Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package activemq, the version 5.6.0+dfsg1-4 fixes two security issues. Thank you unblock activemq/5.6.0+dfsg1-4 diff -Nru activemq-5.6.0+dfsg1/debian/changelog activemq-5.6.0+dfsg1/debian/changelog --- activemq-5.6.0+dfsg1/debian/changelog 2014-11-21 14:02:18.000000000 +0100 +++ activemq-5.6.0+dfsg1/debian/changelog 2015-02-18 20:04:41.000000000 +0100 @@ -1,3 +1,14 @@ +activemq (5.6.0+dfsg1-4) unstable; urgency=high + + * Team upload. + * Fixed security issues (Closes: #777196) + - CVE-2014-3612: JAAS LDAPLoginModule allows empty password authentication + - CVE-2014-3600: XML External Entity expansion when evaluating XPath + expressions + * Standards-Version updated to 3.9.6 (no changes) + + -- Emmanuel Bourg <[email protected]> Wed, 18 Feb 2015 20:04:38 +0100 + activemq (5.6.0+dfsg1-3) unstable; urgency=high * Team upload. diff -Nru activemq-5.6.0+dfsg1/debian/control activemq-5.6.0+dfsg1/debian/control --- activemq-5.6.0+dfsg1/debian/control 2014-09-29 09:26:05.000000000 +0200 +++ activemq-5.6.0+dfsg1/debian/control 2015-02-18 20:03:58.000000000 +0100 @@ -55,9 +55,9 @@ libxbean-java-doc, libxpp3-java, libxstream-java (>= 1.4) -Standards-Version: 3.9.5 +Standards-Version: 3.9.6 Vcs-Git: git://anonscm.debian.org/pkg-java/activemq.git -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/activemq.git +Vcs-Browser: http://anonscm.debian.org/cgit/pkg-java/activemq.git Homepage: http://activemq.apache.org Package: libactivemq-java diff -Nru activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3600.patch activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3600.patch --- activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3600.patch 1970-01-01 01:00:00.000000000 +0100 +++ activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3600.patch 2015-02-18 19:42:35.000000000 +0100 @@ -0,0 +1,239 @@ +Description: Fix CVE-2014-3600: XML External Entity expansion when evaluating XPath expressions. + This patch can be removed after upgrading to ActiveMQ 5.10.1 or later. +Origin: backport, https://github.com/apache/activemq/commit/b9696ac +Bug: https://issues.apache.org/jira/browse/AMQ-5333 +--- a/activemq-optional/src/main/java/org/apache/activemq/filter/JAXPXPathEvaluator.java ++++ b/activemq-optional/src/main/java/org/apache/activemq/filter/JAXPXPathEvaluator.java +@@ -21,11 +21,13 @@ + import javax.jms.BytesMessage; + import javax.jms.JMSException; + import javax.jms.TextMessage; ++import javax.xml.parsers.DocumentBuilder; + import javax.xml.xpath.XPath; + import javax.xml.xpath.XPathConstants; + import javax.xml.xpath.XPathExpressionException; + import javax.xml.xpath.XPathFactory; + ++import org.w3c.dom.Document; + import org.xml.sax.InputSource; + + import org.apache.activemq.command.Message; +@@ -61,8 +63,9 @@ + private boolean evaluate(byte[] data) { + try { + InputSource inputSource = new InputSource(new ByteArrayInputStream(data)); +- return ((Boolean)expression.evaluate(inputSource, XPathConstants.BOOLEAN)).booleanValue(); +- } catch (XPathExpressionException e) { ++ Document inputDocument = builder.parse(inputSource); ++ return ((Boolean)xpath.evaluate(xpathExpression, inputDocument, XPathConstants.BOOLEAN)).booleanValue(); ++ } catch (Exception e) { + return false; + } + } +@@ -70,8 +73,9 @@ + private boolean evaluate(String text) { + try { + InputSource inputSource = new InputSource(new StringReader(text)); +- return ((Boolean)expression.evaluate(inputSource, XPathConstants.BOOLEAN)).booleanValue(); +- } catch (XPathExpressionException e) { ++ Document inputDocument = builder.parse(inputSource); ++ return ((Boolean)xpath.evaluate(xpathExpression, inputDocument, XPathConstants.BOOLEAN)).booleanValue(); ++ } catch (Exception e) { + return false; + } + } +--- a/activemq-core/src/main/java/org/apache/activemq/filter/XalanXPathEvaluator.java ++++ b/activemq-core/src/main/java/org/apache/activemq/filter/XalanXPathEvaluator.java +@@ -25,6 +25,8 @@ + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.xpath.XPath; ++import javax.xml.xpath.XPathConstants; ++import javax.xml.xpath.XPathFactory; + + import org.w3c.dom.Document; + import org.w3c.dom.traversal.NodeIterator; +@@ -35,13 +37,20 @@ + import org.apache.xpath.CachedXPathAPI; + import org.apache.xpath.objects.XObject; + +- + public class XalanXPathEvaluator implements XPathExpression.XPathEvaluator { + +- private final String xpath; +- +- public XalanXPathEvaluator(String xpath) { +- this.xpath = xpath; ++ private static final XPathFactory FACTORY = XPathFactory.newInstance(); ++ private final String xpathExpression; ++ private final DocumentBuilder builder; ++ private final XPath xpath = FACTORY.newXPath(); ++ ++ public XalanXPathEvaluator(String xpathExpression, DocumentBuilder builder) throws Exception { ++ this.xpathExpression = xpathExpression; ++ if (builder != null) { ++ this.builder = builder; ++ } else { ++ throw new RuntimeException("No document builder available"); ++ } + } + + public boolean evaluate(Message m) throws JMSException { +@@ -61,22 +70,9 @@ + try { + + InputSource inputSource = new InputSource(new ByteArrayInputStream(data)); +- +- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); +- factory.setNamespaceAware(true); +- DocumentBuilder dbuilder = factory.newDocumentBuilder(); +- Document doc = dbuilder.parse(inputSource); +- +- CachedXPathAPI cachedXPathAPI = new CachedXPathAPI(); +- XObject result = cachedXPathAPI.eval(doc, xpath); +- if (result.bool()) +- return true; +- else { +- NodeIterator iterator = cachedXPathAPI.selectNodeIterator(doc, xpath); +- return (iterator.nextNode() != null); +- } +- +- } catch (Throwable e) { ++ Document inputDocument = builder.parse(inputSource); ++ return ((Boolean) xpath.evaluate(xpathExpression, inputDocument, XPathConstants.BOOLEAN)).booleanValue(); ++ } catch (Exception e) { + return false; + } + } +@@ -84,28 +80,15 @@ + private boolean evaluate(String text) { + try { + InputSource inputSource = new InputSource(new StringReader(text)); +- +- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); +- factory.setNamespaceAware(true); +- DocumentBuilder dbuilder = factory.newDocumentBuilder(); +- Document doc = dbuilder.parse(inputSource); +- +- //An XPath expression could return a true or false value instead of a node. +- //eval() is a better way to determine the boolean value of the exp. +- //For compliance with legacy behavior where selecting an empty node returns true, +- //selectNodeIterator is attempted in case of a failure. +- +- CachedXPathAPI cachedXPathAPI = new CachedXPathAPI(); +- XObject result = cachedXPathAPI.eval(doc, xpath); +- if (result.bool()) +- return true; +- else { +- NodeIterator iterator = cachedXPathAPI.selectNodeIterator(doc, xpath); +- return (iterator.nextNode() != null); +- } +- +- } catch (Throwable e) { ++ Document inputDocument = builder.parse(inputSource); ++ return ((Boolean) xpath.evaluate(xpathExpression, inputDocument, XPathConstants.BOOLEAN)).booleanValue(); ++ } catch (Exception e) { + return false; + } + } ++ ++ @Override ++ public String toString() { ++ return xpathExpression; ++ } + } +--- a/activemq-core/src/main/java/org/apache/activemq/filter/XPathExpression.java ++++ b/activemq-core/src/main/java/org/apache/activemq/filter/XPathExpression.java +@@ -19,8 +19,15 @@ + import java.io.IOException; + import java.lang.reflect.Constructor; + import java.lang.reflect.InvocationTargetException; ++import