Tags: security upstream fixed-upstream
The following vulnerability was published for activemq. I'm not very
familiar with activemq itself, so I'm reporting this with initial
severity grave, but let me know if you disagree.
Upstream advisory is at :
| JMS Object messages depend on Java Serialization for marshaling/unmarshaling
| of the message payload. There are a couple of places inside the broker where
| deserialization can occur, like the web console or STOMP object message
| transformation. As deserialization of untrusted data can lead to security
| flaws, as demonstrated in various reports, this leaves the broker vulnerable to
| this attack vector. Additionally, applications that consume the ObjectMessage type
| of message can be vulnerable, as they deserialize objects on
| ObjectMessage.getObject() calls.
| Upgrade to Apache ActiveMQ 5.13.0. Additionally, if you're using the ObjectMessage
| message type, you need to explicitly list trusted packages. To see how to do
| that, please take a look at: http://activemq.apache.org/objectmessage.html
If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
This is the maintainer address of Debian's Java team. Use
debian-j...@lists.debian.org for discussions and questions.
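The consumer-side hardening the upstream advisory refers to, as an added example written for this report (it is not code from the bug reporter or from the ActiveMQ project): the ActiveMQ 5.13.0 client only deserializes ObjectMessage payloads whose classes live in packages the application has explicitly trusted, so the fix for an application is to set that list on the connection factory and to treat getObject() as the point where untrusted bytes become objects. The broker URL tcp://localhost:61616, the queue name "orders" and the application package com.example.orders are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.List;

import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;

import org.apache.activemq.ActiveMQConnectionFactory;

/**
 * Example consumer that restricts ObjectMessage deserialization to a
 * whitelist of packages (ActiveMQ client >= 5.13.0 / 5.12.2).
 * Added example for this bug report; not from the ActiveMQ project.
 */
public class TrustedObjectMessageConsumer {

    // Assumed: the only Serializable payload classes this application
    // exchanges live in this package.
    private static final List<String> TRUSTED_PACKAGES =
            Arrays.asList("com.example.orders");

    public static void main(String[] args) throws JMSException {
        // Assumed broker address for the example.
        ActiveMQConnectionFactory factory =
                new ActiveMQConnectionFactory("tcp://localhost:61616");

        // Before 5.13.0 any Serializable class on the consumer's classpath
        // could be instantiated by a message sender. From 5.13.0 on, classes
        // outside the trusted packages are rejected and getObject() fails
        // with a JMSException instead of deserializing the payload.
        factory.setTrustedPackages(TRUSTED_PACKAGES);

        // Never enable this in a hardened deployment: it restores the
        // pre-5.13.0 "deserialize anything" behaviour.
        // factory.setTrustAllPackages(true);

        Connection connection = factory.createConnection();
        try {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            // Assumed queue name for the example.
            MessageConsumer consumer = session.createConsumer(session.createQueue("orders"));

            Message msg = consumer.receive(5000);
            if (msg instanceof ObjectMessage) {
                try {
                    // Deserialization happens here and nowhere earlier; the
                    // client checks the class's package against the whitelist
                    // as the object stream is read.
                    Object payload = ((ObjectMessage) msg).getObject();
                    System.out.println("Accepted payload of type "
                            + (payload == null ? "null" : payload.getClass().getName()));
                } catch (JMSException rejected) {
                    // A payload from an untrusted package (e.g. a gadget-chain
                    // class) ends up here rather than being instantiated.
                    System.err.println("Rejected ObjectMessage: " + rejected.getMessage());
                }
            } else if (msg != null) {
                System.out.println("Ignoring non-object message " + msg.getJMSMessageID());
            }
        } finally {
            connection.close();
        }
    }
}
```

Two caveats a packager or admin will want to check: the whitelist only protects code that goes through the 5.13.0 client library, so an application that is still linked against an older activemq-client jar is unprotected regardless of the broker version; and for applications whose source cannot be changed, the same list can be supplied to the 5.13.0 client through the org.apache.activemq.SERIALIZABLE_PACKAGES system property (a comma-separated package list) instead of the setTrustedPackages() call above, as described on the upstream objectmessage page linked in the advisory.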