Posts

Showing posts from 2022

Apache Karaf runtime 4.4.0 has been released!

Apache Karaf runtime 4.4.0 has been released, and it's a new milestone on the Karaf runtime roadmap. We change the major version numbering when significant changes and updates are included in a release. That's the case for 4.4.0, which starts the 4.4.x series. Let's take a quick tour of Karaf 4.4.x. OSGi R8: Karaf 4.4.x is now powered by the OSGi R8 specification. This means that Felix Framework and Equinox have been upgraded to support this OSGi release: Apache Felix Framework 7.0.3 and Equinox 3.17.200. Karaf 4.4.x also no longer uses the OSGi compendium artifact: it now uses an artifact for each "atomic" service bundle. This is much more flexible, installing exactly the required bundle instead of systematically pulling in the "uber" compendium bundle. OSGi R8 core doesn't bring big changes in the Karaf context, but two additions are interesting: Condition service: in OSGi, a condition is simply a component that registers the marke...

Apache ActiveMQ 5.17.0 is there!

Finally, after several months of work, Apache ActiveMQ 5.17.0 has been released. This is a major milestone on the Apache ActiveMQ roadmap, bringing a lot of changes and already preparing ActiveMQ 5.18.x. Let's take a quick tour of some major changes in ActiveMQ 5.17.0. JDK 11+: while ActiveMQ 5.16.x already supported JDK 11+ at runtime, the build still used JDK 8. ActiveMQ 5.17.0 now requires JDK 11+ for both build and runtime. Spring 5.x: before ActiveMQ 5.17.0, we used Spring 4.x, a deprecated (no longer maintained) version of Spring. That was a concern, as Spring 5.x includes improvements and fixes, especially CVE fixes. So it made sense to bump to Spring 5.x (the latest available major version right now). From a user standpoint, nothing changes: the main conf/activemq.xml is basically the same. Log4j 2.x: ActiveMQ 5.16.4 switched from log4j 1.x to reload4j in order to fix CVE issues (see Apache ActiveMQ 5.16.4, reload4j and more for details). In ActiveMQ 5.17.x, we decided ...

Apache ActiveMQ 5.16.4, reload4j and more

Apache ActiveMQ 5.16.4 has just been released. This release is an important one in the ActiveMQ 5.16.x series, bringing several important changes and fixes. Reload4j replaces log4j: Apache ActiveMQ 5.16.3 uses log4j 1.x. While this log4j version is not affected by the log4shell vulnerability, it is affected by several other security issues. reload4j ( https://reload4j.qos.ch/ ) is a fork of log4j 1.2.17 with the goal of fixing pressing security issues. Apache ActiveMQ 5.16.4 now uses reload4j 1.2.19, bringing the following security fixes compared to log4j 1.2.17: CVE-2021-4104 (JMSAppender), CVE-2022-23302 (JMSSink), CVE-2019-17571 (SocketServer), CVE-2020-9493 and CVE-2022-23307 (Chainsaw), CVE-2022-23305 (JDBCAppender), broken MDC in newer JDKs, XML entity injection attack, and CVE-2020-9488 (SMTPAppender). There's no impact for users: the conf/log4j.properties configuration file is the same as before; only the jar files changed. While ActiveMQ 5.17.x will use log4j 2.x, ActiveMQ...