[
https://issues.apache.org/jira/browse/ARTEMIS-2413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487240#comment-17487240
]
ASF subversion and git services commented on ARTEMIS-2413:
----------------------------------------------------------
Commit 9c459eb313baaa26a1a19f0e59133215b5087a4c in activemq-artemis's branch
refs/heads/main from Justin Bertram
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=9c459eb ]
ARTEMIS-2413 upgrade JGroups
JGroups 3.x hasn't been updated in some time now. The last release was
in April 2020 almost 2 years ago. Lots of protocols have been updated
and added and users are wanting to use them. There is also increasing
concern about using older components triggered mainly by other
recently-discovered high-profile vulnerabilities in the wider Open
Source Java community.
This commit bumps JGroups up to the latest release - 5.2.0.Final.
However, there is a cost associated with upgrading.
The old-style properties configuration is no longer supported. I think
it's unlikely that end-users are leveraging this because it is not
exposed via broker.xml. The JGroups XML configuration has been around
for a long time, is widely adopted, and is still supported. I expect
most (if not all) users are using this. However, a handful of tests
needed to be updated and/or removed to deal with this absence.
Some protocols and/or protocol properties are no longer supported. This
means that users may have to change their JGroups stack configurations
when they upgrade. For example, our own clustered-jgroups example had to
be updated or it wouldn't run properly.
> Upgrade JGroups
> ---------------
>
> Key: ARTEMIS-2413
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2413
> Project: ActiveMQ Artemis
> Issue Type: Dependency upgrade
> Affects Versions: 2.6.4
> Reporter: Endre Jeges
> Assignee: Justin Bertram
> Priority: Major
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> I have noticed with the OWASP dependency-check plugin
> (org.owasp:dependency-check-maven:5.0.0) that the currently used
> org.jgroups:jgroups:3.6.13.Final has a [CWE-300: Channel Accessible by
> Non-Endpoint
> ('Man-in-the-Middle')|https://ossindex.sonatype.org/vuln/7c83fdab-9665-4e79-bc81-cc67fbb96417]
> vulnerability. The problem has not been reported in the NVD database,
> therefore there is no CVE record.
> The vulnerability has been
> [addressed|https://github.com/belaban/JGroups/pull/348] in version
> org.jgroups:jgroups:4.0.2.Final (at the moment the latest version is
> org.jgroups:jgroups:4.1.1.Final).
> The org.jgroups:jgroups dependency would require an upgrade to resolve the
> vulnerability.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