java.util.ArrayList; ++import java.util.List; ++import java.util.Map; ++import java.util.Properties; + + import javax.jms.JMSException; ++import javax.xml.parsers.DocumentBuilder; ++import javax.xml.parsers.DocumentBuilderFactory; ++import javax.xml.parsers.ParserConfigurationException; + + import org.apache.activemq.command.Message; + import org.apache.activemq.util.JMSExceptionSupport; +@@ -35,8 +42,10 @@ + private static final Logger LOG = LoggerFactory.getLogger(XPathExpression.class); + private static final String EVALUATOR_SYSTEM_PROPERTY = "org.apache.activemq.XPathEvaluatorClassName"; + private static final String DEFAULT_EVALUATOR_CLASS_NAME = XalanXPathEvaluator.class.getName(); ++ public static final String DOCUMENT_BUILDER_FACTORY_FEATURE = "org.apache.activemq.documentBuilderFactory.feature"; + + private static final Constructor EVALUATOR_CONSTRUCTOR; ++ private static DocumentBuilder builder = null; + + static { + String cn = System.getProperty(EVALUATOR_SYSTEM_PROPERTY, DEFAULT_EVALUATOR_CLASS_NAME); +@@ -44,6 +53,21 @@ + try { + try { + m = getXPathEvaluatorConstructor(cn); ++ DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance(); ++ builderFactory.setNamespaceAware(true); ++ builderFactory.setIgnoringElementContentWhitespace(true); ++ builderFactory.setIgnoringComments(true); ++ try { ++ // set some reasonable defaults ++ builderFactory.setFeature("http://xml.org/sax/features/external-general-entities";, false); ++ builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";, false); ++ builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true); ++ } catch (ParserConfigurationException e) { ++ LOG.warn("Error setting document builder factory feature", e); ++ } ++ // setup the feature from the system property ++ setupFeatures(builderFactory); ++ builder = builderFactory.newDocumentBuilder(); + } catch (Throwable e) { + LOG.warn("Invalid " + XPathEvaluator.class.getName() + " implementation: " + cn + ", reason: " + e, e); + cn = DEFAULT_EVALUATOR_CLASS_NAME; +@@ -75,12 +99,41 @@ + if (!XPathEvaluator.class.isAssignableFrom(c)) { + throw new ClassCastException("" + c + " is not an instance of " + XPathEvaluator.class); + } +- return c.getConstructor(new Class[] {String.class}); ++ return c.getConstructor(new Class[] {String.class, DocumentBuilder.class}); ++ } ++ ++ protected static void setupFeatures(DocumentBuilderFactory factory) { ++ Properties properties = System.getProperties(); ++ List<String> features = new ArrayList<String>(); ++ for (Map.Entry<Object, Object> prop : properties.entrySet()) { ++ String key = (String) prop.getKey(); ++ if (key.startsWith(DOCUMENT_BUILDER_FACTORY_FEATURE)) { ++ String uri = key.split(DOCUMENT_BUILDER_FACTORY_FEATURE + ":")[1]; ++ Boolean value = Boolean.valueOf((String)prop.getValue()); ++ try { ++ factory.setFeature(uri, value); ++ features.add("feature " + uri + " value " + value); ++ } catch (ParserConfigurationException e) { ++ LOG.warn("DocumentBuilderFactory doesn't support the feature {} with value {}, due to {}.", new Object[]{uri, value, e}); ++ } ++ } ++ } ++ if (features.size() > 0) { ++ StringBuffer featureString = new StringBuffer(); ++ // just log the configured feature ++ for (String feature : features) { ++ if (featureString.length() != 0) { ++ featureString.append(", "); ++ } ++ featureString.append(feature); ++ } ++ } ++ + } + + private XPathEvaluator createEvaluator(String xpath2) { + try { +- return (XPathEvaluator)EVALUATOR_CONSTRUCTOR.newInstance(new Object[] {xpath}); ++ return (XPathEvaluator)EVALUATOR_CONSTRUCTOR.newInstance(new Object[] {xpath, builder}); + } catch (InvocationTargetException e) { + Throwable cause = e.getCause(); + if (cause instanceof RuntimeException) { diff -Nru activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3612.patch activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3612.patch --- activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3612.patch 1970-01-01 01:00:00.000000000 +0100 +++ activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3612.patch 2015-02-18 19:42:28.000000000 +0100 @@ -0,0 +1,312 @@ +Description: Fix CVE-2014-3612: ActiveMQ JAAS: LDAPLoginModule allows empty password authentication. + This patch can be removed after upgrading to ActiveMQ 5.10.1 or later. +Origin: backport, https://github.com/apache/activemq/commit/0b5231ad +Bug: https://issues.apache.org/jira/browse/AMQ-5345 +--- a/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java ++++ b/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java +@@ -465,11 +465,15 @@ + try { + Hashtable<String, String> env = new Hashtable<String, String>(); + env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory); +- if (connectionUsername != null || !"".equals(connectionUsername)) { ++ if (connectionUsername != null && !"".equals(connectionUsername)) { + env.put(Context.SECURITY_PRINCIPAL, connectionUsername); ++ } else { ++ throw new NamingException("Empty username is not allowed"); + } +- if (connectionPassword != null || !"".equals(connectionPassword)) { ++ if (connectionPassword != null && !"".equals(connectionPassword)) { + env.put(Context.SECURITY_CREDENTIALS, connectionPassword); ++ } else { ++ throw new NamingException("Empty password is not allowed"); + } + env.put(Context.SECURITY_PROTOCOL, connectionProtocol); + env.put(Context.PROVIDER_URL, connectionURL); +--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java ++++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java +@@ -194,7 +194,7 @@ + try { + + String filter = userSearchMatchingFormat.format(new String[] { +- username ++ doRFC2254Encoding(username) + }); + SearchControls constraints = new SearchControls(); + if (userSearchSubtreeBool) { +@@ -291,7 +291,7 @@ + return list; + } + String filter = roleSearchMatchingFormat.format(new String[] { +- doRFC2254Encoding(dn), username ++ doRFC2254Encoding(dn), doRFC2254Encoding(username) + }); + + SearchControls constraints = new SearchControls(); +@@ -408,9 +408,14 @@ + env.put(Context.INITIAL_CONTEXT_FACTORY, getLDAPPropertyValue(INITIAL_CONTEXT_FACTORY)); + if (isLoginPropertySet(CONNECTION_USERNAME)) { + env.put(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME)); ++ } else { ++ throw new NamingException("Empty username is not allowed"); + } ++ + if (isLoginPropertySet(CONNECTION_PASSWORD)) { + env.put(Context.SECURITY_CREDENTIALS, getLDAPPropertyValue(CONNECTION_PASSWORD)); ++ } else { ++ throw new NamingException("Empty password is not allowed"); + } + env.put(Context.SECURITY_PROTOCOL, getLDAPPropertyValue(CONNECTION_PROTOCOL)); + env.put(Context.PROVIDER_URL, getLDAPPropertyValue(CONNECTION_URL)); +@@ -433,7 +438,7 @@ + + private boolean isLoginPropertySet(String propertyName) { + for (int i=0; i < config.length; i++ ) { +- if (config[i].getPropertyName() == propertyName && config[i].getPropertyValue() != null) ++ if (config[i].getPropertyName() == propertyName && (config[i].getPropertyValue() != null && !"".equals(config[i].getPropertyValue()))) + return true; + } + return false; +--- a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java ++++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java +@@ -41,7 +41,9 @@ + import java.util.HashSet; + import java.util.Hashtable; + ++import static org.junit.Assert.assertEquals; + import static org.junit.Assert.assertTrue; ++import static org.junit.Assert.fail; + + @RunWith ( FrameworkRunner.class ) + @CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)}) +@@ -121,4 +123,29 @@ + context.logout(); + } + ++ @Test ++ public void testUnauthenticated() throws LoginException { ++ LoginContext context = new LoginContext("UnAuthenticatedLDAPLogin", new CallbackHandler() { ++ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { ++ for (int i = 0; i < callbacks.length; i++) { ++ if (callbacks[i] instanceof NameCallback) { ++ ((NameCallback) callbacks[i]).setName("first"); ++ } else if (callbacks[i] instanceof PasswordCallback) { ++ ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray()); ++ } else { ++ throw new UnsupportedCallbackException(callbacks[i]); ++ } ++ } ++ } ++ }); ++ try { ++ context.login(); ++ } catch (LoginException le) { ++ assertEquals(le.getCause().getMessage(), "Empty password is not allowed"); ++ return; ++ } ++ fail("Should have failed authenticating"); ++ } ++ ++ + } +--- a/activemq-jaas/src/test/resources/login.config ++++ b/activemq-jaas/src/test/resources/login.config +@@ -40,6 +40,25 @@ + ; + }; + ++UnAuthenticatedLDAPLogin { ++ org.apache.activemq.jaas.LDAPLoginModule required ++ debug=true ++ initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory ++ connectionURL="ldap://localhost:1024"; ++ connectionUsername="uid=admin,ou=system" ++ connectionPassword="" ++ connectionProtocol=s ++ authentication=simple ++ userBase="ou=system" ++ userSearchMatching="(uid={0})" ++ userSearchSubtree=false ++ roleBase="ou=system" ++ roleName=dummyRoleName ++ roleSearchMatching="(uid={1})" ++ roleSearchSubtree=false ++ ; ++}; ++ + GuestLogin { + org.apache.activemq.jaas.GuestLoginModule required + debug=true +--- /dev/null ++++ b/activemq-unit-tests/src/test/java/org/apache/activemq/security/LDAPAuthenticationTest.java +@@ -0,0 +1,83 @@ ++/** ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package org.apache.activemq.security; ++import static org.junit.Assert.assertNotNull; ++import static org.junit.Assert.fail; ++ ++import javax.jms.Connection; ++import javax.jms.Destination; ++import javax.jms.JMSException; ++import javax.jms.Message; ++import javax.jms.MessageConsumer; ++import javax.jms.MessageProducer; ++import javax.jms.Queue; ++import javax.jms.Session; ++ ++import org.apache.activemq.ActiveMQConnectionFactory; ++import org.apache.activemq.broker.BrokerFactory; ++import org.apache.activemq.broker.BrokerService; ++import org.apache.directory.server.annotations.CreateLdapServer; ++import org.apache.directory.server.annotations.CreateTransport; ++import org.apache.directory.server.core.annotations.ApplyLdifFiles; ++import org.apache.directory.server.core.integ.AbstractLdapTestUnit; ++import org.apache.directory.server.core.integ.FrameworkRunner; ++import org.apache.directory.server.ldap.LdapServer; ++import org.junit.After; ++import org.junit.Before; ++import org.junit.Test; ++import org.junit.runner.RunWith; ++ ++ ++@RunWith( FrameworkRunner.class ) ++@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)}) ++@ApplyLdifFiles( ++ "org/apache/activemq/security/activemq.ldif" ++) ++public class LDAPAuthenticationTest extends AbstractLdapTestUnit { ++ ++ public BrokerService broker; ++ ++ public static LdapServer ldapServer; ++ ++ @Before ++ public void setup() throws Exception { ++ System.setProperty("ldapPort", String.valueOf(getLdapServer().getPort())); ++ ++ broker = BrokerFactory.createBroker("xbean:org/apache/activemq/security/activemq-ldap-auth.xml"); ++ broker.start(); ++ broker.waitUntilStarted(); ++ } ++ ++ @After ++ public void shutdown() throws Exception { ++ broker.stop(); ++ broker.waitUntilStopped(); ++ } ++ ++ @Test ++ public void testWildcard() throws Exception { ++ ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616"); ++ Connection conn = factory.createQueueConnection("*", "sunflower"); ++ try { ++ conn.createSession(false, Session.AUTO_ACKNOWLEDGE); ++ } catch (Exception e) { ++ e.printStackTrace(); ++ return; ++ } ++ fail("Should have failed connecting"); ++ } ++} +\ No newline at end of file +--- a/activemq-core/src/test/java/org/apache/activemq/security/LDAPSecurityTest.java ++++ b/activemq-core/src/test/java/org/apache/activemq/security/LDAPSecurityTest.java +@@ -38,7 +38,7 @@ + + + @RunWith( FrameworkRunner.class ) +-@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")}) ++@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)}) + @ApplyLdifFiles( + "org/apache/activemq/security/activemq.ldif" + ) +--- a/activemq-core/src/test/resources/login.config ++++ b/activemq-core/src/test/resources/login.config +@@ -65,4 +65,23 @@ + debug=true + org.apache.activemq.jaas.textfiledn.user="org/apache/activemq/security/users2.properties" + org.apache.activemq.jaas.textfiledn.group="org/apache/activemq/security/groups.properties"; ++}; ++ ++LDAPLogin { ++ org.apache.activemq.jaas.LDAPLoginModule required ++ debug=true ++ initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory ++ connectionURL="ldap://localhost:1024"; ++ connectionUsername="uid=admin,ou=system" ++ connectionPassword=secret ++ connectionProtocol=s ++ authentication=simple ++ userBase="ou=User,ou=ActiveMQ,ou=system" ++ userSearchMatching="(uid={0})" ++ userSearchSubtree=false ++ roleBase="ou=Group,ou=ActiveMQ,ou=system" ++ roleName=cn ++ roleSearchMatching="(uid={1})" ++ roleSearchSubtree=true ++ ; + }; +\ No newline at end of file +--- /dev/null ++++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-ldap-auth.xml +@@ -0,0 +1,46 @@ ++<?xml version="1.0" encoding="UTF-8"?> ++<!-- ++ Licensed to the Apache Software Foundation (ASF) under one or more ++ contributor license agreements. See the NOTICE file distributed with ++ this work for additional information regarding copyright ownership. ++ The ASF licenses this file to You under the Apache License, Version 2.0 ++ (the "License"); you may not use this file except in compliance with ++ the License. You may obtain a copy of the License at ++ ++ http://www.apache.org/licenses/LICENSE-2.0 ++ ++ Unless required by applicable law or agreed to in writing, software ++ distributed under the License is distributed on an "AS IS" BASIS, ++ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ See the License for the specific language governing permissions and ++ limitations under the License. ++--> ++<!-- START SNIPPET: xbean --> ++<beans ++ xmlns="http://www.springframework.org/schema/beans"; ++ xmlns:amq="http://activemq.apache.org/schema/core"; ++ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; ++ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd ++ http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd";> ++ ++ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> ++ ++ <broker useJmx="false" xmlns="http://activemq.apache.org/schema/core"; persistent="false"> ++ ++ <destinations> ++ <queue physicalName="ADMIN.FOO" /> ++ </destinations> ++ ++ <plugins> ++ <jaasAuthenticationPlugin configuration="LDAPLogin"/> ++ </plugins> ++ ++ ++ <transportConnectors> ++ <transportConnector uri="tcp://localhost:61616"/> ++ </transportConnectors> ++ ++ </broker> ++ ++</beans> ++<!-- END SNIPPET: xbean --> diff -Nru activemq-5.6.0+dfsg1/debian/patches/series activemq-5.6.0+dfsg1/debian/patches/series --- activemq-5.6.0+dfsg1/debian/patches/series 2014-09-29 09:26:05.000000000 +0200 +++ activemq-5.6.0+dfsg1/debian/patches/series 2015-02-18 19:06:29.000000000 +0100 @@ -7,3 +7,5 @@ activemq-admin.patch exclude_mqtt.diff exclude_leveldb.diff +CVE-2014-3600.patch +CVE-2014-3612.patch -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
