Skip to content

Bump dependencies for CVE fixes on 6.2.x#2030

Open
jbonofre wants to merge 1 commit into
apache:activemq-6.2.xfrom
jbonofre:bump-deps-cve-6.2.x
Open

Bump dependencies for CVE fixes on 6.2.x#2030
jbonofre wants to merge 1 commit into
apache:activemq-6.2.xfrom
jbonofre:bump-deps-cve-6.2.x

Conversation

@jbonofre
Copy link
Copy Markdown
Member

@jbonofre jbonofre commented May 20, 2026
edited
Loading

Bumps four dependency properties in the parent pom.xml to pick up published CVE fixes / patch releases for the 6.2.x line:

Dependency From To Notes
camel-version 4.14.4 4.14.7 CVE-2026-47323 (CXF/Knative header injection -> RCE), CVE-2026-27172 (ConsulRegistry deserialization), CVE-2026-28367 (request smuggling). Latest 4.14.x LTS patch.
jolokia-version 2.5.0 2.6.0 Routine patch bump.
snappy-version 1.1.2 1.1.10.7 CVE-2023-34455, CVE-2023-43642 (DoS via unchecked chunk length). Property is currently dead (no ${snappy-version} reference) but kept for hygiene.
spring-version 6.2.16 6.2.18 Pulls March/April 2026 Spring Framework fixes.

Jetty was evaluated but 11.0.26 is already the latest 11.0.x on Maven Central, so no bump.

@jbonofre
Bump dependencies for CVE fixes on 6.2.x
d744bb2 
- camel 4.14.4 -> 4.14.7 (CVE-2026-47323, CVE-2026-27172, CVE-2026-28367)
- jolokia 2.5.0 -> 2.6.0
- snappy 1.1.2 -> 1.1.10.7 (CVE-2023-34455, CVE-2023-43642)
- spring 6.2.16 -> 6.2.18
@jbonofre jbonofre requested a review from cshannon May 20, 2026 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cshannon cshannon cshannon approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jbonofre @cshannon