
List:       activemq-dev
Subject:    Re: Updating dependencies
From:       Jonathan Gallimore <jonathan.gallimore () gmail ! com>
Date:       2019-03-15 15:41:15
Message-ID: CAGRgoZifgJB2HFHn=-Vnj5Omxhz-oW+uv_eFPoYORXD_mjKshQ () mail ! gmail ! com


Hi Christopher,

Many thanks for the link to the JIRA ticket - I'll follow that, and provide
any updates I can.

Jon

On Fri, Mar 15, 2019 at 3:20 PM Christopher Shannon <
christopher.l.shannon@gmail.com> wrote:

> This is being tracked already here:
> https://issues.apache.org/jira/browse/AMQ-7103
>
> Some dependencies were updated for 5.15.9 which is under vote now but as
> you found some other ones cause failures and need to be looked at.
>
> See:
>
> http://activemq.2283324.n4.nabble.com/VOTE-Apache-ActiveMQ-5-15-9-tp4749473.html
>
> On Fri, Mar 15, 2019 at 10:13 AM Jonathan Gallimore <
> jonathan.gallimore@gmail.com> wrote:
>
> > Hi
> >
> > I've been looking at some of the dependencies ActiveMQ uses and attempting
> > to update the versions, as a few have CVEs listed against them. I
> > appreciate that doesn't necessarily mean ActiveMQ is vulnerable to those
> > issues filed against those dependencies, but guess it's good to look at
> > these and keep them up to date.
> >
> > I've specifically attempted to update:
> >
> > jackson-databind -> 2.9.8
> > spring -> 4.3.22.RELEASE
> > shiro -> 1.4.0
> > zookeeper -> 3.4.13
> > guava -> 27.0.1
> > jetty -> 9.4.15.v20190215
> >
> > I'm currently working through a few test failures, particularly in
> > activemq-http which look like they relate to the jetty update, and checking
> > host names on the certificates. Changing the host from 127.0.0.1 to
> > localhost in the URL on the client side helps for most tests, although
> > there are some failures around using client certificates that I'm working
> > through. I'll send a PR when I get the tests passing.
> >
> > If there are any tips or feedback anyone has around any of this I would be
> > grateful - particularly if anyone can see any issue with updating these or
> > if you think I'm barking up the wrong tree.
> >
> > Many thanks
> >
> > Jon
> >
>
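
Added example, not part of the thread and not ActiveMQ or Jetty code: a minimal sketch of the endpoint-identification rule that makes a URL with 127.0.0.1 behave differently from one with localhost once host names on certificates are checked. The subjectAltName lists are constructed, and the thread does not show the real test certificate, so a certificate naming only localhost is an assumption.

```python
import ipaddress

# Constructed SAN sets (assumption: the real test certificate is not shown in the thread).
DNS_ONLY_CERT = [("DNS", "localhost")]
DNS_AND_IP_CERT = [("DNS", "localhost"), ("IP", "127.0.0.1"), ("IP", "::1")]
WILDCARD_CERT = [("DNS", "*.example.test")]


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative: a wildcard covers one non-empty label, never a bare TLD.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def verify_endpoint(host, san_entries):
    """Return (ok, reason) for the host string a client put in its URL."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are compared only with iPAddress entries, never DNS names.
        for kind, value in san_entries:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, "matched iPAddress " + value
        return False, "no iPAddress entry for " + host
    for kind, value in san_entries:
        if kind == "DNS" and _dns_match(value, host):
            return True, "matched dNSName " + value
    return False, "no dNSName entry for " + host


if __name__ == "__main__":
    certs = (("dns-only", DNS_ONLY_CERT), ("dns+ip", DNS_AND_IP_CERT))
    for host in ("127.0.0.1", "localhost", "[::1]"):
        for name, cert in certs:
            print(host, name, verify_endpoint(host, cert))
```

Under that assumption, the alternative to editing client URLs is to reissue the test certificate with iPAddress entries for the loopback addresses, which keeps verification enabled in the tests.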

