Not really seeing how releasing 5.18.x makes sense a year after saying it was no longer supported with the 5.18.7 release (after 5.19.0), removing it from the download page at that time, and having not released the stream since (e.g. for any of the dependency CVE fixes in that time) whilst all the other streams have had multiple releases or even been superseded and dropped themselves?
Seems especially odd given 5.18.x and 5.19.x have pretty similar supportability/requirements which is why it was dropped. I'm pretty sure I even recall seeing some initial discussion of late about when to drop 5.19.x.

It will also still be marked as being affected by CVE-2025-66168 by scanners even if it contains the fix, since the version details just announced for that CVE included everything before 5.19.2.

Is 5.18.x EOL or not?

Robbie

On Tue, 3 Mar 2026 at 21:55, Jean-Baptiste Onofré <[email protected]> wrote:
>
> Hi,
>
> I am currently reviewing the security advisories. I have also received
> several inquiries from the community regarding the possibility of a new
> 5.18.x release that includes only the latest CVE fixes.
>
> I will begin preparing that release soon.
>
> Regards,
> JB
>
> On Tue, Mar 3, 2026 at 3:13 PM Casey A. Owen via users <[email protected]> wrote:
>
> > Hello,
> >
> > Could someone please clarify why the listed CVEs are not documented in the
> > Apache ActiveMQ Classic Security Advisories at
> > https://activemq.apache.org/components/classic/security?
> >
> > Thank you for your prompt attention to this matter,
> >
> >
> > Casey Owen | Sr Applications Analyst
