This is an automated email from the ASF dual-hosted git repository.
Arsnael pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new 3480b6808e [UPGRADE] activemq 6.2.6 -> 6.2.7 + arttemis 2.53.0 ->
2.55.0 to fix several CVEs
3480b6808e is described below
commit 3480b6808e5fc5ed25f86a0a72c7fbe8178fd1d6
Author: Benoit TELLIER <[email protected]>
AuthorDate: Tue Jun 30 09:32:34 2026 +0200
[UPGRADE] activemq 6.2.6 -> 6.2.7 + arttemis 2.53.0 -> 2.55.0 to fix
several CVEs
- CVE-2026-54475: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache
ActiveMQ: Temporary destination ownership takeover
- CVE-2026-53917: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ
Client, Apache ActiveMQ Broker: Unbounded memory allocation in OpenWire
property unmarshalling
- CVE-2026-53916: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ
Stomp: Unbounded header buffer in STOMP NIO codec
- CVE-2026-52760: Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS
via Unescaped values in ActiveMQ Web Console
- CVE-2026-50750: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ
All: Pre-authentication OpenWire DoS following fix for CVE-2026-49270
- CVE-2026-50734: Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ
All: Pre-authentication OpenWire memory-allocation DoS during wire format
negotiation
- CVE-2026-49877: Apache ActiveMQ: Authenticated web users retain admin
access by default in the Web Console
- CVE-2026-49432: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ
Stomp: STOMP negative content-length enables denial of service
- CVE-2026-49434: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ
All: LdapNetworkConnector instantiates denied transports and a
remote-properties broker
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index a8abd2fef0..e25e86fe5e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -622,7 +622,7 @@
<james.groupId>org.apache.james</james.groupId>
<james.protocols.groupId>${james.groupId}.protocols</james.protocols.groupId>
- <activemq.version>6.2.6</activemq.version>
+ <activemq.version>6.2.7</activemq.version>
<apache-mime4j.version>0.8.14</apache-mime4j.version>
<apache.openjpa.version>4.1.1</apache.openjpa.version><!-- Align with
EE10 Persistence 3.1 & Transactions 2.0: https://openjpa.apache.org/ -->
<h2.version>2.3.232</h2.version>
@@ -637,7 +637,7 @@
<jsieve.version>0.8</jsieve.version>
<spring.version>6.2.8</spring.version>
- <activmq-artemis.version>2.53.0</activmq-artemis.version>
+ <activmq-artemis.version>2.55.0</activmq-artemis.version>
<apache-jspf-resolver.version>1.0.5</apache-jspf-resolver.version>
<angus-mail.version>2.0.3</angus-mail.version><!-- Align with EE10
Mail 2.1: https://eclipse-ee4j.github.io/angus-mail/ -->
<angus-activation.version>2.0.2</angus-activation.version><!-- Align
with EE10 Activation 2.1: https://eclipse-ee4j.github.io/angus-activation/ -->
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]