Tim,

Thanks for the info. We are not expecting an immediate fix for the Log4J issue as there isn't a direct upgrade from Log4J 1.x to Log4J 2.x - but I was hoping that the changes made for that issue had been merged back and incorporated into the release. However, it is good to know that ActiveMQ is not affected by that Log4J SocketServer issue. The other 2 issues (Shiro, XStream) are critically important to us and have already been resolved and so I look forward to using the new release to get the CVE fixes.

Best regards,
Simon.

On 27 Apr 2021, at 12:43, Tim Bain <tb...@alumni.duke.edu> wrote:

Note that the comments on AMQ-7426 (Log4J 2) state the following: ActiveMQ is not affected by CVE-2019-17571 directly as we don't use the SocketServer.

The upgrade does not appear to be in 5.16.2, so expect that to remain in your scan results, and you'll have to manually adjudicate the finding.

Tim

On Tue, Apr 27, 2021, 3:32 AM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:

I doubt it'll be long, but I can't speak for the PMC members. There's a legal aspect to reviewing releases, as well as checking that the actual binaries are sound, so reviewing can involve a lot of work. The 72 hours is a minimum time the vote has to be open for; it's not unusual for votes to take longer to allow for the work that goes into review.

Jon

On Tue, Apr 27, 2021 at 10:25 AM Simon Billingsley <simon.billings...@matrixx.com.invalid> wrote:

Jon,

That's great news. It looks like the vote has been open for at least 4 days, so any ETA on when the vote will be closed? I can see that an additional binding vote is still required...

Best regards,
Simon.

On 27 Apr 2021, at 09:42, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:

ActiveMQ 5.16.2 is being voted on at the moment