Hello Doug- Yes. You should be able to update the Velocity dependency to Velocity 2.3 without any problems.
Ref: http://velocity.apache.org/engine/2.3/upgrading.html#upgrading-from-velocity-22-to-velocity-23
Ref: https://velocity.apache.org/engine/2.3/changes.html

ActiveMQ 5.15.x release stream is closed, efforts are now on 5.16.x and the 5.17.x WIP streams. However, swapping out the velocity jar on your own shouldn’t have any impacts.

You’ll have to ping the Camel users mailing list to ask about a 2.25.x updated release. Again, I suspect just updating the jar on your own should work fine.

NOTE: To other readers— this is not a new ActiveMQ security issue, since ActiveMQ has upgraded Velocity to 2.3 in 5.16.x

Thanks,
Matt Pavlovich

> On Aug 30, 2021, at 3:36 PM, Jackson, Douglas <douglas.s.jack...@siemens.com> wrote:
>
> Hi!
> I am using activemq 5.16.3 and camel 2.25.4. There appear to be some security issues with them based on a tool called Dependency-check.
> It also flags a security issue with the velocity engine 2.0 (which camel-velocity 2.25.4 lists as a dependency).
> Are these valid?
> Is it possible to use a more recent version of the velocity-engine with the camel-velocity 2.5.4?
> Are there any plans to address these in the 5.15.x and 2.25.x releases?
>
> CVE-2019-17571 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571>
> CVE-2020-11971 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11971>
> CVE-2020-13936 <https://nvd.nist.gov/vuln/detail/CVE-2020-13936>
>
> Thanks in advance for any guidance,
>
> -Doug
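One way to do the "swap out the velocity jar on your own" that Matt describes, as an added example that is not from this thread or either project: a Maven pom.xml fragment that overrides the transitive Velocity version camel-velocity 2.25.4 pulls in. It assumes a Maven build and that the Velocity engine artifact is org.apache.velocity:velocity-engine-core (the thread only names "velocity engine 2.0"); the project's own coordinates are omitted.

```xml
<!-- Added example, not code from the ActiveMQ or Camel projects.
     Assumption: the Velocity engine artifact camel-velocity 2.25.4 depends on
     is org.apache.velocity:velocity-engine-core; verify with dependency:tree. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- A managed version takes precedence over the transitive version
           declared by camel-velocity, so 2.3 replaces the flagged 2.0 jar. -->
      <dependency>
        <groupId>org.apache.velocity</groupId>
        <artifactId>velocity-engine-core</artifactId>
        <version>2.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Unchanged: the Camel component version from the thread -->
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-velocity</artifactId>
      <version>2.25.4</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.velocity` should show only the 2.3 artifact on the classpath, and re-running Dependency-check confirms the Velocity finding is gone rather than merely hidden.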