Hi, Thanks. I couldn’t find any of the CVEs using the search on https://lists.apache.org/list?users@activemq.apache.org. Turns out that any hits are not shown unless I click the down arrow below the calendar on the left and find the month in which the CVE was published to the mailing list.
Thank you for answering, Valentijn Valentijn Scholten Security Architect Amsterdam - Den Bosch - Eindhoven - Rotterdam - Utrecht T: +31882013140 - M: +31611348147 www.iodigital.com Disclaimer: This email and any attachments are intended solely for the intended recipient and may contain confidential or privileged information. If you have received this email in error, please notify the sender immediately and delete the email from your system. Unauthorized use, disclosure, copying, or distribution of this email is strictly prohibited. From: Justin Bertram <jbert...@apache.org> Sent: Tuesday, 21 January 2025 18:27 To: users@activemq.apache.org Subject: Re: Subscribe to Security Advisories You don't often get email from jbert...@apache.org<mailto:jbert...@apache.org>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Part of the official process [1] is that when a release contains a fix for a CVE then the CVE is announced to the same list(s) where the release announcement is sent (which includes the dev and users list). However, sometimes that process is not completed properly. You said that none of the issues listed for Classic [2] or Artemis [3] are mentioned/announced on the users of dev list, but that is not accurate. These CVEs weren't announced: - Classic - CVE-2018-8006 - Artemis - CVE-2023-50780 However, all of these were announced: - Classic - CVE-2024-32114 [4] - CVE-2023-46604 [5] - CVE-2022-41678 [6] - CVE-2021-26117 [7] - CVE-2020-13947 [8] - CVE-2020-13920 [9] - CVE-2020-11998 [10] - CVE-2020-1941 [11] - CVE-2019-0222 [12] - CVE-2018-11775 [13] - CVE-2017-15709 [14] - CVE-2015-7559 [15] - CVE-2016-6810 [16] - CVE-2016-0734 [17] - CVE-2016-0782 [18] - CVE-2016-3088 [19] - CVE-2015-5254 [20] - CVE-2015-1830 [21] - CVE-2014-3576 [22] - CVE-2014-3600 [23] - CVE-2014-3612 [23] - CVE-2014-8110 [23] - Artemis - CVE-2022-35278 [24] - CVE-2022-23913 [25] - CVE-2021-26117 [26] - CVE-2021-26118 [27] - CVE-2020-13932 [28] - CVE-2017-12174 [29] - CVE-2016-4978 [30] Therefore, if you want to stay up-to-date with CVE announcements I recommend you subscribe to the users list. Justin [1] https://www.apache.org/security/committers.html#announce [2] https://activemq.apache.org/components/classic/security [3] https://activemq.apache.org/components/artemis/security [4] https://lists.apache.org/thread/3jv37jmsntkz8smdsz9pc81gm0cgzmb5 [5] https://lists.apache.org/thread/y1ztwb3gktny47mj9sdv2sbw49nkgsgp [6] https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl [7] https://lists.apache.org/thread/ng3clz6d2t7lf2tszrgx9dyblg5bly33 [8] https://lists.apache.org/thread/ykz6opjl6jx0wnjjr07yxmpltrotph6g [9] https://lists.apache.org/thread/2ygfjqm7zgjyjnlhg0t9j3d2kkywlrr7 [10] https://lists.apache.org/thread/schqxfr96qgldtgkb2p7bszrgvnlw1qw [11] https://lists.apache.org/thread/1vwm0fs5hn0jpzhsb2k3y4fsp3cfz0ht [12] https://lists.apache.org/thread/r9xg4n7jrk9pop0mn92x8psf58w3ywp7 [13] https://lists.apache.org/thread/9nb30zn32cc9gfhr35j68f73g1c8jmp7 [14] https://lists.apache.org/thread/o67jcmzsscc9stkdff3s8oq4wh7l8rq0 [15] https://lists.apache.org/thread/56ldcfqrfpjc4hrt5t9m7hy660t0mhbv [16 https://lists.apache.org/thread/1pobsj2khdm7xsc5dmwy3wnlm19l7wfr [17] https://lists.apache.org/thread/pnqzbbs0430zx8tzhk2vpp87zt78zvsh [18] https://lists.apache.org/thread/lqff101srwjntrdtgw22n32srosl2psc [19] https://lists.apache.org/thread/6h7zhdl112bz8nzqtrq5vv2os84t6drn [20] https://lists.apache.org/thread/7kvrrhjtlw8x2wvmgrpoob8q7wy1w3hf [21] https://lists.apache.org/thread/co0g3dt5orpqvcj2b0mqg1owy5jlcdmw [22] https://lists.apache.org/thread/tl5db4y4go6kogm1dc3h318b1hco9n5o [23] https://lists.apache.org/thread/z7hs4s1q0ow2bvtgmbh6hrgqdb10sq9d [24] https://lists.apache.org/thread/6q0fdxtg6zhqmzq27fpm986tqdtw2zh3 [25] https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2 [26] https://lists.apache.org/thread/ng3clz6d2t7lf2tszrgx9dyblg5bly33 [27] https://lists.apache.org/thread/p74v46k3hpp6z819tt5kkwmllknrkdgj [28] https://lists.apache.org/thread/6yyc24y3yt3c0w9dsk5wovc0wrbg30lr [29] https://lists.apache.org/thread/r025jwylg6vnnfospdyp3n09bv6z61bv [30] https://lists.apache.org/thread/l3g1z24x0ownjg4kq2q47y98cxomnvd3 On Mon, Jan 20, 2025 at 2:55 AM Valentijn Scholten <valentijn.schol...@iodigital.com.invalid<mailto:valentijn.schol...@iodigital.com.invalid>> wrote: Hi, Is there any way to “subscribe” to Security Advisories, or something like an RSS feed? I notice that none the CVEs mentioned in * https://activemq.apache.org/components/classic/security * https://activemq.apache.org/components/artemis/security Are not mentioned/announced here in the “users” mailing list nor “dev” mailing list. Valentijn Valentijn Scholten Security Architect [cid:ii_19489b23ace8346b3811] Amsterdam<https://www.iodigital.com/nl/over-ons/campussen/campus-Amsterdam> ‑ Den Bosch<https://www.iodigital.com/nl/over-ons/campussen/campus-Den-Bosch> ‑ Eindhoven<https://www.iodigital.com/nl/over-ons/campussen/campus-Eindhoven> ‑ Rotterdam<https://www.iodigital.com/nl/over-ons/campussen/campus-Rotterdam> ‑ Utrecht<https://www.iodigital.com/nl/over-ons/campussen/campus-Utrecht> T: +31882013140<tel:+31882013140> ‑ M: +31611348147<tel:+31611348147> www.iodigital.com<https://www.iodigital.com/> Disclaimer: This email and any attachments are intended solely for the intended recipient and may contain confidential or privileged information. If you have received this email in error, please notify the sender immediately and delete the email from your system. Unauthorized use, disclosure, copying, or distribution of this email is strictly prohibited.
