Preparing the release is cherry-picking the fixes (which I did). I didn't say I will submit the release to vote.
It's also the reason that we discuss on the mailing list. It's a community decision. If the community is ok with a release, we can consider it (EOL doesn't really exist on ASF projects, as we can always submit a release on very old branches if it's a community call).

It seems we have a consensus to "push" for 5.19.x, I'm fine with that.

Regards
JB

On Thu, Mar 5, 2026 at 10:04 AM Robbie Gemmell <[email protected]> wrote:

> You did also say you were going to prepare a release soon.
>
> Users can certainly ask (though it would be nice if they did it on the
> list, so discussion could take place for any other users to see),
> though that doesn't mean it actually makes sense to do. A year past an
> announced and effective EOL seems clearly not to, especially when
> there is little if any barrier to upgrading to the year-old
> replacement stream.
>
> Robbie
>
> On Thu, 5 Mar 2026 at 14:09, Jean-Baptiste Onofré <[email protected]> wrote:
> >
> > Hi
> >
> > I just shared that I got some requests from users. I'm trying to convince
> > them to upgrade to 5.19.x (which is very close to 5.18.x and includes the
> > fixes already).
> >
> > Let me try to convince these users to upgrade to 5.19.x.
> >
> > Regards
> > JB
> >
> > On Thu, Mar 5, 2026 at 8:17 AM Robbie Gemmell <[email protected]>
> > wrote:
> >
> > > Not really seeing how releasing 5.18.x makes sense a year after saying
> > > it was no longer supported with the 5.18.7 release (after 5.19.0),
> > > removing it from the download page at that time, and having not
> > > released the stream since (e.g. for any of the dependency CVE fixes in
> > > that time) whilst all the other streams have had multiple releases or
> > > even been superseded and dropped themselves?
> > >
> > > Seems especially odd given 5.18.x and 5.19.x have pretty similar
> > > supportability/requirements which is why it was dropped. I'm pretty
> > > sure I even recall seeing some initial discussion of late about when
> > > to drop 5.19.x.
> > >
> > > It will also still be marked as being affected by CVE-2025-66168 by
> > > scanners even if it contains the fix, since the version details just
> > > announced for that CVE included everything before 5.19.2.
> > >
> > > Is 5.18.x EOL or not?
> > >
> > > Robbie
> > >
> > > On Tue, 3 Mar 2026 at 21:55, Jean-Baptiste Onofré <[email protected]> wrote:
> > > >
> > > > Hi,
> > > >
> > > > I am currently reviewing the security advisories. I have also received
> > > > several inquiries from the community regarding the possibility of a new
> > > > 5.18.x release that includes only the latest CVE fixes.
> > > >
> > > > I will begin preparing that release soon.
> > > >
> > > > Regards,
> > > > JB
> > > >
> > > > On Tue, Mar 3, 2026 at 3:13 PM Casey A. Owen via users <
> > > > [email protected]> wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > Could someone please clarify why the listed CVEs are not documented in the
> > > > > Apache ActiveMQ Classic Security Advisories at
> > > > > https://activemq.apache.org/components/classic/security?
> > > > >
> > > > > Thank you for your prompt attention to this matter,
> > > > >
> > > > >
> > > > > Casey Owen | Sr Applications Analyst
> > > > >
> > > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
> > > For further information, visit: https://activemq.apache.org/contact
