Hello Matt,

We are using ActiveMQ all version 5.16.2 and 5.16.3.

Regards,
Deepti Sharma
PMP® & ITIL

-----Original Message-----
From: Matt Pavlovich <mattr...@gmail.com>
Sent: Monday, February 7, 2022 10:50 PM
To: users@activemq.apache.org
Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Hello Deepti-

What version of ActiveMQ are you using? I suspect that you have incorrect information about CVE-2021-44228 and ActiveMQ.

-Matt Pavlovich

> On Feb 7, 2022, at 6:20 AM, Deepti Sharma S <deepti.s.sha...@ericsson.com.INVALID> wrote:
>
> Hello Justin,
>
> I would like to follow-up on the release date of ActiveMQ 5.17.x version. I have seen the below thread, however could not found the exact date/week for the same.
>
> Could you please help here?
>
> Also can we build the ActiveMQ and upgrade the Log4J2.x on our own, can you please help to understand the procedure for the same.
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Tuesday, January 18, 2022 9:09 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>
>> when we download the Active Mq from below Maven link the jar name is " ActiveMQ all", however I could not found this from Active MQ website.
>
> All Maven artifacts are built from the source code. You can find links to all the ActiveMQ source code repositories on the website [1]. You need to look in the actual repository to see the code for a specific Maven module like "activemq-all" which can be found here [2].
>
>> I might miss the release date for 5.17...
>
> If you miss anything on the users mailing list you can go back and review the archive [3] which is linked from the website [4].
>
>
> Justin
>
> [1] https://activemq.apache.org/contributing
> [2] https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-6ccda375f1ae0b10&q=1&e=8096bb19-015a-4b40-a864-13aaa0443b5a&u=https%3A%2F%2Fgithub.com%2Fapache%2Factivemq%2Ftree%2Fmain%2Factivemq-all
> [3] https://lists.apache.org/list.html?users@activemq.apache.org
> [4] https://activemq.apache.org/contact
>
> On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S <deepti.s.sha...@ericsson.com.invalid> wrote:
>
>> Hello Justin,
>>
>> The question is, when we download the Active Mq from below Maven link the jar name is " ActiveMQ all", however I could not found this from Active MQ website.
>>
>> I might miss the release date for 5.17, it would be helpful, if you could confirm the release date for the same.
>>
>>
>> Regards,
>> Deepti Sharma
>> PMP® & ITIL
>>
>>
>> -----Original Message-----
>> From: Justin Bertram <jbert...@apache.org>
>> Sent: Tuesday, January 18, 2022 8:33 PM
>> To: users@activemq.apache.org
>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>>
>>> Does Active MQ all (// https://mvnrepository.com/artifact/org.apache.activemq/activemq-all implementation 'org.apache.activemq:activemq-all:5.16.3') is same as Active MQ Classic?
>>
>> I don't understand the question. What exactly are you asking here?
>>
>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>
>> This question has *already* been answered on this thread (and many other places on this mailing list).
>>
>>
>> Justin
>>
>> On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S <deepti.s.sha...@ericsson.com.invalid> wrote:
>>
>>> Hello All,
>>>
>>> 2 questions:
>>> Does Active MQ all (// https://mvnrepository.com/artifact/org.apache.activemq/activemq-all implementation 'org.apache.activemq:activemq-all:5.16.3') is same as Active MQ Classic?
>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>>
>>>
>>> Regards,
>>> Deepti Sharma
>>> PMP® & ITIL
>>>
>>>
>>> -----Original Message-----
>>> From: Justin Bertram <jbert...@apache.org>
>>> Sent: Sunday, January 9, 2022 1:29 AM
>>> To: users@activemq.apache.org
>>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>>>
>>> For what it's worth, it's already noted on the index page as well as the "News" page as well as noted in multiple emails on both the users and dev mailing lists. Even searches for "activemq CVE-2021-44228" on DuckDuckGo, Google, or Bing provide the relevant information in the first few results.
>>> In my opinion if folks aren't finding the information it's because they aren't looking. There's always going to be folks like that unfortunately.
>>>
>>>
>>> Justin
>>>
>>>
>>> On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre <j...@nanthrax.net> wrote:
>>>
>>>> Hi Tim,
>>>>
>>>> Good idea, I think it would be helpful to have it directly on index page and contact yeah.
>>>>
>>>> I can do the change if everyone agree.
>>>>
>>>> Thanks !
>>>>
>>>> Regards
>>>> JB
>>>>
>>>>> On Jan 8, 2022, at 16:44, Tim Bain <tb...@alumni.duke.edu> wrote:
>>>>>
>>>>> JB, should we put that link somewhere prominent on https://activemq.apache.org/contact for a few months? I believe all the users who posted questions about the CVE were first-time posters who likely went to that page before posting questions, so we might be able to save everyone the time and frustration by heading off the question for folks.
>>>>>
>>>>> Tim
>>>>>
>>>>> On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <j...@nanthrax.net> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Again, a new time:
>>>>>>
>>>>>> https://activemq.apache.org/news/cve-2021-44228
>>>>>>
>>>>>> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because they are using log4j 1.x
>>>>>>
>>>>>> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>>>>>>
>>>>>> Regards
>>>>>> JB
>>>>>>
>>>>>>> On Jan 8, 2022, at 11:35, Deepti Sharma S <deepti.s.sha...@ericsson.com.INVALID> wrote:
>>>>>>>
>>>>>>> Hello Team,
>>>>>>>
>>>>>>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you please confirm, when we have ActiveMQ all, version release which has this vulnerability fix and has Log4J version 2.17?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Deepti Sharma
>>>>>>> PMP(r) & ITIL
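
Added example, not part of the thread and not ActiveMQ project code: one way to check the quoted statement that ActiveMQ 5.15/5.16 bundle log4j 1.x rather than log4j 2.x is to inspect the deployed archive itself, including jars nested inside it. The sample archives are constructed in memory, and the 2.17.1 floor is the version the thread names for ActiveMQ 5.17.x; an archive with no pom.properties is reported as unknown and flagged.

```python
import io
import re
import zipfile

# JNDI lookup class shipped in log4j-core 2.x (the code path behind CVE-2021-44228).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"  # 1.x API class; a 2.x bridge can ship it too
TARGET = (2, 17, 1)  # log4j 2.x floor the thread names for ActiveMQ 5.17.x

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); returns None if no leading major.minor is found."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_jar(data, path):
    """Return (path, library, version, below_target) tuples, recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names:
            props = zf.read(CORE_POM).decode("utf-8", "replace") if CORE_POM in names else ""
            m = re.search(r"^version=(.+)$", props, re.M)
            version = parse_version(m.group(1)) if m else None
            # A shaded jar may drop pom.properties: an unknown version is flagged for review.
            findings.append((path, "log4j-core 2.x", version, version is None or version < TARGET))
        elif LOG4J1_LOGGER in names:
            findings.append((path, "log4j 1.x API", None, False))
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings += scan_jar(zf.read(name), path + "!/" + name)
    return findings

def make_jar(entries):
    """Build an in-memory archive from {entry name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples, not real ActiveMQ or log4j jars.
LOG4J1_JAR = make_jar({LOG4J1_LOGGER: b""})
FAT_JAR = make_jar({"lib/log4j-core.jar": make_jar({JNDI_LOOKUP: b"", CORE_POM: b"version=2.14.1\n"})})
PATCHED_JAR = make_jar({JNDI_LOOKUP: b"", CORE_POM: b"version=2.17.1\n"})

if __name__ == "__main__":
    for label, jar in (("log4j1.jar", LOG4J1_JAR), ("fat.jar", FAT_JAR), ("patched.jar", PATCHED_JAR)):
        print(scan_jar(jar, label))
```

To scan a real file, pass its bytes and path: scan_jar(open(path, "rb").read(), path).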