Part of the official process [1] is that when a release contains a fix for
a CVE then the CVE is announced to the same list(s) where the release
announcement is sent (which includes the dev and users list). However,
sometimes that process is not completed properly.

You said that none of the issues listed for Classic [2] or Artemis [3] are
mentioned/announced on the users or dev list, but that is not accurate.
These CVEs weren't announced:

 - Classic
    - CVE-2018-8006
 - Artemis
    - CVE-2023-50780

However, all of these were announced:

 - Classic
    - CVE-2024-32114 [4]
    - CVE-2023-46604 [5]
    - CVE-2022-41678 [6]
    - CVE-2021-26117 [7]
    - CVE-2020-13947 [8]
    - CVE-2020-13920 [9]
    - CVE-2020-11998 [10]
    - CVE-2020-1941 [11]
    - CVE-2019-0222 [12]
    - CVE-2018-11775 [13]
    - CVE-2017-15709 [14]
    - CVE-2015-7559 [15]
    - CVE-2016-6810 [16]
    - CVE-2016-0734 [17]
    - CVE-2016-0782 [18]
    - CVE-2016-3088 [19]
    - CVE-2015-5254 [20]
    - CVE-2015-1830 [21]
    - CVE-2014-3576 [22]
    - CVE-2014-3600 [23]
    - CVE-2014-3612 [23]
    - CVE-2014-8110 [23]
 - Artemis
    - CVE-2022-35278 [24]
    - CVE-2022-23913 [25]
    - CVE-2021-26117 [26]
    - CVE-2021-26118 [27]
    - CVE-2020-13932 [28]
    - CVE-2017-12174 [29]
    - CVE-2016-4978 [30]

Therefore, if you want to stay up-to-date with CVE announcements I
recommend you subscribe to the users list.


Justin

[1] https://www.apache.org/security/committers.html#announce
[2] https://activemq.apache.org/components/classic/security
[3] https://activemq.apache.org/components/artemis/security
[4] https://lists.apache.org/thread/3jv37jmsntkz8smdsz9pc81gm0cgzmb5
[5] https://lists.apache.org/thread/y1ztwb3gktny47mj9sdv2sbw49nkgsgp
[6] https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl
[7] https://lists.apache.org/thread/ng3clz6d2t7lf2tszrgx9dyblg5bly33
[8] https://lists.apache.org/thread/ykz6opjl6jx0wnjjr07yxmpltrotph6g
[9] https://lists.apache.org/thread/2ygfjqm7zgjyjnlhg0t9j3d2kkywlrr7
[10] https://lists.apache.org/thread/schqxfr96qgldtgkb2p7bszrgvnlw1qw
[11] https://lists.apache.org/thread/1vwm0fs5hn0jpzhsb2k3y4fsp3cfz0ht
[12] https://lists.apache.org/thread/r9xg4n7jrk9pop0mn92x8psf58w3ywp7
[13] https://lists.apache.org/thread/9nb30zn32cc9gfhr35j68f73g1c8jmp7
[14] https://lists.apache.org/thread/o67jcmzsscc9stkdff3s8oq4wh7l8rq0
[15] https://lists.apache.org/thread/56ldcfqrfpjc4hrt5t9m7hy660t0mhbv
[16] https://lists.apache.org/thread/1pobsj2khdm7xsc5dmwy3wnlm19l7wfr
[17] https://lists.apache.org/thread/pnqzbbs0430zx8tzhk2vpp87zt78zvsh
[18] https://lists.apache.org/thread/lqff101srwjntrdtgw22n32srosl2psc
[19] https://lists.apache.org/thread/6h7zhdl112bz8nzqtrq5vv2os84t6drn
[20] https://lists.apache.org/thread/7kvrrhjtlw8x2wvmgrpoob8q7wy1w3hf
[21] https://lists.apache.org/thread/co0g3dt5orpqvcj2b0mqg1owy5jlcdmw
[22] https://lists.apache.org/thread/tl5db4y4go6kogm1dc3h318b1hco9n5o
[23] https://lists.apache.org/thread/z7hs4s1q0ow2bvtgmbh6hrgqdb10sq9d
[24] https://lists.apache.org/thread/6q0fdxtg6zhqmzq27fpm986tqdtw2zh3
[25] https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2
[26] https://lists.apache.org/thread/ng3clz6d2t7lf2tszrgx9dyblg5bly33
[27] https://lists.apache.org/thread/p74v46k3hpp6z819tt5kkwmllknrkdgj
[28] https://lists.apache.org/thread/6yyc24y3yt3c0w9dsk5wovc0wrbg30lr
[29] https://lists.apache.org/thread/r025jwylg6vnnfospdyp3n09bv6z61bv
[30] https://lists.apache.org/thread/l3g1z24x0ownjg4kq2q47y98cxomnvd3


On Mon, Jan 20, 2025 at 2:55 AM Valentijn Scholten
<valentijn.schol...@iodigital.com.invalid> wrote:

> Hi,
>
>
>
> Is there any way to “subscribe” to Security Advisories, or something like
> an RSS feed?
>
>
>
> I notice that none of the CVEs mentioned in
>
>
>
>    - https://activemq.apache.org/components/classic/security
>    - https://activemq.apache.org/components/artemis/security
>
>
>
> are not mentioned/announced here in the “users” mailing list nor “dev”
> mailing list.
>
>
>
> Valentijn
>
