CVE-2014-3576

Debian Bug report logs - #792857
CVE-2014-3576

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2014-3576

Date: Sun, 19 Jul 2015 14:44:22 +0200

Source: activemq
Severity: grave
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3576 is scarce on
details, but per the fixed upstream release probably affects oldstable
and stable.

Cheers,
        Moritz

Message #10 received at 792857@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: Moritz Muehlenhoff <jmm@debian.org>, 792857@bugs.debian.org

Subject: Re: Bug#792857: CVE-2014-3576

Date: Sun, 19 Jul 2015 17:35:54 +0200

Le 19/07/2015 14:44, Moritz Muehlenhoff a écrit :

> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3576 is scarce on
> details, but per the fixed upstream release probably affects oldstable
> and stable.

I suspect this was fixed with this commit [1]. This modification was
released with the version 5.11, but it wasn't included in the version
5.10.1 [1] as reported in the RedHat bug.

Emmanuel Bourg

[1] https://github.com/apache/activemq/commit/00921f2
[2]
https://github.com/apache/activemq/blob/activemq-5.10.1/activemq-broker/src/main/java/org/apache/activemq/broker/TransportConnection.java#L1536

Message #15 received at 792857@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: Moritz Muehlenhoff <jmm@debian.org>, 792857@bugs.debian.org

Subject: Re: Bug#792857: CVE-2014-3576

Date: Wed, 22 Jul 2015 15:24:45 +0200

The fix has been confirmed by an upstream developer:

http://mail-archives.apache.org/mod_mbox/activemq-dev/201507.mbox/%3CCAKChZ-TruL3Sm3GW9B3Nr1L3fsxDH_X95rGhm85rfXh9_zVJfg%40mail.gmail.com%3E

Message #22 received at 792857@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Emmanuel Bourg <ebourg@apache.org>

Cc: team@security.debian.org, 792857@bugs.debian.org

Subject: Re: Bug#792857: CVE-2014-3576

Date: Wed, 29 Jul 2015 22:41:20 +0200

On Wed, Jul 22, 2015 at 03:24:45PM +0200, Emmanuel Bourg wrote:
> The fix has been confirmed by an upstream developer:
> 
> http://mail-archives.apache.org/mod_mbox/activemq-dev/201507.mbox/%3CCAKChZ-TruL3Sm3GW9B3Nr1L3fsxDH_X95rGhm85rfXh9_zVJfg%40mail.gmail.com%3E

Could you prepare updated packages for oldstable-security and
stable-security?

Cheers,
        Moritz

Message #27 received at 792857-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: 792857-close@bugs.debian.org

