
Debian Bug report logs - #860866
activemq: CVE-2015-7559: DoS in client via shutdown command


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 21 Apr 2017 06:27:01 UTC

Severity: serious

Tags: patch, security, upstream

Found in version activemq/5.6.0+dfsg1-4

Fixed in versions activemq/5.14.3-3, activemq/5.6.0+dfsg1-4+deb8u3

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/AMQ-6470



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860866; Package src:activemq. (Fri, 21 Apr 2017 06:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 21 Apr 2017 06:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: activemq: CVE-2015-7559: DoS in client via shutdown command
Date: Fri, 21 Apr 2017 08:24:01 +0200
Source: activemq
Version: 5.6.0+dfsg1-4
Severity: important
Tags: upstream patch security
Forwarded: https://issues.apache.org/jira/browse/AMQ-6470

Hi,

the following vulnerability was published for activemq.

CVE-2015-7559[0]:
DoS in client via shutdown command

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-7559
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7559
[1] https://issues.apache.org/jira/browse/AMQ-6470
[2] https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=b8fc78e

I'm not too familiar with activemq, but from code inspection only, the
class (although on a different path in the source) is present in the
version in jessie as well.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860866; Package src:activemq. (Fri, 21 Apr 2017 14:30:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 21 Apr 2017 14:30:03 GMT)


Message #10 received at 860866@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 860866@bugs.debian.org
Subject: Re: activemq: CVE-2015-7559: DoS in client via shutdown command
Date: Fri, 21 Apr 2017 16:28:03 +0200
Control: severity -1 serious

Let's fix that in Stretch too.

Markus


Severity set to 'serious' from 'important' Request was from Markus Koschany <apo@debian.org> to 860866-submit@bugs.debian.org. (Fri, 21 Apr 2017 14:30:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860866; Package src:activemq. (Fri, 21 Apr 2017 15:27:08 GMT)


Message #15 received at 860866@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 860866@bugs.debian.org, 860866-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the activemq package
Date: Fri, 21 Apr 2017 15:23:13 +0000
tag 860866 + pending
thanks

Some bugs in the activemq package are closed in revision
f25d1922b1221f9ad8bf44825827cb12e4c19084 in branch 'master' by Markus
Koschany

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/activemq.git/commit/?id=f25d192

Commit message:

    Fix CVE-2017-7559
    
    Closes: #860866
    Thanks: Salvatore Bonaccorso for the report.




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Fri, 21 Apr 2017 15:27:10 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#860866. (Fri, 21 Apr 2017 15:27:12 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Fri, 21 Apr 2017 15:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 21 Apr 2017 15:51:03 GMT)


Message #25 received at 860866-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 860866-close@bugs.debian.org
Subject: Bug#860866: fixed in activemq 5.14.3-3
Date: Fri, 21 Apr 2017 15:48:52 +0000
Source: activemq
Source-Version: 5.14.3-3

We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860866@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated activemq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 21 Apr 2017 16:24:41 +0200
Source: activemq
Binary: libactivemq-java libactivemq-java-doc activemq
Architecture: source
Version: 5.14.3-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 activemq   - Java message broker - server
 libactivemq-java - Java message broker core libraries
 libactivemq-java-doc - Java message broker core libraries - documentation
Closes: 860866
Changes:
 activemq (5.14.3-3) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2017-7559.
     DoS in client via shutdown command.
     Thanks to Salvatore Bonaccorso for the report. (Closes: #860866)
Checksums-Sha1:
 2d550284bf5ec01dc797ce479a7ea79370470667 3646 activemq_5.14.3-3.dsc
 9f819702a3bc4f8f808f9fbe633fd3657eb2af44 15736 activemq_5.14.3-3.debian.tar.xz
 bd9eb3629c8c60850e9d812058c4839dccb1f7c9 17006 activemq_5.14.3-3_amd64.buildinfo
Checksums-Sha256:
 c1e6390c2a5d2ae0a4ac348e9677ec356628aed7dc44b8eaa199312e5b910c12 3646 activemq_5.14.3-3.dsc
 631f44d78e70a0b5aabc5f38ae0c8cde785918f44e62b8d8810ebc0d2e1533fb 15736 activemq_5.14.3-3.debian.tar.xz
 35aabe3d2af941fa321a6dfa272800d72c2285ead2aa764bc98fd8c074e7cbac 17006 activemq_5.14.3-3_amd64.buildinfo
Files:
 95ff553fa1e6b9cd7e5ac6c726b3ef31 3646 java optional activemq_5.14.3-3.dsc
 748746967306850ed23ad76d9cde3f49 15736 java optional activemq_5.14.3-3.debian.tar.xz
 994ef2581dd6d81f721af648b9ede305 17006 java optional activemq_5.14.3-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Fri, 28 Apr 2017 21:36:22 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 28 Apr 2017 21:36:22 GMT)


