activemq: CVE-2015-5254: unsafe deserialization

Related Vulnerabilities: CVE-2015-5254  

Debian Bug report logs - #809733


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 3 Jan 2016 14:36:02 UTC

Owned by: Markus Koschany <apo@debian.org>

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version activemq/5.6.0+dfsg-1

Fixed in version activemq/5.13.2+dfsg-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/AMQ-6013



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#809733; Package src:activemq. (Sun, 03 Jan 2016 14:36:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 03 Jan 2016 14:36:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: activemq: CVE-2015-5254: unsafe deserialization
Date: Sun, 03 Jan 2016 15:33:11 +0100
Source: activemq
Version: 5.6.0+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for activemq. I'm not very
familiar with activemq itself, so I'm reporting this with initial
severity grave, but let me know if you disagree.

CVE-2015-5254[0]:
Unsafe deserialization

Upstream advisory is at [1]:
| Description:
|
| JMS Object messages depend on Java Serialization for marshaling/unmarshaling
| of the message payload. There are a couple of places inside the broker where
| deserialization can occur, like web console or stomp object message
| transformation. As deserialization of untrusted data can lead to security
| flaws as demonstrated in various reports, this leaves the broker vulnerable to
| this attack vector. Additionally, applications that consume ObjectMessage type
| of messages can be vulnerable as they deserialize objects on
| ObjectMessage.getObject() calls.
|
| Mitigation:
|
| Upgrade to Apache ActiveMQ 5.13.0. Additionally if you're using ObjectMessage
| message type, you need to explicitly list trusted packages. To see how to do
| that, please take a look at: http://activemq.apache.org/objectmessage.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5254
[1] http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt

Regards,
Salvatore
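The mitigation quoted in the advisory above, an explicit allow-list of packages whose classes an ObjectMessage consumer may deserialize, as an added example written for this log (it is not code from the bug report, from Debian or from the ActiveMQ project). It assumes ActiveMQ 5.13.0 or later on the classpath (the Debian fix is 5.13.2+dfsg-1), a broker at tcp://localhost:61616, a queue named orders and an application package com.example.orders; the URL, queue and package names are placeholders.

```java
import java.util.Arrays;
import java.util.List;

import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;

import org.apache.activemq.ActiveMQConnectionFactory;

/**
 * Added example, not part of the bug report or of ActiveMQ: a consumer that
 * only lets ObjectMessage.getObject() instantiate classes from an explicit
 * list of trusted packages. Everything else is rejected before any
 * readObject() code runs, which is the point of the CVE-2015-5254 mitigation.
 */
public class TrustedObjectMessageConsumer {

    // Placeholders for this example: adjust to your broker and application.
    static final String BROKER_URL = "tcp://localhost:61616";
    static final String QUEUE_NAME = "orders";
    static final List<String> TRUSTED_PACKAGES =
            Arrays.asList("java.lang", "java.util", "com.example.orders");

    public static void main(String[] args) throws JMSException {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        // Classes outside these packages are refused by getObject() with a
        // JMSException instead of being deserialized.
        factory.setTrustedPackages(TRUSTED_PACKAGES);
        // The opposite switch exists and disables the check entirely; leave it off.
        // factory.setTrustAllPackages(true);

        Connection connection = factory.createConnection();
        connection.start();
        Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
        MessageConsumer consumer = session.createConsumer(session.createQueue(QUEUE_NAME));

        try {
            while (true) {
                Message message = consumer.receive();
                if (message == null) {
                    break; // consumer closed
                }
                if (!(message instanceof ObjectMessage)) {
                    System.err.println("Ignoring non-object message " + message.getJMSMessageID());
                    continue;
                }
                handle((ObjectMessage) message);
            }
        } finally {
            connection.close(); // also closes the session and consumer
        }
    }

    /** Deserializes one payload; an untrusted class is logged and dropped. */
    static void handle(ObjectMessage message) throws JMSException {
        try {
            // Deserialization happens here, gated by the trusted package list.
            Object payload = message.getObject();
            System.out.println("Received " + payload.getClass().getName());
        } catch (JMSException e) {
            // Raised for classes outside the trusted packages. The message will
            // never become valid, so record it for review rather than retrying.
            System.err.println("Rejected payload in " + message.getJMSMessageID()
                    + ": " + e.getMessage());
        }
    }
}
```

The same list can be supplied without code changes through the `org.apache.activemq.SERIALIZABLE_PACKAGES` system property (a comma-separated list of packages), which is also the knob that governs the broker-side deserialization points the advisory names, the web console and STOMP object message transformation. Keep the list as short as the application allows; `java.lang` and `java.util` are needed for ordinary collections of strings and numbers, but every additional package widens what an unauthenticated producer can make the consumer instantiate.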



Set Bug forwarded-to-address to 'https://issues.apache.org/jira/browse/AMQ-6013'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Jan 2016 14:39:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#809733; Package src:activemq. (Wed, 09 Mar 2016 17:09:07 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 09 Mar 2016 17:09:07 GMT)


Message #12 received at 809733@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 808636@bugs.debian.org, 809733@bugs.debian.org
Subject: Re: activemq: FTBFS: package org.apache.kahadb.index does not exist
Date: Wed, 9 Mar 2016 18:06:09 +0100
Control: owner -1 !

On Mon, 21 Dec 2015 16:11:39 +0000 "Chris West (Faux)"
<solo-debianbugs@goeswhere.com> wrote:
> Source: activemq
> Version: 5.6.0+dfsg1-5
> Severity: serious
> Justification: fails to build from source
> Tags: sid stretch
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: ftbfs
> X-Debbugs-CC: reproducible-builds@lists.alioth.debian.org
> 
> Dear Maintainer,
> 
> The package fails to build:

[...]

I intend to package the latest upstream release of activemq. That would
also resolve #809733 and #800977. It seems the latest release is 5.13.2
and can be downloaded from

https://archive.apache.org/dist/activemq/5.13.2/

Debian's watch file points to

https://svn.apache.org/repos/asf/activemq/tags/

but they apparently stopped tagging new releases some time ago.

Markus

Owner recorded as Markus Koschany <apo@debian.org>. Request was from Markus Koschany <apo@debian.org> to 809733-submit@bugs.debian.org. (Wed, 09 Mar 2016 17:09:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>:
Bug#809733; Package src:activemq. (Wed, 09 Mar 2016 20:24:54 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>. (Wed, 09 Mar 2016 20:24:54 GMT)


Message #19 received at 809733@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Markus Koschany <apo@debian.org>, 809733@bugs.debian.org, 808636@bugs.debian.org
Subject: Re: Bug#809733: activemq: FTBFS: package org.apache.kahadb.index does not exist
Date: Wed, 09 Mar 2016 21:22:45 +0100
On 09/03/2016 18:06, Markus Koschany wrote:

> but they apparently stopped tagging new releases some time ago.

I think they migrated the source repository from Subversion to Git, the
GitHub mirror has the latest release tags:

https://github.com/apache/activemq/releases

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>:
Bug#809733; Package src:activemq. (Wed, 09 Mar 2016 20:31:43 GMT)


Acknowledgement sent to Stephen Nelson <stephen@eccostudio.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>. (Wed, 09 Mar 2016 20:31:44 GMT)


Message #24 received at 809733@bugs.debian.org:

From: Stephen Nelson <stephen@eccostudio.com>
To: 808636@bugs.debian.org, 809733@bugs.debian.org
Subject: Re: Bug#808636: activemq: FTBFS: package org.apache.kahadb.index does not exist
Date: Wed, 09 Mar 2016 20:30:15 +0000
On Wed, 9 Mar 2016, 17:09 Markus Koschany, <apo@debian.org> wrote:

> Debian's watch file points to
>
> https://svn.apache.org/repos/asf/activemq/tags/
>
> but they apparently stopped tagging new releases some time ago.

Hi Markus

I think they switched to git:

https://git-wip-us.apache.org/repos/asf?p=activemq.git

The releases are tagged there.

Thanks

Stephen
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#809733; Package src:activemq. (Wed, 09 Mar 2016 21:54:28 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 09 Mar 2016 21:54:28 GMT)


Message #29 received at 809733@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 808636@bugs.debian.org, 809733@bugs.debian.org
Subject: Re: Bug#809733: activemq: FTBFS: package org.apache.kahadb.index does not exist
Date: Wed, 9 Mar 2016 22:35:25 +0100
On 09.03.2016 at 21:22, Emmanuel Bourg wrote:
> On 09/03/2016 18:06, Markus Koschany wrote:
> 
>> but they apparently stopped tagging new releases some time ago.
> 
> I think they migrated the source repository from Subversion to Git, the
> GitHub mirror has the latest release tags:
> 
> https://github.com/apache/activemq/releases

Thanks. That makes a lot of sense. I think I'll use the github releases
then.

Cheers,

Markus


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 13 Mar 2016 22:54:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 13 Mar 2016 22:54:11 GMT)


Message #34 received at 809733-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 809733-close@bugs.debian.org
Subject: Bug#809733: fixed in activemq 5.13.2+dfsg-1
Date: Sun, 13 Mar 2016 22:51:18 +0000
Source: activemq
Source-Version: 5.13.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 809733@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated activemq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 13 Mar 2016 22:53:35 +0100
Source: activemq
Binary: libactivemq-java libactivemq-java-doc activemq
Architecture: source all
Version: 5.13.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 activemq   - Java message broker - server
 libactivemq-java - Java message broker core libraries
 libactivemq-java-doc - Java message broker core libraries - documentation
Closes: 770455 808636 809733
Changes:
 activemq (5.13.2+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fixes FTBFS. (Closes: #808636)
     - Fixes CVE-2015-5254: unsafe deserialization and all other security
       vulnerabilities. (Closes: #809733)
   * Switch from cdbs to dh sequencer.
   * Use Files-Excluded mechanism and drop orig-tar.sh
   * Vcs-fields: Use https.
   * Use java7-runtime-headless as alternative dependency for activemq.
   * Declare compliance with Debian Policy 3.9.7.
   * Remove debian/maven.cleanIgnoreRules.
   * debian/patches:
     - Drop all CVE-* patches. Fixed upstream.
     - Drop activemq-admin.patch because this file does not exist anymore.
     - Drop disable_some_modules.diff and disable modules with
       libactivemq-java.poms instead.
     - Drop exclude-* patches.
     - Rebase init_debian_default_values.diff.
     - Drop javadoc_links.diff because the activemq-core module does not exist
       anymore.
     - Add disable-broker-test-dependency.patch and disable test dependencies
       which would cause a FTBFS.
     - Add exclude-geronimo-jca.patch and remove code that depends on geronimo
       jca.
     - Add exclude-jmdns.patch and remove code that depends on jmdns.
   * wrap-and-sort -sa.
   * Add libderby-java to Build-Depends.
   * activemq-options: Use OpenJDK 8 as the default Java implementation.
   * Update debian/watch and point to the new repository at github.
   * activemq.postrm: Do not delete system users and groups on purge.
   * activemq.postrm: Remove /etc/activemq on purge. (Closes: #770455)
Checksums-Sha1:
 ca367ca124726d4bdd748613a0563b41fba35f0f 3535 activemq_5.13.2+dfsg-1.dsc
 50857b09ea6575bc4c985ed0d54364c291168734 2506148 activemq_5.13.2+dfsg.orig.tar.xz
 8ea31391ae5835e0da3c68d2b5d396ced8d6e7b8 15084 activemq_5.13.2+dfsg-1.debian.tar.xz
 39c6574b2d1331b2ecea78a205292f6922a03bb1 157966 activemq_5.13.2+dfsg-1_all.deb
 77ffa7f0bdf8579856b9bde7df4a962ca2756b55 3535304 libactivemq-java-doc_5.13.2+dfsg-1_all.deb
 aa6cc58fb6fef7656ecfebe185cb87c988c93fcd 3268386 libactivemq-java_5.13.2+dfsg-1_all.deb
Checksums-Sha256:
 5dbb168302ab954c543cf1db0165dea4a665661c89096c485d2f01456bead7ba 3535 activemq_5.13.2+dfsg-1.dsc
 178ad0bb2138dc064b646f981f88c0baab15f624fce321f84483297d0ff7cc98 2506148 activemq_5.13.2+dfsg.orig.tar.xz
 4bea1743ec3e55651a335dff3e51949e22b24da74e8ea3bb2c81ce2aa2185702 15084 activemq_5.13.2+dfsg-1.debian.tar.xz
 bedfae94563748e9f011150db81ed5fb58934cb9012485d56ab2338bb16b0f74 157966 activemq_5.13.2+dfsg-1_all.deb
 1349c3b3f58671106640374362ad2fa2bef124d57a68c98298589d6326753c0e 3535304 libactivemq-java-doc_5.13.2+dfsg-1_all.deb
 bad97556355d17f878eec00eb93f081215a5e00d33c03f67b6e0f002b3e3b7e3 3268386 libactivemq-java_5.13.2+dfsg-1_all.deb
Files:
 51e2ace83aadfb367cc5c67970578806 3535 java optional activemq_5.13.2+dfsg-1.dsc
 a51bacca344e9e500a5286d70a58c74c 2506148 java optional activemq_5.13.2+dfsg.orig.tar.xz
 1db76273f3840982a8db6d7a95f16ceb 15084 java optional activemq_5.13.2+dfsg-1.debian.tar.xz
 a617984a88fe4eaf2360fc9c3c35392f 157966 java optional activemq_5.13.2+dfsg-1_all.deb
 7aa54643888682805c881e4a7ea7ed36 3535304 doc optional libactivemq-java-doc_5.13.2+dfsg-1_all.deb
 d5a6bb7badca0e28cbeddf33c6a399a4 3268386 java optional libactivemq-java_5.13.2+dfsg-1_all.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>:
Bug#809733; Package src:activemq. (Wed, 26 Oct 2016 21:57:04 GMT)


Acknowledgement sent to "FedEx 2Day" <freddie.gould@apepazza.it>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>. (Wed, 26 Oct 2016 21:57:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 08:50:14 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:44:50 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Jun 2017 07:30:04 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:47:47 2019; Machine Name: beach