Subject: Bug#792857: fixed in activemq 5.6.0+dfsg1-4+deb8u1

Date: Mon, 10 Aug 2015 18:47:05 +0000

Source: activemq
Source-Version: 5.6.0+dfsg1-4+deb8u1

We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 792857@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated activemq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 03 Aug 2015 19:17:04 +0200
Source: activemq
Binary: libactivemq-java libactivemq-java-doc activemq
Architecture: source all
Version: 5.6.0+dfsg1-4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 activemq   - Java message broker - server
 libactivemq-java - Java message broker core libraries
 libactivemq-java-doc - Java message broker core libraries - documentation
Closes: 792857
Changes:
 activemq (5.6.0+dfsg1-4+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fixed CVE-2014-3576: DoS via unauthenticated remote shutdown command
     (Closes: #792857)
Checksums-Sha1:
 f4a4038b1ce5fa63854b05571f9eee6105f7f2d8 3376 activemq_5.6.0+dfsg1-4+deb8u1.dsc
 35c7110357af332d9ccc92a46e14e344927449df 1724296 activemq_5.6.0+dfsg1.orig.tar.xz
 d7dfc604909a0503460565cd7e11716e95ddffab 19980 activemq_5.6.0+dfsg1-4+deb8u1.debian.tar.xz
 94a06c7f8f9ba4fdf1a874b18a6d3f2d244a20ce 3580006 libactivemq-java_5.6.0+dfsg1-4+deb8u1_all.deb
 e1ef8b77586e09678100d0bb85b791d6ede09260 3515692 libactivemq-java-doc_5.6.0+dfsg1-4+deb8u1_all.deb
 120b1b98f861382a775fc68dfdbc0876d2f0d28e 49342 activemq_5.6.0+dfsg1-4+deb8u1_all.deb
Checksums-Sha256:
 d373361bc06af51caaf78c98667d91413bf8d8d272eae4c361466c5a1d664020 3376 activemq_5.6.0+dfsg1-4+deb8u1.dsc
 a0f77bcabb133b7c467855e6d171147fb0909ae70572cac5a3ac2cc1eb8c32c5 1724296 activemq_5.6.0+dfsg1.orig.tar.xz
 95937f9268ad69170686ef85aba938092eb9781137d78b6eea46acfeb03072b0 19980 activemq_5.6.0+dfsg1-4+deb8u1.debian.tar.xz
 4f450ca2724115104c235b86775a86b4cbaaea06c4146413755166c8531ce7ee 3580006 libactivemq-java_5.6.0+dfsg1-4+deb8u1_all.deb
 ad60583d41fbc1397c13d47507c5757adb37371837e288566e7e1e4ff9ea8ceb 3515692 libactivemq-java-doc_5.6.0+dfsg1-4+deb8u1_all.deb
 847aa3aac97efaf9e554a9c42c67e70906d0ae09593c3822d5726038190ae363 49342 activemq_5.6.0+dfsg1-4+deb8u1_all.deb
Files:
 bb9b0214cfa492d1dec62d2dde0abc30 3376 java optional activemq_5.6.0+dfsg1-4+deb8u1.dsc
 e0322c974891a41dc8c73dacb3f032db 1724296 java optional activemq_5.6.0+dfsg1.orig.tar.xz
 e1e4a36949ccc8a3076c744eb3925a2a 19980 java optional activemq_5.6.0+dfsg1-4+deb8u1.debian.tar.xz
 5035bdc318c76746bb7ab5208e2a0174 3580006 java optional libactivemq-java_5.6.0+dfsg1-4+deb8u1_all.deb
 0f353f16feb33d187cb57a827488965a 3515692 doc optional libactivemq-java-doc_5.6.0+dfsg1-4+deb8u1_all.deb
 dfcbf2fccca42002d2a22e1643d16c84 49342 java optional activemq_5.6.0+dfsg1-4+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVwGFmAAoJEPUTxBnkudCsWvMP/iR1CW3LyWTa+k4RfoT532+9
4jj31O2YOky7mxSZhkvMT4j8FlJUjqqfDIqtSYVqZqOR18aslLc4lXwExyBpyYMg
2orAGlyJQzFhkeZZ9BEFiE5QrLIY6TqcqhftHgj2Lch9+rSHnul4SemLzXfPfw57
mM6d+vhiDHYLAhrcf4/JvORfQW0K4jdwl1vRWtxF+D9Lkk4IoBgVg8FI0opE7Xu9
JmGnr3aTlWn5XznN5tGVrrmGTkyCr7rBsDQQTb2qOM0TIdPWshKN96R04VN23PLg
5FQjxu/AdkecgeYfFoKT0GrgT4GXoqAxfaZc0L6DVfloo5rg6IrUdcS8L2aTW2pv
N7tHmw8AzInLvxLP8ha3e5A2zB0kdRNjnrsTS7rj6MLa1sWyk/ZrG4flLr/2QqII
l0PK2s1zrEH1Xzzykbe2+TcePkcLEOAMIpQHIhC70YNEQNdJkpWgtjqLGL0MIRiP
M6PFIgB9MkmaxjNuCwQNvb0g3VGp5z039JnuDf7YNSUFpf/bRd4L9Flf9kOTMCm6
BogWY/mu8b6N0Z9pW7UFJo434flmdWjCAcJ+rYy0zi1aeIT7j/+0xVwNA06no7/L
GkSqfW9t4i3yjDe+rGPVtekMCYTOr1+V7svDecK+0xPZM4kKpdJLxcAMUBR7MZcF
aKRroawC9krZSpyvlFu2
=egZD
-----END PGP SIGNATURE-----

