Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <[email protected]>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #861200,
regarding jessie-pu: package activemq/5.6.0+dfsg1-4+deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
861200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861200
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi,
I would like to fix CVE-2015-7599 for Jessie. The security team marked
this issue as no-dsa. Please find attached the debdiff.
Regards,
Markus
diff -Nru activemq-5.6.0+dfsg1/debian/changelog
activemq-5.6.0+dfsg1/debian/changelog
--- activemq-5.6.0+dfsg1/debian/changelog 2016-03-18 22:24:26.000000000
+0100
+++ activemq-5.6.0+dfsg1/debian/changelog 2017-04-25 21:01:20.000000000
+0200
@@ -1,3 +1,11 @@
+activemq (5.6.0+dfsg1-4+deb8u3) jessie; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2015-7599:
+ DoS in activemq-core via shutdown command. (Closes: #860866)
+
+ -- Markus Koschany <[email protected]> Tue, 25 Apr 2017 21:01:20 +0200
+
activemq (5.6.0+dfsg1-4+deb8u2) jessie-security; urgency=high
* Team upload.
diff -Nru activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch
activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch
--- activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch 1970-01-01
01:00:00.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch 2017-04-25
21:01:20.000000000 +0200
@@ -0,0 +1,47 @@
+From: Markus Koschany <[email protected]>
+Date: Tue, 25 Apr 2017 20:59:50 +0200
+Subject: CVE-2015-7559
+
+Bug-Debian: https://bugs.debian.org/860866
+Bug-Upstream: https://issues.apache.org/jira/browse/AMQ-6470
+Origin: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=b8fc78e
+---
+ .../java/org/apache/activemq/ActiveMQConnection.java | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git
a/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
b/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
+index 57ca8f1..d5797d6 100755
+--- a/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
++++ b/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
+@@ -1860,7 +1860,6 @@ public class ActiveMQConnection implements Connection,
TopicConnection, QueueCon
+
+ @Override
+ public Response processControlCommand(ControlCommand
command) throws Exception {
+- onControlCommand(command);
+ return null;
+ }
+
+@@ -2296,23 +2295,6 @@ public class ActiveMQConnection implements Connection,
TopicConnection, QueueCon
+ inputStreams.remove(stream);
+ }
+
+- protected void onControlCommand(ControlCommand command) {
+- String text = command.getCommand();
+- if (text != null) {
+- if ("shutdown".equals(text)) {
+- LOG.info("JVM told to shutdown");
+- System.exit(0);
+- }
+- if (false && "close".equals(text)){
+- LOG.error("Broker " + getBrokerInfo() + "shutdown
connection");
+- try {
+- close();
+- } catch (JMSException e) {
+- }
+- }
+- }
+- }
+-
+ protected void onConnectionControl(ConnectionControl command) {
+ if (command.isFaultTolerant()) {
+ this.optimizeAcknowledge = false;
diff -Nru activemq-5.6.0+dfsg1/debian/patches/series
activemq-5.6.0+dfsg1/debian/patches/series
--- activemq-5.6.0+dfsg1/debian/patches/series 2016-03-18 22:24:26.000000000
+0100
+++ activemq-5.6.0+dfsg1/debian/patches/series 2017-04-25 21:01:20.000000000
+0200
@@ -11,3 +11,4 @@
CVE-2014-3612.patch
CVE-2014-3576.patch
CVE-2015-5254.patch
+CVE-2015-7559.patch
--- End Message ---
--- Begin Message ---
Version: 8.8
Hi,
Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!
Regards,
Adam
--- End Message ---
