[ 
https://issues.apache.org/jira/browse/AMQ-9388?focusedWorklogId=890364&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-890364
 ]

ASF GitHub Bot logged work on AMQ-9388:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 13/Nov/23 22:47
            Start Date: 13/Nov/23 22:47
    Worklog Time Spent: 10m 
      Work Description: cshannon opened a new pull request, #1117:
URL: https://github.com/apache/activemq/pull/1117

   The current version of Camel pulls in the activemq-client-jakarta jar, which is not necessary as it no longer exists with ActiveMQ 6.0.0.
   
   Furthermore, the version being pulled in is 5.18.2, which contains a critical CVE that was fixed in 5.18.3.

Issue Time Tracking
-------------------

            Worklog Id:     (was: 890364)
    Remaining Estimate: 0h
            Time Spent: 10m

> camel-activemq transitively pulls in activemq-client-jakarta
> ------------------------------------------------------------
>
>                 Key: AMQ-9388
>                 URL: https://issues.apache.org/jira/browse/AMQ-9388
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>            Reporter: Christopher L. Shannon
>            Assignee: Christopher L. Shannon
>            Priority: Blocker
>             Fix For: 6.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> While reviewing the 6.0.0 release I noticed that the newly added 
> {{camel-activemq}} module pulls in {{activemq-client-jakarta}} as a 
> transitive dependency. This makes sense, since the version used is based on 
> ActiveMQ 5.18.2, as 6.0.0 isn't released yet.
> We need to exclude this because, with version 6.0.0, this module no longer 
> exists and so is not needed, and secondly, the 5.18.2 version has a CVE 
> against it. The dependency in the current release is not included in the tar 
> distribution, but since it is transitively being pulled in with Maven, if 
> someone has a dependency on the apache-activemq pom they will have the jar 
> pulled into their build.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)