Message #32 received at 792857-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: 792857-close@bugs.debian.org

Subject: Bug#792857: fixed in activemq 5.6.0+dfsg-1+deb7u1

Date: Mon, 10 Aug 2015 18:51:38 +0000

Source: activemq
Source-Version: 5.6.0+dfsg-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 792857@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated activemq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 07 Aug 2015 22:16:39 +0200
Source: activemq
Binary: libactivemq-java libactivemq-java-doc activemq
Architecture: source all
Version: 5.6.0+dfsg-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description: 
 activemq   - Java message broker - server
 libactivemq-java - Java message broker core libraries
 libactivemq-java-doc - Java message broker core libraries - documentation
Closes: 769887 777196 792857
Changes: 
 activemq (5.6.0+dfsg-1+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Fixed security issues (Closes: #777196, #792857)
     - CVE-2014-3612: JAAS LDAPLoginModule allows empty password authentication
     - CVE-2014-3600: XML External Entity expansion when evaluating XPath
       expressions
     - CVE-2014-3576: DoS via unauthenticated remote shutdown command
     - Disable JMX by default (Closes: #769887)
Checksums-Sha1: 
 3774e5093cc7f227364dabd3d64f102dfed034d4 3353 activemq_5.6.0+dfsg-1+deb7u1.dsc
 9dbc1e3b7d01cc54002401c753c9c9502512c6ac 3187408 activemq_5.6.0+dfsg.orig.tar.gz
 d6dcaf964db30d725948ca104d33d4db963f42b8 22896 activemq_5.6.0+dfsg-1+deb7u1.debian.tar.gz
 4f446059f16da15383d6d90b0aebf6b040d957e5 3975514 libactivemq-java_5.6.0+dfsg-1+deb7u1_all.deb
 67de6a9bbd13624cac67e82a357be12f4da0bede 9039896 libactivemq-java-doc_5.6.0+dfsg-1+deb7u1_all.deb
 ef689bb604e73f4bc00f9b83b3937d07a25bc42b 52592 activemq_5.6.0+dfsg-1+deb7u1_all.deb
Checksums-Sha256: 
 6ae1960cc1d8b0c6e2f23aa7049b1e05eb86175f6dcd0847a156eb8c7b06df17 3353 activemq_5.6.0+dfsg-1+deb7u1.dsc
 f6589dae9e2cff7efe144c5bda99f18c1fc2f220b121a3ac9ef92174cb0899a3 3187408 activemq_5.6.0+dfsg.orig.tar.gz
 3882dae19f7fe96bec13a7e379696d495e702ddf21c00b219a44508b7d374a4e 22896 activemq_5.6.0+dfsg-1+deb7u1.debian.tar.gz
 678c7ca0c2fa4151f2b6f4899ec5307f94b3f1f1e2eeb77c2fb4f4caece53a85 3975514 libactivemq-java_5.6.0+dfsg-1+deb7u1_all.deb
 46336dc90a11caf4c54608dbbf67f29d16a41f8cdd7044362e417c32aa028019 9039896 libactivemq-java-doc_5.6.0+dfsg-1+deb7u1_all.deb
 c010d707744f0309336cf5b6218eac98a7d11dc931e5325786505d63448b39fd 52592 activemq_5.6.0+dfsg-1+deb7u1_all.deb
Files: 
 abc540a4988e1d50602e279b22608f4e 3353 java optional activemq_5.6.0+dfsg-1+deb7u1.dsc
 54227cd13c5f73e8ec7e62a0d13d3763 3187408 java optional activemq_5.6.0+dfsg.orig.tar.gz
 85cc41a99e7bffec1414627fa93f939c 22896 java optional activemq_5.6.0+dfsg-1+deb7u1.debian.tar.gz
 72fa0c44ce67f3ef4780aa1aceca612b 3975514 java optional libactivemq-java_5.6.0+dfsg-1+deb7u1_all.deb
 fe4cd7ccdc05ecc646cd0b3790f924ff 9039896 doc optional libactivemq-java-doc_5.6.0+dfsg-1+deb7u1_all.deb
 269bacd1e23a7f9e3a175bf94e21ca0c 52592 java optional activemq_5.6.0+dfsg-1+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJVxRfuAAoJEPUTxBnkudCsVUgP/3WqDVd7jcfLmSOQaCFeghV0
sWpq3Lsa3vhl9zZZ0xAHAFsNpWjzR4dJl7j6PMt6sKlsVA4w+8WK97QYuout/pjQ
KG/meek0deC2EZ5tnlFGRIb9OSXpmoNTzLmFFIjGxBLRjO0iLtpx0iYOVMnOiISx
0fMRXdhNJpR4Bm1Ve8i0c8gVBa8yuUb3WMQ/wAetz83q9DcUr6jO9E5s6AVjsB9g
pNQeJZUial+kCkS/PrguuKMcpMQRk5mf29jZL5uPrQ4dncPBKPbQPVyOBzBoS36A
zlxAV+/fO2h+Wrz0ATtdjlbpivpBvyN6ngo8rrU+F95DoI4hBnu0uyCUfPlI3Eq2
VeDWrNOHvz6CK6gUoStP0W+1IVmaOoRWPmcijoiK/u0dxqvfGZqZhrxt8rPnnTvx
D2ufpDqNPyY8j3cyHIY6yhFX85npIGJS//xXdoq4xCMB8e+s7EWFDajJHrs9sS/A
almUxJJuz+v+iL3joyinmKbdM4aiPbDbtfwpi68J1uDiGoELx+eQ+C4qHiraberE
YgSSpfz5eCKS9vdNxxPOnFFreypD8EItpEwcvVdJfHzx/cG7I0rd7P+HJ/fH/XPt
euhNDg9Be97ecoi3ixseL5c9Ld4jbLdPt1NwvKfA41dgJcIUNTXpFw/63Z0Eq1Zs
G0lyo4gddSLfqbhn7R2k
=80/D
-----END PGP SIGNATURE-----

