DPE-3220 Backport security fixes from Camel 4.14.x #159
CVE-2026-40453 camel-coap backport from 4.14.6
CVE-2026-33454 camel-mail backport from 4.14.6
CVE-2026-27172 camel-consul from 4.14.6
CVE-2026-40453 camel-google-pubsub from 4.14.6
CVE-2026-40453 camel-jms from 4.14.6
CVE-2026-40453 camel-sjms from 4.14.6
CVE-2026-40473 camel-mina from 4.14.6
CVE-2026-47323 camel-cxf-rest, camel-cxf-transport, camel-knative-http from 4.14.6
CVE-2026-40860 camel-jms, camel-sjms, camel-sjms2, camel-amqp, camel-activemq, camel-activemq6 from 4.14.7
CVE-2026-40858 camel-infinispan from 4.14.7
Sounds weird; it looks like you backported a new feature introduced in 4.14 (https://issues.apache.org/jira/browse/CAMEL-23222) along with its security fix. Is it intended?
Same remark for Google Pubsub (https://issues.apache.org/jira/browse/CAMEL-22403). It is a new feature introduced in 4.14, so I don't get why we need to backport it to fix the CVE introduced by this feature.
    props.add("exceptionHandler");
    props.add("exchangePattern");
    props.add("headerFilterStrategy");
    props.add("includeAllGoogleProperties");
I'm not sure it is a good idea to introduce includeAllGoogleProperties in a patch version.
essobedo
left a comment
Congrats, huge work. I approve it as it is, but I still want to say that I'm not really a fan of these sometimes partial backports of features to get CVE fixes. It may be even more complex in the future to maintain this branch due to those partial backports.