
List:       activemq-dev
Subject:    Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)
From:       Jean-Baptiste Onofré <jb () nanthrax ! net>
Date:       2022-04-21 4:25:34
Message-ID: CAB8EV3QjvvM28smPisC=acY9Zwz2hoObfSLuKOnzuYDiJYK8FQ () mail ! gmail ! com


Hi guys

We are finally almost ready for the 5.17.1 release. Only two Jiras with PRs are
under review.
I will work on these ones today.

I plan to submit 5.17.1 to vote tomorrow.

Thanks
Regards
JB

On Mon, Apr 11, 2022 at 07:50, Jean-Baptiste Onofré <jb@nanthrax.net> wrote:

> Hi guys,
>
> Quick update about ActiveMQ 5.17.1 release.
>
> We have the last update PRs to merge and a couple of fixes to do. I'm
> working on it this week. I will submit 5.17.1 to vote by the end of
> the week.
>
> Regards
> JB
>
> On Sat, Apr 2, 2022 at 6:11 AM Jean-Baptiste Onofré <jb@nanthrax.net>
> wrote:
> >
> > Hi Bruce;
> >
> > Yes, ActiveMQ 5.17.x requires JDK 11, and yes, the client part doesn't use
> > Spring (only the broker does).
> >
> > Regards
> > JB
> >
> > On Fri, Apr 1, 2022 at 11:41 PM W B D <wbd@users.sourceforge.net> wrote:
> > >
> > > Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE 11+
> > > (or >1.8 in any case) at runtime, even if only using the client JAR
> > > (without the additional dependencies required to support embedded
> > > brokers using the vm and peer transports, for example)?
> > >
> > > And second, please confirm, I don't need to worry about these Spring
> > > related vulnerabilities if using only the client JAR e.g. for tcp or
> > > failover connections, with no embedded brokers.
> > >
> > > If this second point is correct, then at least it shouldn't be a big
> > > deal if some of our client applications do need to reference ActiveMQ
> > > client version 5.16.4, even after our broker(s) have been upgraded to
> > > 5.17.1+.
> > >
> > > Thanks,
> > > Bruce D
> > >
> > > On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <mattrpav@gmail.com> wrote:
> > >
> > > > One more note — the current exploit _requires_ JDK 9+, so many 5.15.x
> > > > and some 5.16.x would not be impacted.
> > > >
> > > > > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <mattrpav@gmail.com> wrote:
> > > > >
> > > > > @JB — Agreed, so far there is no published exploit that would impact
> > > > > ActiveMQ.
> > > > >
> > > > > Here is the latest I was able to find from Spring regarding backports
> > > > > (sounds like no 4.x patch is coming):
> > > > >
> > > > > ref: https://github.com/spring-projects/spring-framework/issues/28260
> > > > >
> > > > > Thanks,
> > > > > Matt Pavlovich
> > > > >
> > > > >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <jb@nanthrax.net> wrote:
> > > > >>
> > > > >> Hi,
> > > > >>
> > > > >> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> > > > >> users are still using 5.15.x/5.16.x, so, I would not be too "strict" ;)
> > > > >>
> > > > >> In the context of ActiveMQ, the CVE is not very severe IMHO.
> > > > >>
> > > > >> Regards
> > > > >> JB
> > > > >>
> > > > >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattrpav@gmail.com> wrote:
> > > > >>>
> > > > >>> @JB—
> > > > >>>
> > > > >>> The Spring release documentation is indicating that "older
> > > > >>> unsupported" releases are impacted — i.e. Spring 4.x used by ActiveMQ
> > > > >>> 5.16.x.
> > > > >>>
> > > > >>> If we do not get a Spring 4.x fix, we may need a corresponding
> > > > >>> announcement deprecating 5.16.x.
> > > > >>>
> > > > >>> Thoughts?
> > > > >>> Matt Pavlovich
> > > > >>>
> > > > >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb@nanthrax.net> wrote:
> > > > >>>>
> > > > >>>> Hi guys,
> > > > >>>>
> > > > >>>> I would like to prepare the ActiveMQ 5.17.1 release this week,
> > > > >>>> probably to submit it to vote during the weekend or next week.
> > > > >>>>
> > > > >>>> One of the main reasons is to update to Spring 5.3.18, which includes
> > > > >>>> CVE fixes
> > > > >>>> (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> > > > >>>> I also have other fixes/updates to add.
> > > > >>>>
> > > > >>>> Regards
> > > > >>>> JB
> > > > >>>
> > > > >
> > > >
> > > >
>
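As an added example (not code from this thread or from the ActiveMQ project), a small triage script that applies the reasoning the thread lays out: only the broker bundles Spring, Spring 4.x gets no fix, Spring 5.3.18 carries the fix, and the known exploit chain needs JDK 9+. The 5.2.20 fixed version comes from the Spring advisory rather than this thread, and the lib/ listings below are constructed.

```python
import re
from pathlib import Path

JAR_RE = re.compile(r"spring-[a-z-]+-(\d+)\.(\d+)\.(\d+)(?:\.[\w-]+)?\.jar")

def parse_spring_version(jar_name):
    """'spring-context-4.3.30.RELEASE.jar' -> (4, 3, 30); None for non-Spring jars."""
    m = JAR_RE.fullmatch(jar_name)
    return tuple(int(g) for g in m.groups()) if m else None

def java_major(version_string):
    """'1.8.0_322' -> 8 (legacy 1.x scheme), '11.0.14' -> 11, '17' -> 17."""
    parts = version_string.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])

def spring_is_fixed(major, minor, patch):
    """Fix shipped in 5.3.18 (from the thread) and 5.2.20 (Spring advisory); 4.x gets none."""
    if major != 5:
        return major > 5
    fixed_patch = {2: 20, 3: 18}.get(minor)
    if fixed_patch is None:
        return minor > 3          # 5.0/5.1 are unsupported and unfixed
    return patch >= fixed_patch

def assess_exposure(jar_names, java_version):
    """Classify a deployment from its lib/ listing plus the runtime Java version."""
    spring = {n: v for n in jar_names if (v := parse_spring_version(n))}
    if not spring:
        # Client-only deployments (tcp/failover, no embedded broker) ship no Spring.
        return "not-applicable", "no Spring jars found: client-only deployment"
    unfixed = sorted(n for n, v in spring.items() if not spring_is_fixed(*v))
    if not unfixed:
        return "patched", "all Spring jars are at a fixed version"
    jdk = java_major(java_version)
    if jdk < 9:
        return "mitigated", f"unfixed {unfixed} but JDK {jdk} < 9: known exploit needs JDK 9+; still upgrade"
    return "exposed", f"unfixed {unfixed} on JDK {jdk}: upgrade the broker to 5.17.1+ (Spring 5.3.18)"

def assess_install(lib_dir, java_version):
    """Run the same check against an ActiveMQ lib/ directory on disk."""
    return assess_exposure([p.name for p in Path(lib_dir).iterdir()], java_version)

if __name__ == "__main__":
    # Constructed lib/ listings for illustration, not captured from a real install.
    broker_516 = ["activemq-broker-5.16.4.jar", "spring-core-4.3.30.RELEASE.jar",
                  "spring-context-4.3.30.RELEASE.jar"]
    client_only = ["activemq-client-5.16.4.jar", "hawtbuf-1.11.jar"]
    print(assess_exposure(broker_516, "11.0.14"))    # ('exposed', ...)
    print(assess_exposure(broker_516, "1.8.0_322"))  # ('mitigated', ...)
    print(assess_exposure(client_only, "11.0.14"))   # ('not-applicable', ...)
```

Point `assess_install` at a broker's `lib/` directory together with the output of `java -version` to triage a real host with the same rules.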

