Accepted activemq 5.15.16-0+deb10u1 (source) into oldoldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted activemq 5.15.16-0+deb10u1 (source) into oldoldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 20 Nov 2023 20:10:21 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: activemq_5.15.16-0+deb10u1_source.changes
- Debian-source: activemq
- Debian-suite: oldoldstable
- Debian-version: 5.15.16-0+deb10u1
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.seger; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=W74ifpbGRJnqH60VBvk+i3zBHWJytroxZa4lY1XwMP8=; b=K2Ogkqp+UckEOlBKPq2jX5n+5L I6JXS9NS8mHdgbLzz+lHoBfPBdc7gasTDMfH12kpJcdGJQdUQV7+oDzxfaIJA9GfaVi8gQTQrUwfm vrBoOQmD83L43sD9uCdkLXksj0Lw9urT3VZdIAlQ/MXFdYQgHDEbC6CibC0fYwIWfMdaXT4R/Szv7 2sboNvAr9fVhk/MaNSfjVp7rMC7qYrEzCazww0kAifTUlwtdbXPmr3s3vU/jrEsqiHxLviTN+G0cv /WKds7WV6zTzlCVxpTVbORMf2F6460DfIGlk2egOBe0xPJEjzrVwvVr6eSCE133Yk0bRR2X5+7Bd0 GtvBj6nQ==;
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1r5Ab7-009suO-8v@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 20 Nov 2023 19:58:59 CET
Source: activemq
Architecture: source
Version: 5.15.16-0+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
dca6377678c1fce1e92b608a2f06ff1956c74ef6 3648 activemq_5.15.16-0+deb10u1.dsc
9bd1f423c7e208454bf5fd0ed67f00b1080ea1c8 5917548 activemq_5.15.16.orig.tar.gz
59de8d1f091b427f8072316aaffc9a367b6ddb03 17128 activemq_5.15.16-0+deb10u1.debian.tar.xz
0233546468cd53d47f184308513533b2ff43535f 16415 activemq_5.15.16-0+deb10u1_amd64.buildinfo
Checksums-Sha256:
41360e0b12599f2d40405633ed7782baa25e853e561aa8df20ee3f034519c346 3648 activemq_5.15.16-0+deb10u1.dsc
b9ed733f56d4058e515f00944807976b731769acf40493603f17cbf714f6ea79 5917548 activemq_5.15.16.orig.tar.gz
b31c928e19a4fcd036acdf22b0f7feaca6699bd9d3820cf4eb723f86c45b4fbd 17128 activemq_5.15.16-0+deb10u1.debian.tar.xz
b06c463921d14f8133257b9c68d06785774024e428d980be383818f8f7241d95 16415 activemq_5.15.16-0+deb10u1_amd64.buildinfo
Changes:
activemq (5.15.16-0+deb10u1) buster-security; urgency=high
.
* Team upload.
* New upstream version 5.15.16.
* Fix CVE-2020-13920:
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI
registry and binds the server to the "jmxrmi" entry. It is possible to
connect to the registry without authentication and call the rebind method
to rebind jmxrmi to something else. If an attacker creates another server
to proxy the original, and bound that, he effectively becomes a man in the
middle and is able to intercept the credentials when an user connects.
* Fix CVE-2021-26117:
The optional ActiveMQ LDAP login module can be configured to use anonymous
access to the LDAP server. In this case the anonymous context is used to
verify a valid users password in error, resulting in no check on the
password.
* Fix CVE-2023-46604:
The Java OpenWire protocol marshaller is vulnerable to Remote Code
Execution. This vulnerability may allow a remote attacker with network
access to either a Java-based OpenWire broker or client to run arbitrary
shell commands by manipulating serialized class types in the OpenWire
protocol to cause either the client or the broker (respectively) to
instantiate any class on the classpath.
Files:
697ee6f810c92c3f0eb57de2c800d312 3648 java optional activemq_5.15.16-0+deb10u1.dsc
7e677d52e34707290eed3aaa5b397372 5917548 java optional activemq_5.15.16.orig.tar.gz
bd5b64751c2b4198a22eb7e7133fd89f 17128 java optional activemq_5.15.16-0+deb10u1.debian.tar.xz
a74ece61cf2555b8d803d65529080361 16415 java optional activemq_5.15.16-0+deb10u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmVbuOFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkM5cQALtP3Y8myBvJATG4xoQGJrRLzuR2638uTRm3
gvt2679JHlUOF4jZHG4O+3u9gg2sAkmbIck8vIpm0Y8lGHvCWGgoT2RkgK7Npvor
vRT47UtlEKsuP37dhNuDrEK1YG73eY/EbvW2ECsTf0gtiuWxTnkp7YIjeEZAOg7y
3UQQ1Oi6j7YJIVEB7oVpwSaGlzHgDhquNUyHYuHDxIgdz+/khtYnmui5mdL8VIiA
sk1gVg3SMc1rjl9sZ/7JdTQOALqsHPLLvhTRXcBa4KGdEze4wQ3LfZHskrx0sz64
282h4+I+6pJ0PkruU44INkmU8TJrDBFl3eB5RN8Z8Lo0mmShIAwgvKDRkhGKnu7i
ykISHqB8NBpKNV7HvGaCYM4fMGmI6G8BodGHUQnJvjdh8ZIJItbUizNRWH7A9jME
dXsv0chZ1q/9SOtYiUWPkTMJXMN8SPDdN2s4PX1Nn2DgPq38w37l4YU5SiZRqcWy
8AGvOxX+z7xSsnTVwR8TgYwjZSFagcW7FX0KL/7duTyiFvb8idnqZA6K6aeoIOwa
IxJ2FTa/uBiqC80uac+B3hPUpkds5v3bwXfNIirladwFr0uqc4/oHDS/0/oQJ7EY
ZlkgZk4J7OIA8D2cYFcjw/V4jwOHlJl5Y2+fSsp6OofIx4Ix+94SjeteNG+/mVot
6NCve5q+
=LyT2
-----END PGP SIGNATURE-----