Message #30 received at 860866-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 860866-close@bugs.debian.org
Subject: Bug#860866: fixed in activemq 5.6.0+dfsg1-4+deb8u3
Date: Fri, 28 Apr 2017 21:32:08 +0000
Source: activemq
Source-Version: 5.6.0+dfsg1-4+deb8u3

We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860866@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated activemq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Apr 2017 21:01:20 +0200
Source: activemq
Binary: libactivemq-java libactivemq-java-doc activemq
Architecture: source all
Version: 5.6.0+dfsg1-4+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 activemq   - Java message broker - server
 libactivemq-java - Java message broker core libraries
 libactivemq-java-doc - Java message broker core libraries - documentation
Closes: 860866
Changes:
 activemq (5.6.0+dfsg1-4+deb8u3) jessie; urgency=medium
 .
   * Team upload.
   * Fix CVE-2015-7559:
     DoS in activemq-core via shutdown command. (Closes: #860866)
Checksums-Sha1:
 e602f59f41fd0e3d6601a4470a8f9f54a50c84de 3543 activemq_5.6.0+dfsg1-4+deb8u3.dsc
 b9965cf7e7d5066afceb7b7f1327a040710b60d3 22832 activemq_5.6.0+dfsg1-4+deb8u3.debian.tar.xz
 a38c53ef9a62f38e206420cba32a26f69a909b38 3588612 libactivemq-java_5.6.0+dfsg1-4+deb8u3_all.deb
 56f1656250033b1079cd3dac8af7b015269034f5 3500384 libactivemq-java-doc_5.6.0+dfsg1-4+deb8u3_all.deb
 f36e6e2472e1d1c278ae922cda07d85e45b8bb63 49530 activemq_5.6.0+dfsg1-4+deb8u3_all.deb
Checksums-Sha256:
 ade25083dbd340d06c8cce2ba102699570a5e813c8d6201e7377d34d6dee1883 3543 activemq_5.6.0+dfsg1-4+deb8u3.dsc
 157f8da007d7abf96068db9fd0c346c522d178c64124dbef5b335d67f6bd5286 22832 activemq_5.6.0+dfsg1-4+deb8u3.debian.tar.xz
 f4f75936a477a0c008f3426b8941320973f80c655cde9d57f74529c4f8a4f9dc 3588612 libactivemq-java_5.6.0+dfsg1-4+deb8u3_all.deb
 a7ebc3d28e58d47abfb5961f16116f5dc028c124c2ed4f1225ba52e84ded2eb2 3500384 libactivemq-java-doc_5.6.0+dfsg1-4+deb8u3_all.deb
 fae6a78ab06fa5c5e9870360f5e625588a9dbe6339e4125abee85d969400b0f3 49530 activemq_5.6.0+dfsg1-4+deb8u3_all.deb
Files:
 33eeff00b4dd095b3eed954eb59753ea 3543 java optional activemq_5.6.0+dfsg1-4+deb8u3.dsc
 adb79aaa6b842c434c7366825da34bd9 22832 java optional activemq_5.6.0+dfsg1-4+deb8u3.debian.tar.xz
 7347aa1c985332bbc31e1df8844a7161 3588612 java optional libactivemq-java_5.6.0+dfsg1-4+deb8u3_all.deb
 2fd27305135c9d2496395ca6f901affe 3500384 doc optional libactivemq-java-doc_5.6.0+dfsg1-4+deb8u3_all.deb
 969707bbcd38ce1b6758c97a3f23bab4 49530 java optional activemq_5.6.0+dfsg1-4+deb8u3_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 27 May 2017 07:30:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:33:53 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.