- Bug
- Resolution: Done
- Major
- None
- AMQ 7.11.5.GA
- None
A serious security defect, tracked as CVE-2023-46604, was raised against the OpenWire protocol handlers in 2023. The CVE was reported fixed in AMQ 7.11.4, but the shipped file `activemq-openwire-legacy-5.11.0.redhat-630517.jar` carries a filesystem timestamp of Jan 2023. That is before the fix.
This is confusing to customers and/or their security scanners. We tell customers that the CVE is fixed, but a casual look at the timestamps suggests that the JARs are still affected. To see when the JARs were actually built, we have to look at the timestamps of the entries inside the archive, or unpack specific files from the `META-INF/` directory.
I understand that the 'incorrect' timestamps are an artefact of the product build process, and do not reflect the actual build date. It's clear, with detailed inspection, that the changes for the CVE have been incorporated. But it's not obvious to customers.
It seems logical to me that the timestamps on files should reflect the time when their contents were updated.
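The check described above (ignore the JAR's filesystem timestamp and look at the dates of the entries inside the archive and at `META-INF/MANIFEST.MF`) can be scripted so that a reviewer or a scanner triage can answer the "was this built after the fix?" question without unpacking by hand. The following is an added example, not code from this report or from the AMQ project. It builds a small, clearly fake JAR in memory (the entry names, manifest text and cutoff date are constructed for the demonstration) and reports the newest entry timestamp, which is the figure that actually reflects when the contents were produced; `inspect_jar_path` does the same against a real file on disk and also shows the misleading outer mtime for comparison.

```python
import io
import os
import zipfile
from datetime import datetime


def build_sample_jar(entry_time):
    """Constructed sample JAR (not a real AMQ artifact).

    entry_time is a (year, month, day, hour, minute, second) tuple that is
    stamped on every entry, mimicking what a build tool writes into the zip.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest = zipfile.ZipInfo("META-INF/MANIFEST.MF", date_time=entry_time)
        # Manifest content is constructed; version string is illustrative only.
        zf.writestr(manifest, "Manifest-Version: 1.0\n"
                              "Implementation-Version: 5.11.0.example\n")
        cls = zipfile.ZipInfo("org/example/Dummy.class", date_time=entry_time)
        zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic, nothing more
    return buf.getvalue()


def jar_build_info(jar_bytes):
    """Return (newest entry timestamp as ISO string, manifest text).

    The newest internal entry date is the best offline indicator of when the
    archive contents were produced; the outer file mtime is whatever the
    packaging step happened to leave behind.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        newest = max(datetime(*info.date_time) for info in zf.infolist())
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""  # not every JAR ships a manifest
    return newest.isoformat(), manifest


def built_after(jar_bytes, cutoff_iso):
    """True if the newest internal entry is on/after the given ISO-8601 cutoff.

    cutoff_iso is whatever date the reviewer treats as "the fix landed";
    callers supply it, this example does not hard-code a real fix date.
    """
    newest_iso, _ = jar_build_info(jar_bytes)
    return datetime.fromisoformat(newest_iso) >= datetime.fromisoformat(cutoff_iso)


def inspect_jar_path(path):
    """Compare a real JAR's misleading outer mtime with its internal dates."""
    with open(path, "rb") as fh:
        data = fh.read()
    outer = datetime.fromtimestamp(os.path.getmtime(path)).isoformat()
    inner, manifest = jar_build_info(data)
    return {"file_mtime": outer, "newest_entry": inner, "manifest": manifest}


if __name__ == "__main__":
    # Constructed dates: one archive stamped before the cutoff, one after.
    cutoff = "2023-10-01T00:00:00"
    old = build_sample_jar((2023, 1, 10, 9, 0, 0))
    new = build_sample_jar((2023, 11, 15, 10, 30, 0))
    for label, jar in (("old", old), ("new", new)):
        newest, manifest = jar_build_info(jar)
        print(label, "newest entry:", newest,
              "built after cutoff:", built_after(jar, cutoff))
        print(manifest.strip())
```

The entry dates come from the zip local headers, so they survive a repackaging step that rewrites the outer file; that is why the report's observation (manifest and inner timestamps prove the fix is present) holds even when the JAR's own mtime says otherwise. The same approach works with `unzip -l` on the command line, which lists the per-entry dates directly.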