Hi Santiago,

On 07/10/2024 at 20:21, Santiago Ruano Rincón wrote:
> Dear teams,
>
> activemq is listed in both dla-needed and dsa-needed, and I claimed it for bullseye LTS. CVE-2023-46604 was fixed in 5.17.6 and 5.16.7 and the patches for both are clearly identified upstream:
> [...]
> I also have a question about bullseye: Pierre, I see in debian/5.16.1-2 the a6be349b21ab01a4a5572906e45933406073ed29 commit "Adding the missing xpp3 dependency to the stomp pom.xml". That sounds like an important bug, but I don't find anything filed about it. Is that something that should be fixed in oldstable? I guess not, but I want to be sure.
You're right, no need to fix this in oldstable: no issue related to this in bullseye. I did not forward the patch upstream at that time because it was an issue not in activemq, but in libxstream-java which does not declare the correct classpath for its jar. I wrote this patch to have activemq build but I intended it to be temporary thanks to a fix in libxstream-java -- which I never made up to now, will do so in the upcoming days!
> Cheers, -- Santiago
All the best, -- Pierre