jbonofre opened a new pull request, #2030:
URL: https://github.com/apache/activemq/pull/2030
## Summary
Bumps four dependency properties in the parent `pom.xml` to pick up
published CVE fixes / patch releases for the 6.2.x line:
| Dependency | From | To | Notes |
|---|---|---|---|
| `camel-version` | 4.14.4 | 4.14.7 | CVE-2026-47323 (CXF/Knative header injection -> RCE), CVE-2026-27172 (ConsulRegistry deserialization), CVE-2026-28367 (request smuggling). Latest 4.14.x LTS patch. |
| `jolokia-version` | 2.5.0 | 2.6.0 | Routine patch bump. |
| `snappy-version` | 1.1.2 | 1.1.10.7 | CVE-2023-34455, CVE-2023-43642 (DoS via unchecked chunk length). Property is currently dead (no `${snappy-version}` reference) but kept for hygiene. |
| `spring-version` | 6.2.16 | 6.2.18 | Pulls March/April 2026 Spring Framework fixes. |
Jetty was evaluated but `11.0.26` is already the latest 11.0.x on Maven
Central, so no bump.
## Test plan
- [x] `mvn validate` clean across the full reactor
- [ ] CI green
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
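The table above notes that `snappy-version` has no `${snappy-version}` reference. The following is an added example, not part of the pull request or the ActiveMQ build, that flags such unreferenced `*-version` properties across a parent POM and its modules; the sample POMs are constructed and the function name `dead_version_properties` is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
XML_COMMENT = re.compile(r"<!--.*?-->", re.S)

# Constructed sample POMs for illustration (not the ActiveMQ build files).
SAMPLE_PARENT = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <camel-version>4.14.7</camel-version>
    <snappy-version>1.1.10.7</snappy-version>
    <spring-version>6.2.18</spring-version>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
  <dependencyManagement><dependencies><dependency>
    <groupId>org.apache.camel</groupId><artifactId>camel-core</artifactId>
    <version>${camel-version}</version>
  </dependency></dependencies></dependencyManagement>
</project>"""

SAMPLE_CHILD = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies><dependency>
    <groupId>org.springframework</groupId><artifactId>spring-core</artifactId>
    <version>${spring-version}</version>
    <!-- <version>${snappy-version}</version> -->
  </dependency></dependencies>
</project>"""

def dead_version_properties(parent_pom, other_poms=()):
    """Names of *-version properties in parent_pom that no POM references."""
    props = ET.fromstring(parent_pom).find(NS + "properties")
    defined = [] if props is None else [p.tag[len(NS):] for p in props]
    referenced = set()
    for text in (parent_pom, *other_poms):
        # Drop XML comments first: a commented-out use pins nothing.
        referenced.update(PLACEHOLDER.findall(XML_COMMENT.sub("", text)))
    # Only *-version names are checked; other properties (for example
    # project.build.sourceEncoding) are read by plugins without ${...}.
    return sorted(n for n in defined if n.endswith("-version") and n not in referenced)

if __name__ == "__main__":
    for name in dead_version_properties(SAMPLE_PARENT, [SAMPLE_CHILD]):
        print(f"dead property: {name} (bumping it changes no resolved version)")
```

A property reported here does not decide which artifact version ends up on the classpath, so the CVE fix it names should be confirmed against the resolved dependency tree instead.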