matt, the CVE you are referring to is this one: https://spring.io/security/cve-2024-38816 ?

Thanks,
Ken

On Wed, Nov 27, 2024 at 7:51 AM Matt Pavlovich <mattr...@gmail.com> wrote:
> Matthew-
>
> The workaround for the Spring MVC CVE is to disable the web console by
> removing the jetty.xml import from the activemq.xml.
>
> We have been discussing removing Spring as a required dependency for
> ActiveMQ and I expect this situation to expedite those efforts.
>
> On a seemingly ironic or perhaps Shakespearian comical related note, I
> would request that you bubble up the request to the management at Broadcom.
> Broadcom purchased VMware (which I believe still owns SpringSource and the
> Spring dev team), so Broadcom management is fully in a position to solve
> this pain point impacting Broadcom by simply approving an open source
> release with the CVE fix.
>
> Thanks,
> Matt Pavlovich
>
> > On Nov 26, 2024, at 11:50 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> > Hi,
> >
> > Spring doesn't provide new versions on 5.3.x outside of enterprise support.
> >
> > You can see that 5.3.41 is not available on Maven Central (it's only on
> > the private Spring repo).
> >
> > So, I strongly encourage you to upgrade to a new ActiveMQ version that uses
> > a new Spring version.
> >
> > Regards
> > JB
> >
> > On Tue, Nov 26, 2024 at 5:12 PM Matthew Gay
> > <matthew....@broadcom.com.invalid> wrote:
> >
> >> Sorry, I got my versions mixed up.
> >>
> >> Spring 5.3.39 is currently shipped with AMQ and is vulnerable.
> >> 5.3.41 resolves those vulnerabilities.
> >>
> >> What version of AMQ will be updating Spring to that version?
> >> I see on your link provided (thank you) that it is still 5.3.39 with a
> >> release date of late December.
> >>
> >> Shouldn't AMQ include the latest Spring?
> >>
> >> Matthew Gay
> >> Principal Support Engineer | Agile Operations Division
> >> Broadcom
> >>
> >> On Tue, Nov 26, 2024 at 10:57 AM Jean-Baptiste Onofré <j...@nanthrax.net>
> >> wrote:
> >>
> >>> Hi Matt
> >>>
> >>> Not sure I understand: Spring 5.18.41 doesn't exist afaik
> >>> (https://repo1.maven.org/maven2/org/springframework/spring-core/).
> >>>
> >>> ActiveMQ 5.18.x is using Spring 5.3.39.
> >>>
> >>> You can find the Spring versions used in the table here:
> >>> https://activemq.apache.org/components/classic/download/ (in the
> >>> schedule & status section).
> >>>
> >>> Regards
> >>> JB
> >>>
> >>> On Tue, Nov 26, 2024 at 4:45 PM Matthew Gay
> >>> <matthew....@broadcom.com.invalid> wrote:
> >>>
> >>>> Hi Team,
> >>>>
> >>>> Is there any timeline or versioning available for when AMQ will update
> >>>> to Spring 5.18.41?
> >>>>
> >>>> Thanks!
> >>>> Matt
> >>>>
> >>>> Matthew Gay
> >>>> Principal Support Engineer | Agile Operations Division
> >>>> Broadcom
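Matt's workaround above (dropping the jetty.xml import from activemq.xml so the broker never starts the web console) applied and checked as a shell script. This is an added example, not code from the thread or from the ActiveMQ project; it assumes the default conf/activemq.xml layout where the console is wired in by a single `<import resource="jetty.xml"/>` line, and uses a constructed sample config in place of the real file.

```shell
#!/bin/sh
# Added example: remove the jetty.xml import from an activemq.xml and verify it.
# The sample config written by make_sample_config is constructed for this demo.

# Write a constructed activemq.xml that mirrors the default layout.
make_sample_config() {
  cat > "$1" <<'EOF'
<beans xmlns="http://www.springframework.org/schema/beans">
    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    </broker>
    <!-- Enable web consoles, REST and Ajax APIs and demos -->
    <import resource="jetty.xml"/>
</beans>
EOF
}

# Keep a backup of the original, then drop every line that imports jetty.xml.
# Only that import is touched; the broker definition itself is left intact.
disable_web_console() {
  cfg="$1"
  cp "$cfg" "$cfg.bak"
  sed '/<import[^>]*resource="jetty\.xml"/d' "$cfg.bak" > "$cfg"
}

# Exit 0 when the config no longer references jetty.xml, 1 when it still does.
web_console_disabled() {
  ! grep -q 'resource="jetty\.xml"' "$1"
}

# Demo on the constructed sample in a temporary directory.
demo() {
  dir=$(mktemp -d)
  cfg="$dir/activemq.xml"
  make_sample_config "$cfg"
  disable_web_console "$cfg"
  web_console_disabled "$cfg" && echo "jetty.xml import removed from $cfg"
}
```

Point `disable_web_console` at the real conf/activemq.xml, restart the broker, and confirm nothing is listening on the console port (8161 by default) before considering the workaround in place.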