jbonofre opened a new pull request, #2031:
URL: https://github.com/apache/activemq/pull/2031

   ## Summary
   
   Dependency bumps in `pom.xml` to address known CVEs on `activemq-5.19.x`:
   
   - **netty** `4.1.94.Final` → `4.1.133.Final`
     - CVE-2024-29025 (codec-http multipart decoder DoS)
     - SslHandler native crash, fixed in 4.1.118.Final
     - CVE-2025-58057 (BrotliDecoder / decompression DoS), fixed in 4.1.125.Final
   - **snappy** `1.1.2` → `1.1.10.8`
     - CVE-2023-34453, CVE-2023-34454, CVE-2023-34455 (integer overflow / unchecked chunk length DoS)
     - CVE-2023-43642 (missing upper-bound check on chunk length)
   - **karaf** `4.3.7` → `4.3.10`
     - CVE-2022-40145 (JNDI LDAP RCE via JDBC config)
   
   Not bumped here (require separate evaluation):
   - `zookeeper 3.4.14` — line is EOL; jumping to 3.9.x is a breaking-change risk for replicated leveldb paths
   - `spring 5.3.39` — 5.3.x OSS EOL; April 2026 CVEs (CVE-2026-22740/22741/22745) have no OSS patch in Maven Central
   - `jetty 9.4.58.v20250814` — already the latest 9.4.x published to Maven Central
   
   ## Test plan
   
   - [ ] `mvn -P owasp dependency-check:aggregate` shows the addressed CVEs cleared
   - [ ] Full build: `mvn clean install -DskipTests`
   - [ ] Unit tests: `mvn test`
   - [ ] AMQP module tests (netty consumer): `mvn -pl activemq-amqp test`
   - [ ] Karaf integration tests: `mvn -pl activemq-karaf-itest verify`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
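A small pre-merge check of the kind the test plan's `dependency-check:aggregate` step automates, written here as an added example rather than anything from the pull request or the ActiveMQ build. It resolves `${property}` versions from a constructed `pom.xml` fragment (the coordinates are assumed for the demo, not copied from the ActiveMQ pom), compares each managed version against a minimum fixed version, and reports what is still below the bar. The netty threshold `4.1.125.Final` is the fix version the PR lists for CVE-2025-58057, which is above the other two netty items; the snappy and karaf thresholds are simply the PR's target versions, used as assumptions. The version comparison is deliberately simpler than Maven's `ComparableVersion`, but it does get the case a plain string compare gets wrong: `1.1.2` sorting below `1.1.10.8`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment for this example (assumed coordinates; not the
# ActiveMQ pom). The versions are the pre-bump ones from the PR description.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <netty-version>4.1.94.Final</netty-version>
    <snappy-version>1.1.2</snappy-version>
    <karaf-version>4.3.7</karaf-version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-all</artifactId>
        <version>${netty-version}</version>
      </dependency>
      <dependency>
        <groupId>org.xerial.snappy</groupId>
        <artifactId>snappy-java</artifactId>
        <version>${snappy-version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.karaf</groupId>
        <artifactId>apache-karaf</artifactId>
        <version>${karaf-version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# Minimum versions per groupId. netty: fix version the PR gives for
# CVE-2025-58057 (covers the two earlier netty items). snappy and karaf:
# the PR's target versions, used here as assumed thresholds.
MIN_FIXED = {
    "io.netty": "4.1.125.Final",
    "org.xerial.snappy": "1.1.10.8",
    "org.apache.karaf": "4.3.10",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
_TOKEN = re.compile(r"\d+|[A-Za-z]+")
PRE_RELEASE = {"alpha", "beta", "rc", "cr", "snapshot", "m", "milestone"}


def parse_version(v):
    """Turn '4.1.94.Final' into a tuple of ints. Simplified relative to Maven:
    numbers compare numerically, pre-release qualifiers become -1 so they sort
    below the matching release, and other qualifiers (Final, v...) are ignored."""
    parts = []
    for tok in _TOKEN.findall(v):
        if tok.isdigit():
            parts.append(int(tok))
        elif tok.lower() in PRE_RELEASE:
            parts.append(-1)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic comparator; shorter tuples are zero-padded."""
    pa, pb = list(parse_version(a)), list(parse_version(b))
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def load_versions(pom_xml):
    """Map 'groupId:artifactId' to its resolved version for every <dependency>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = {}
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        # Resolve ${property} references against <properties>; unknown ones stay as-is.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
        if gid and ver:
            found[gid + ":" + aid] = ver
    return found


def audit(pom_xml, min_fixed=MIN_FIXED):
    """Return {coordinate: (current, required)} for dependencies below the threshold."""
    findings = {}
    for coord, ver in load_versions(pom_xml).items():
        required = min_fixed.get(coord.split(":")[0])
        if required and compare_versions(ver, required) < 0:
            findings[coord] = (ver, required)
    return findings


if __name__ == "__main__":
    for coord, (cur, req) in sorted(audit(SAMPLE_POM).items()):
        print("%s: %s is below required %s" % (coord, cur, req))
```

Run against the constructed fragment, all three coordinates are reported; after the bumps described in the PR the audit returns an empty dict. A real gate would still rely on `dependency-check` for advisory data, since this script only knows the thresholds it is handed.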
