Hi Alex,

You say below that the dojotoolkit will be updated in 8.0.5, but then you 
mention upgrading to the “latest 8.1.x version”.
Was that a typo or do you expect an 8.1.0 release to be coming soon?

I was planning on upgrading from 7.1.x to 8.x and wanted to make sure I picked 
up this fix.

BTW – any caveats to upgrading from 7 to 8 that anyone is aware of?  I reviewed 
the release notes and it doesn’t seem like any breaking changes were made.
Thanks.
--
Tom

From: Oleksandr Rudyy <oru...@gmail.com>
Reply-To: "users@qpid.apache.org" <users@qpid.apache.org>
Date: Sunday, March 14, 2021 at 4:22 PM
To: "users@qpid.apache.org" <users@qpid.apache.org>
Subject: Re: Addressing CVE-2020-5258 in Qpid Broker-J

Hi Rajashekar,

Thanks for bringing this to our attention.
I committed a change upgrading dojotoolkit to version 1.16.3 on master
and 8.0.x branches. It will be available in version 8.0.5.
I am not planning to release a new 7.1.x version. We released 7.1.0
around two years ago in January 2019. A life cycle of major/minor
versions is 2 years which includes building of maintenance releases
with fixes for security and critical issues. The users of 7.1.x
versions should upgrade their brokers to the latest 8.1.x version.

Kind Regards,
Alex

[1] https://issues.apache.org/jira/browse/QPID-8511

On Tue, 9 Mar 2021 at 18:54, rhudumula <rhudum...@salesforce.com.invalid> wrote:

Hi Qpid team,

CVE-2020-5258 is reported against dojo-toolkit and the fix is available in
these versions - 1.14.6 and 1.16.2. The latest Qpid Broker-J versions still
seem to be using older dojo-toolkit versions.
Any update on when this will be addressed? Or is it safe to just pick
the latest dojo-toolkit version?

Thanks,
Rajashekar



--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

