Debian Bug report logs -
#908950
activemq: CVE-2018-11775: ActiveMQ Client: Missing TLS Hostname Verification
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 16 Sep 2018 14:36:01 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version activemq/5.14.3-3
Fixed in version activemq/5.15.6-1
Done: Markus Koschany <apo@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#908950; Package src:activemq.
(Sun, 16 Sep 2018 14:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Sun, 16 Sep 2018 14:36:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: activemq
Version: 5.14.3-3
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for activemq.
CVE-2018-11775[0]:
| TLS hostname verification when using the Apache ActiveMQ Client before
| 5.15.6 was missing which could make the client vulnerable to a MITM
| attack between a Java application using the ActiveMQ client and the
| ActiveMQ server. This is now enabled by default.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-11775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11775
[1] http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 16 Sep 2018 14:57:05 GMT) (full text, mbox, link).
Reply sent
to Markus Koschany <apo@debian.org>:
You have taken responsibility.
(Tue, 18 Sep 2018 19:51:10 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 18 Sep 2018 19:51:10 GMT) (full text, mbox, link).
Message #12 received at 908950-close@bugs.debian.org (full text, mbox, reply):
Source: activemq
Source-Version: 5.15.6-1
We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 908950@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated activemq package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 18 Sep 2018 20:56:32 +0200
Source: activemq
Binary: libactivemq-java activemq
Architecture: source
Version: 5.15.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
activemq - Java message broker - server
libactivemq-java - Java message broker core libraries
Closes: 907688 908950
Changes:
activemq (5.15.6-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 5.15.6.
- Fix CVE-2018-11775: ActiveMQ Client: Missing TLS Hostname Verification.
Thanks to Salvatore Bonaccorso for the report. (Closes: #908950)
* Declare compliance with Debian Policy 4.2.1.
* Add a new patch and fix the current FTBFS because debian/maven.rules does
not work as expected with maven plugins. (Closes: #907688)
Checksums-Sha1:
edc898631d75c869db7b632337145ff463f6901a 3552 activemq_5.15.6-1.dsc
b54a13c96a880f38d2f017a8c11635c446b6dfd8 2665256 activemq_5.15.6.orig.tar.xz
24f0ffc9a94d336a5e3061e1cda3c861d1f0af91 16216 activemq_5.15.6-1.debian.tar.xz
4a191a8229cddf77765a03d05e7e724304580d68 17879 activemq_5.15.6-1_amd64.buildinfo
Checksums-Sha256:
cba33c810a38897a620108e2a2e0126724e8a194057cfead613864fed6f902d0 3552 activemq_5.15.6-1.dsc
a2e09e93c84056a21a3406d480898fc6902341c8913c799b073340e69a89c96e 2665256 activemq_5.15.6.orig.tar.xz
b6b4e5f6c367522f0ba349d1bd76e75c38b1d01f30655a1d5cc881e8eb75ae9b 16216 activemq_5.15.6-1.debian.tar.xz
8e86ee0b450cf8319dfb10cf674a8e45c27ca398c8c868824049efd93e5ea810 17879 activemq_5.15.6-1_amd64.buildinfo
Files:
a907557cf9c13afec1ed08a183c73536 3552 java optional activemq_5.15.6-1.dsc
ef5a41a9e4db217ee18f05e5851f84d7 2665256 java optional activemq_5.15.6.orig.tar.xz
3a05d27a46e5d8efc234be4222ef4b02 16216 java optional activemq_5.15.6-1.debian.tar.xz
5bef7fc4e98af8feb2fa2478b3a80cf1 17879 java optional activemq_5.15.6-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAluhUH1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HktGIQAJepq9ikHhVvwmYZT8RP5obkOS8AtlmgOz/q
4lS14GGob71UBvF4saEqGYfU0pPbWuVsrMX/mheT1ib0IgxMlRNTgqNikQPafIyP
JP6qHk0kKf0/MntWkNywc1B/RiQFILZS2auSBsSfz9P+VYpx3xVKOqyo2wmDvrqY
DRPk2KuTCQbe9GNj47DkodD4INQujjzDBl3eNxOfEL3grvInqLG9SR5GYpvvd3GS
QTUcxD9qp7JLnnO6Tjiz5ew8CfNmvG0zxyFUU0vkuN3lqAFaJD8ddi2k6fSRXQN6
xKhp44KjBA53BcHzsAfhYsWgyoNJ25iboiW3/+e1RZvhuHT2UoeF3xeDIDCdeQUp
x7w0RBLuxHDNSBmST2u1UIhAlq9W0LYhNrlaUQ8ealWchfeQe84HvAK6J29qaB6p
D5RiNzoMJ6DReaS181B0D1dQv/b5X9KO0fLoSsWdrOZZoWR8n+4lJUKN/CH9wzTP
SFb3CdJaPXRnOEkmOspSb1fIYsRzKUyPFRtU4fJk8Th0qJImgxtlV7tHON0I+RyC
qwbWQwox0Puu1sPsdeBtqkg8dRvDD6u+YyblT9pN25yx8Qi/Jf+BpchXJzjVRgh4
BN8Q8u5vLceMYFigSRrkSY4s6wlZIL/WzTI2+cJyR0MnVkkfl5Q8CxP3yyECWSCF
TyT+TlSI
=ZliI
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 22 Oct 2018 07:27:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:05:15 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon