Hi Roberto,

Which version of activemq are you using in the debian package?

regards,
François
[email protected]

On 31/03/2021 at 21:21, Roberto C. Sánchez wrote:
> Hi Brian,
>
> Thanks for your help. I am working to backport dc194fc977ab to address
> CVE-2020-13933 and after that I will move on to the fixes for
> CVE-2020-17510 and CVE-2020-17523.
>
> As far as the maintainability of a 1.3.x package, upgrading to a newer
> version is not an option for two reasons. First, I am working on
> addressing these vulnerabilities in Debian Stretch, which is in the LTS
> stage of its lifecycle, making an update to a new upstream release very
> unlikely. Second, the shiro package in Debian was last updated about 2
> years ago and even in Debian unstable 1.3.x is the highest available
> version. Any update to a new upstream version would need to start in
> the unstable distribution.
>
> As an additional complication, the activemq package in Debian depends on
> the shiro package, so a shiro update would need to be coordinated in a
> way that ensures it doesn't break activemq.
>
> That said, I will bring the issue up to see if I can get an update
> started so that at the least the next Debian stable release has
> something more recent.
>
> Regards,
>
> -Roberto
>
> On Tue, Mar 16, 2021 at 05:50:50PM -0400, Brian Demers wrote:
>> Hey Roberto,
>>
>> Sorry about the delay on this one, I originally thought we had answered
>> your question.
>>
>> The commit you are looking for is
>> https://github.com/apache/shiro/commit/dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d
>>
>> If you are maintaining a 1.3.x package this is going to become more
>> difficult, is it possible to deprecate it and move to a recent version?
>>
>>
>>
>> On Sat, Jan 30, 2021 at 4:45 PM Roberto C. Sánchez <[email protected]>
>> wrote:
>>
>>> Bump.
>>>
>>> On Tue, Dec 22, 2020 at 09:30:47AM -0500, Roberto C. Sánchez wrote:
>>>> On Mon, Dec 21, 2020 at 09:33:44PM +0100, Benjamin Marwell wrote:
>>>>> Hi Roberto,
>>>>>
>>>>> after talking to the PMC chair, I can give you three commit links.
>>>>>
>>>>> https://github.com/apache/shiro/commit/042c59356cc6442345a9f935aed3e7603cb4dfad
>>>>> https://github.com/apache/shiro/commit/5b1add9a4c4ed046b52cf2132ed0f264a22caf1d
>>>>> https://github.com/apache/shiro/commit/1b9d8d99cd6d50d7114916508a13677a0fe6f345
>>>>>
>>>>> I guess it is quite obvious what is inside these commits.
>>>>>
>>>> Hi Ben,
>>>>
>>>> These commits seem to have been made after the 1.6.0 release and before
>>>> the 1.7.0 release. My belief is that they address CVE-2020-17510. Can
>>>> you tell me if dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is the commit
>>>> that addresses CVE-2020-13933? Are there other commits that go along
>>>> with it to completely remedy CVE-2020-13933?
>>>>
>>>> Regards,
>>>>
>>>> -Roberto
>>>>
>>>> --
>>>> Roberto C. Sánchez
>>> --
>>> Roberto C. Sánchez
>>>
