Re: EXTERNAL: Re: Artemis MQ 2.36.0 Load Balancing questions

2024-10-25 Thread Justin Bertram
I'm not clear on a few points. First, you say that a producer sends messages to primary_UDN_1 server and then Consumer_UDN consumes all message types from that server. However, then the server from which "all message types" have been consumed (i.e. primary_UDN_1) forwards messages to primary_VM_2

[ANNOUNCE] ActiveMQ Artemis 2.38.0 Released

2024-10-25 Thread Justin Bertram
I'm pleased to announce the release of ActiveMQ Artemis 2.38.0. * Downloads: https://activemq.apache.org/components/artemis/download/ * Complete list of updates: https://activemq.apache.org/components/artemis/download/release-notes-2.38.0 I would like to highlight these improvements: - WebSocke

Re: CVE presence in artemis-2.37.0

2024-10-25 Thread Domenico Francesco Bruscino
A published CVE related to an artifact can also affect projects that depend on it. Disclosing the affected dependent projects in a public forum before they have a chance to provide a fixed version can cause security issues to their users. No harm in requesting a response by using the appropriate co

Re: CVE presence in artemis-2.37.0

2024-10-25 Thread david kerns
On Fri, Oct 25, 2024 at 6:21 AM Domenico Francesco Bruscino < bruscin...@gmail.com> wrote: > I strongly encourage you to report potential security vulnerabilities to > secur...@apache.org mailing lists first, before disclosing them in a > public > forum. Please see the page of the ASF Security Tea

RE: CVE presence in artemis-2.37.0

2024-10-25 Thread Anzile, Christophe
Hi Justin, Thanks for your reply. For Apache Geronimo, it's very strange because I don't put it either in my solution. Those 3 CVEs are reported on a module called 'console' with no version, so very strange. Probably a bug in the tool indeed. For the ones regarding logback and commons-io, it's

Re: CVE presence in artemis-2.37.0

2024-10-25 Thread Domenico Francesco Bruscino
I strongly encourage you to report potential security vulnerabilities to secur...@apache.org mailing lists first, before disclosing them in a public forum. Please see the page of the ASF Security Team[1] for further information and contact information. [1] https://www.apache.org/security/ On Fri,

Re: CVE presence in artemis-2.37.0

2024-10-25 Thread Justin Bertram
These first three are related to Apache Geronimo. I don't know why these would be reported for ActiveMQ Artemis. We don't ship any jars from Geronimo so these are not valid: * CVE-2008-5518 * CVE-2009-0038

CVE presence in artemis-2.37.0

2024-10-25 Thread Anzile, Christophe
Hi Our vulnerability scanning tool is reporting the following CVEs for artemis 2.37.0 * CVE-2008-5518 * CVE-2009-0038 * CVE-2009-0039 *

Re: EXTERNAL: Re: Artemis MQ 2.36.0 Load Balancing questions

2024-10-25 Thread Justin Bertram
I looked on page 2 of the ArtemisMQ_Cluster_Oct172024.pptx in the archive which you attached to your original email, but I found no questions. However, I see that you've added them in your response. I find the questions and the configuration confusing. First, automatic discovery (e.g. via UDP) or