Thanks for the explanation. I indeed checked the wrong dependency.
While the CVE was published on Friday 27th, I checked Sunday 29th
October with dependency-check, and at that time no issue was shown.
After that, I updated dependencies myself, so dependency-check would not
find anything any mo

I believe you're looking at the wrong Maven dependency. The two vulnerable
dependencies are:
- activemq-client:
https://central.sonatype.com/artifact/org.apache.activemq/activemq-client/versions
- activemq-openwire-legacy:
https://central.sonatype.com/artifact/org.apache.activemq/activemq-open

Hi,
The fix is actually in activemq-client (which the broker uses too), so I
suspect that is the artifact that is tagged. Have a look at
https://central.sonatype.com/artifact/org.apache.activemq/activemq-client/versions
and see if that helps.
Jon

On Mon, Nov 13, 2023 at 3:11 PM Wim van Ravesteij