Hi Ken,

It was this one:

https://spring.io/security/cve-2024-38819

Thanks!
Matt


Matthew Gay

Principal Support Engineer | Agile Operations Division

Broadcom

matthew....@broadcom.com

Twitter <https://twitter.com/BroadcomSW> | LinkedIn
<https://www.linkedin.com/company/broadcomsoftware>


*To help expedite routing to the correct SME, please follow these **SUGGESTIONS
<https://knowledge.broadcom.com/external/article?articleId=275717> when
opening a DX NetOps case*


On Wed, Nov 27, 2024 at 1:12 PM Ken Liao <kenlia...@gmail.com> wrote:

> Matt, the CVE you are referring to is this one
> https://spring.io/security/cve-2024-38816 ?
>
> Thanks,
> Ken
>
> On Wed, Nov 27, 2024 at 7:51 AM Matt Pavlovich <mattr...@gmail.com> wrote:
>
> > Matthew-
> >
> > The workaround for the Spring MVC CVE is to disable the web console by
> > removing the jetty.xml import from the activemq.xml.
> >
> > We have been discussing removing Spring as a required dependency for
> > ActiveMQ and I expect this situation to expedite those efforts.
> >
> > On a seemingly ironic or perhaps Shakespearian comical related note— I
> > would request that you bubble up the request to the management at Broadcom.
> > Broadcom purchased VMware (which I believe still owns SpringSource and the
> > Spring dev team), so Broadcom management is fully in a position to solve
> > this pain point impacting Broadcom by simply approving an open source
> > release with the CVE fix.
> >
> > Thanks,
> > Matt Pavlovich
> >
> > > On Nov 26, 2024, at 11:50 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> > >
> > > Hi,
> > >
> > > Spring doesn't provide new versions on 5.3.x outside of enterprise support.
> > >
> > > You can see that 5.3.41 is not available on Maven Central (it's only on
> > > the private Spring repo).
> > >
> > > So, I strongly encourage upgrading to a new ActiveMQ version that uses a
> > > new Spring version.
> > >
> > > Regards
> > > JB
> > >
> > >
> > > On Tue, Nov 26, 2024 at 5:12 PM Matthew Gay
> > > <matthew....@broadcom.com.invalid> wrote:
> > >
> > >> Sorry, I got my versions mixed up.
> > >>
> > >> Spring 5.3.39 is currently shipped with AMQ and is vulnerable.
> > >> 5.3.41 resolves those vulnerabilities.
> > >>
> > >> What version of AMQ will be updating Spring to that version?
> > >> I see on your link provided (thank you) that it is still 5.3.39 with a
> > >> release date of late December.
> > >>
> > >> Shouldn't AMQ include the latest Spring?
> > >>
> > >>
> > >>
> > >> On Tue, Nov 26, 2024 at 10:57 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> > >>
> > >>> Hi Matt
> > >>>
> > >>> Not sure I understand: Spring 5.18.41 doesn't exist afaik (
> > >>> https://repo1.maven.org/maven2/org/springframework/spring-core/).
> > >>>
> > >>> ActiveMQ 5.18.x is using Spring 5.3.39.
> > >>>
> > >>> You can find Spring versions used on the table here:
> > >>> https://activemq.apache.org/components/classic/download/ (in the
> > >>> schedule & status section).
> > >>>
> > >>> Regards
> > >>> JB
> > >>>
> > >>> On Tue, Nov 26, 2024 at 4:45 PM Matthew Gay
> > >>> <matthew....@broadcom.com.invalid> wrote:
> > >>>
> > >>>> Hi Team,
> > >>>>
> > >>>> Is there any timeline or versioning available for when AMQ will update to
> > >>>> Spring 5.18.41?
> > >>>>
> > >>>> Thanks!
> > >>>> Matt
> > >>>>
> > >>>
> > >>
> >
>

-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.
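
Added example, not part of the thread and not ActiveMQ project code: a check for the two conditions discussed above, namely whether `activemq.xml` still has an active `jetty.xml` import (the workaround removes it) and whether the bundled Spring jars are below 5.3.41, the version the thread names as fixed. The sample XML, the jar names and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED_SPRING = (5, 3, 41)  # version the thread names as resolving the CVE on 5.3.x

# Constructed sample: abbreviated conf/activemq.xml with one import commented out.
SAMPLE_ENABLED = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost"/>
  <!-- <import resource="camel.xml"/> -->
  <import resource="jetty.xml"/>
</beans>"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace(
    '<import resource="jetty.xml"/>', '<!-- <import resource="jetty.xml"/> -->')


def web_console_imported(activemq_xml: str) -> bool:
    """True if an active (not commented-out) <import> pulls in jetty.xml."""
    root = ET.fromstring(activemq_xml)  # the parser discards XML comments
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip the namespace, if any
        # Last path segment, so "file:${activemq.conf}/jetty.xml" also matches.
        target = re.split(r"[/\\:]", elem.get("resource", ""))[-1]
        if local == "import" and target == "jetty.xml":
            return True
    return False


def outdated_spring_jars(jar_names):
    """Return spring-*.jar names on the 5.3.x line older than FIXED_SPRING."""
    pattern = re.compile(r"^spring-[a-z-]+-(\d+)\.(\d+)\.(\d+)\.jar$")
    hits = []
    for name in jar_names:
        match = pattern.match(name)
        if match:
            version = tuple(int(part) for part in match.groups())
            if version[:2] == (5, 3) and version < FIXED_SPRING:
                hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed listing of a lib directory.
    jars = ["spring-web-5.3.39.jar", "spring-webmvc-5.3.39.jar", "some-other-lib-1.0.0.jar"]
    print("web console imported:", web_console_imported(SAMPLE_ENABLED))
    print("after workaround:", web_console_imported(SAMPLE_DISABLED))
    print("spring jars below 5.3.41:", outdated_spring_jars(jars))
```

Against a real install, pass the contents of the broker's `activemq.xml` and the file names from its lib directories.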