Message #39 received at 792857@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Emmanuel Bourg <ebourg@apache.org>, 792857@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@debian.org>

Subject: Re: Bug#792857: CVE-2014-3576

Date: Fri, 14 Aug 2015 11:42:02 +0200

Hi Emmanual,

On Wed, Jul 22, 2015 at 03:24:45PM +0200, Emmanuel Bourg wrote:
> The fix has been confirmed by an upstream developer:
> 
> http://mail-archives.apache.org/mod_mbox/activemq-dev/201507.mbox/%3CCAKChZ-TruL3Sm3GW9B3Nr1L3fsxDH_X95rGhm85rfXh9_zVJfg%40mail.gmail.com%3E

Any news on an update for sid->stretch as well?

Regards,
Salvatore

Message #44 received at 792857@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 792857@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@debian.org>

Subject: Re: Bug#792857: CVE-2014-3576

Date: Fri, 14 Aug 2015 11:50:18 +0200

Le 14/08/2015 11:42, Salvatore Bonaccorso a écrit :

> Any news on an update for sid->stretch as well?

I can't do it before the end of the month. I'll combine the fix with an
update to the version 2.7.

Message #49 received at 792857@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Emmanuel Bourg <ebourg@apache.org>

Cc: 792857@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>

Subject: Re: Bug#792857: CVE-2014-3576

Date: Fri, 14 Aug 2015 11:57:40 +0200

Hi Emmanuel,

On Fri, Aug 14, 2015 at 11:50:18AM +0200, Emmanuel Bourg wrote:
> Le 14/08/2015 11:42, Salvatore Bonaccorso a écrit :
> 
> > Any news on an update for sid->stretch as well?
> 
> I can't do it before the end of the month. I'll combine the fix with an
> update to the version 2.7.

I see. I was just asking since the package is scheduled for
autoremoval on 9th of september.

Thanks for your status-update!

Regards,
Salvatore

Send a report that this bug log contains spam.