[
https://issues.apache.org/jira/browse/AMQ-7103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16688555#comment-16688555
]
Albert Baker commented on AMQ-7103:
-----------------------------------
will do.... grep the dependency report for CVE | grep Severity:High
google CVE-###### AND POC OR proof of concept
download it, built it, test it... gimme an hour, and me(anyone) can have a
handfull of them.
In this day-and-age its pretty silly to require prrof of exploit, when you we
can easily update the pom file to a new ver of the .jar and poof, the
vulnerability is gone.
> Dependency updates flagged by OWASP Dependency Check
> ----------------------------------------------------
>
> Key: AMQ-7103
> URL: https://issues.apache.org/jira/browse/AMQ-7103
> Project: ActiveMQ
> Issue Type: Improvement
> Affects Versions: 5.15.7
> Reporter: Christopher L. Shannon
> Priority: Major
> Fix For: 5.15.9
>
>
> Original text from Jira issue from [~ABakerIII] -
>
> Please determine if
> # The 458 vulnerabilities are true vulnerabilities or false positives
> # Are there newer versions of the vulnerable libraries available
> # Will updating the pom to use the new libraries break the build/test or not
> # If updates some do break the build/test, please update the code to work.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
