Package: release.debian.org Severity: normal Tags: jessie User: [email protected] Usertags: pu
Hi, I would like to fix CVE-2015-7599 for Jessie. The security team marked this issue as no-dsa. Please find attached the debdiff. Regards, Markus
diff -Nru activemq-5.6.0+dfsg1/debian/changelog activemq-5.6.0+dfsg1/debian/changelog
--- activemq-5.6.0+dfsg1/debian/changelog 2016-03-18 22:24:26.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/changelog 2017-04-25 21:01:20.000000000 +0200
@@ -1,3 +1,11 @@
+activemq (5.6.0+dfsg1-4+deb8u3) jessie; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2015-7599:
+ DoS in activemq-core via shutdown command. (Closes: #860866)
+
+ -- Markus Koschany <[email protected]> Tue, 25 Apr 2017 21:01:20 +0200
+
 activemq (5.6.0+dfsg1-4+deb8u2) jessie-security; urgency=high

 * Team upload.
diff -Nru activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch
--- activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch 1970-01-01 01:00:00.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch 2017-04-25 21:01:20.000000000 +0200
@@ -0,0 +1,47 @@
+From: Markus Koschany <[email protected]>
+Date: Tue, 25 Apr 2017 20:59:50 +0200
+Subject: CVE-2015-7559
+
+Bug-Debian: https://bugs.debian.org/860866
+Bug-Upstream: https://issues.apache.org/jira/browse/AMQ-6470
+Origin: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=b8fc78e
+---
+ .../java/org/apache/activemq/ActiveMQConnection.java | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java b/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
+index 57ca8f1..d5797d6 100755
+--- a/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
++++ b/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
+@@ -1860,7 +1860,6 @@ public class ActiveMQConnection implements Connection, TopicConnection, QueueCon
+
+ @Override
+ public Response processControlCommand(ControlCommand command) throws Exception {
+- onControlCommand(command);
+ return null;
+ }
+
+@@ -2296,23 +2295,6 @@ public class ActiveMQConnection implements Connection, TopicConnection, QueueCon
+ inputStreams.remove(stream);
+ }
+
+- protected void onControlCommand(ControlCommand command) {
+- String text = command.getCommand();
+- if (text != null) {
+- if ("shutdown".equals(text)) {
+- LOG.info("JVM told to shutdown");
+- System.exit(0);
+- }
+- if (false && "close".equals(text)){
+- LOG.error("Broker " + getBrokerInfo() + "shutdown connection");
+- try {
+- close();
+- } catch (JMSException e) {
+- }
+- }
+- }
+- }
+-
+ protected void onConnectionControl(ConnectionControl command) {
+ if (command.isFaultTolerant()) {
+ this.optimizeAcknowledge = false;
diff -Nru activemq-5.6.0+dfsg1/debian/patches/series activemq-5.6.0+dfsg1/debian/patches/series
--- activemq-5.6.0+dfsg1/debian/patches/series 2016-03-18 22:24:26.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/patches/series 2017-04-25 21:01:20.000000000 +0200
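Review bot: The CVE identifier is inconsistent across this upload: the patch header in this hunk (`Subject: CVE-2015-7559`, file `CVE-2015-7559.patch`) disagrees with the changelog entry and the request text, which both say CVE-2015-7599. The changelog is usually what vulnerability tracking and later audits key on, so the id should be checked against the issue named in `Bug-Upstream` and written the same way in all three places before the upload. On the code, the inner patch leaves `processControlCommand` returning null with no explanation; a one-line comment such as `// Broker-sent control commands are deliberately ignored by the client.` would make it less likely that the call is reintroduced. Both inner hunks sit inside the `ActiveMQConnection` class, whose body starts and ends outside the patch.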
@@ -11,3 +11,4 @@
 CVE-2014-3612.patch
 CVE-2014-3576.patch
 CVE-2015-5254.patch
+CVE-2015-7559.patch

