Your message dated Sun, 13 Mar 2016 22:51:18 +0000
with message-id <e1afer0-000295...@franck.debian.org>
and subject line Bug#809733: fixed in activemq 5.13.2+dfsg-1
has caused the Debian Bug report #809733,
regarding activemq: CVE-2015-5254: unsafe deserialization
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
809733: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809733
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: activemq
Version: 5.6.0+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for activemq. I'm not very
familiar with activemq itself, so I'm reporting this with initial
severity grave, but let me know if you disagree.

CVE-2015-5254[0]:
Unsafe deserialization

Upstream advisory is at [1]:
| Description:
|
| JMS Object messages depend on Java Serialization for marshaling/unmarshaling
| of the message payload. There are a couple of places inside the broker where
| deserialization can occur, like web console or stomp object message
| transformation. As deserialization of untrusted data can lead to security
| flaws as demonstrated in various reports, this leaves the broker vulnerable to
| this attack vector. Additionally, applications that consume ObjectMessage type
| of messages can be vulnerable as they deserialize objects on
| ObjectMessage.getObject() calls.
|
| Mitigation:
|
| Upgrade to Apache ActiveMQ 5.13.0. Additionally if you're using ObjectMessage
| message type, you need to explicitly list trusted packages. To see how to do
| that, please take a look at: http://activemq.apache.org/objectmessage.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5254
[1] http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt

Regards,
Salvatore

--- End Message ---
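The mitigation the advisory quotes (explicitly listing the packages an ObjectMessage consumer is allowed to deserialize) as an added Java example. This is not code from the bug report, the advisory or the ActiveMQ project; it assumes the 5.13.x client API (`ActiveMQConnectionFactory.setTrustedPackages` and `setTrustAllPackages`), an `activemq-broker` 5.13.x jar plus a JMS 1.1 API jar on the classpath, an embedded broker started through the `vm://` transport, and a constructed payload class `AuditEvent` in a hypothetical `demo` package sent over a queue named `demo.audit`:

```java
package demo;

import java.io.Serializable;
import java.util.Arrays;
import java.util.List;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.ObjectMessage;
import javax.jms.Queue;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class TrustedPackagesDemo {

    /** Constructed payload type for this demo; its class name starts with "demo". */
    public static class AuditEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String actor;
        AuditEvent(String actor) { this.actor = actor; }
    }

    /**
     * Sends one ObjectMessage and reads it back through a connection factory
     * configured with the given trusted package list. Returns the payload, or
     * null when the client refused to deserialize it.
     */
    static Object roundTrip(List<String> trustedPackages) throws JMSException {
        // The vm:// transport starts an embedded, non-persistent broker in this JVM.
        ActiveMQConnectionFactory factory =
            new ActiveMQConnectionFactory("vm://localhost?broker.persistent=false");
        // Allow-list instead of trusting every Serializable class on the classpath.
        factory.setTrustAllPackages(false);
        factory.setTrustedPackages(trustedPackages);

        Connection connection = factory.createConnection();
        connection.start();
        try {
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue queue = session.createQueue("demo.audit");
            MessageProducer producer = session.createProducer(queue);
            MessageConsumer consumer = session.createConsumer(queue);

            // The sender serializes the object; nothing is checked at this point.
            producer.send(session.createObjectMessage(new AuditEvent("alice")));

            ObjectMessage received = (ObjectMessage) consumer.receive(5000);
            if (received == null) {
                throw new JMSException("no message received within 5s");
            }
            try {
                // Deserialization happens here. The client's object input stream
                // rejects any class whose name does not start with a trusted package.
                return received.getObject();
            } catch (JMSException refused) {
                System.out.println("refused: " + refused.getMessage());
                return null;
            }
        } finally {
            connection.close();
        }
    }

    public static void main(String[] args) throws JMSException {
        // Trusting only "java.lang" does not cover demo.TrustedPackagesDemo$AuditEvent.
        Object first = roundTrip(Arrays.asList("java.lang"));
        System.out.println("java.lang only   -> " + (first == null ? "rejected" : "accepted"));

        // Naming the payload's own package lets getObject() succeed.
        Object second = roundTrip(Arrays.asList("java.lang", "demo"));
        System.out.println("java.lang + demo -> " + (second == null ? "rejected" : "accepted"));
    }
}
```

The allow-list is matched by class-name prefix, so list the narrowest packages that actually carry message payloads rather than a broad parent. The same list can be supplied to an unmodified client through the `org.apache.activemq.SERIALIZABLE_PACKAGES` system property documented on the objectmessage page linked in the advisory. Where an application never needs ObjectMessage at all, not calling `getObject()` (and using text or bytes messages with an explicit format) removes the attack surface instead of filtering it.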
--- Begin Message ---
Source: activemq
Source-Version: 5.13.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 809...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated activemq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Mar 2016 22:53:35 +0100
Source: activemq
Binary: libactivemq-java libactivemq-java-doc activemq
Architecture: source all
Version: 5.13.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 activemq   - Java message broker - server
 libactivemq-java - Java message broker core libraries
 libactivemq-java-doc - Java message broker core libraries - documentation
Closes: 770455 808636 809733
Changes:
 activemq (5.13.2+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fixes FTBFS. (Closes: #808636)
     - Fixes CVE-2015-5254: unsafe deserialization and all other security
       vulnerabilities. (Closes: #809733)
   * Switch from cdbs to dh sequencer.
   * Use Files-Excluded mechanism and drop orig-tar.sh
   * Vcs-fields: Use https.
   * Use java7-runtime-headless as alternative dependency for activemq.
   * Declare compliance with Debian Policy 3.9.7.
   * Remove debian/maven.cleanIgnoreRules.
   * debian/patches:
     - Drop all CVE-* patches. Fixed upstream.
     - Drop activemq-admin.patch because this file does not exist anymore.
     - Drop disable_some_modules.diff and disable modules with
       libactivemq-java.poms instead.
     - Drop exclude-* patches.
     - Rebase init_debian_default_values.diff.
     - Drop javadoc_links.diff because the activemq-core module does not exist
       anymore.
     - Add disable-broker-test-dependency.patch and disable test dependencies
       which would cause a FTBFS.
     - Add exclude-geronimo-jca.patch and remove code that depends on geronimo
       jca.
     - Add exclude-jmdns.patch and remove code that depends on jmdns.
   * wrap-and-sort -sa.
   * Add libderby-java to Build-Depends.
   * activemq-options: Use OpenJDK 8 as the default Java implementation.
   * Update debian/watch and point to the new repository at github.
   * activemq.postrm: Do not delete system users and groups on purge.
   * activemq.postrm: Remove /etc/activemq on purge. (Closes: #770455)
Checksums-Sha1:
 ca367ca124726d4bdd748613a0563b41fba35f0f 3535 activemq_5.13.2+dfsg-1.dsc
 50857b09ea6575bc4c985ed0d54364c291168734 2506148 activemq_5.13.2+dfsg.orig.tar.xz
 8ea31391ae5835e0da3c68d2b5d396ced8d6e7b8 15084 activemq_5.13.2+dfsg-1.debian.tar.xz
 39c6574b2d1331b2ecea78a205292f6922a03bb1 157966 activemq_5.13.2+dfsg-1_all.deb
 77ffa7f0bdf8579856b9bde7df4a962ca2756b55 3535304 libactivemq-java-doc_5.13.2+dfsg-1_all.deb
 aa6cc58fb6fef7656ecfebe185cb87c988c93fcd 3268386 libactivemq-java_5.13.2+dfsg-1_all.deb
Checksums-Sha256:
 5dbb168302ab954c543cf1db0165dea4a665661c89096c485d2f01456bead7ba 3535 activemq_5.13.2+dfsg-1.dsc
 178ad0bb2138dc064b646f981f88c0baab15f624fce321f84483297d0ff7cc98 2506148 activemq_5.13.2+dfsg.orig.tar.xz
 4bea1743ec3e55651a335dff3e51949e22b24da74e8ea3bb2c81ce2aa2185702 15084 activemq_5.13.2+dfsg-1.debian.tar.xz
 bedfae94563748e9f011150db81ed5fb58934cb9012485d56ab2338bb16b0f74 157966 activemq_5.13.2+dfsg-1_all.deb
 1349c3b3f58671106640374362ad2fa2bef124d57a68c98298589d6326753c0e 3535304 libactivemq-java-doc_5.13.2+dfsg-1_all.deb
 bad97556355d17f878eec00eb93f081215a5e00d33c03f67b6e0f002b3e3b7e3 3268386 libactivemq-java_5.13.2+dfsg-1_all.deb
Files:
 51e2ace83aadfb367cc5c67970578806 3535 java optional activemq_5.13.2+dfsg-1.dsc
 a51bacca344e9e500a5286d70a58c74c 2506148 java optional activemq_5.13.2+dfsg.orig.tar.xz
 1db76273f3840982a8db6d7a95f16ceb 15084 java optional activemq_5.13.2+dfsg-1.debian.tar.xz
 a617984a88fe4eaf2360fc9c3c35392f 157966 java optional activemq_5.13.2+dfsg-1_all.deb
 7aa54643888682805c881e4a7ea7ed36 3535304 doc optional libactivemq-java-doc_5.13.2+dfsg-1_all.deb
 d5a6bb7badca0e28cbeddf33c6a399a4 3268386 java optional libactivemq-java_5.13.2+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.