--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package activemq/5.6.0+dfsg1-4+deb8u2
- From: Markus Koschany <apo@debian.org>
- Date: Tue, 25 Apr 2017 21:27:42 +0200
- Message-id: <149314846231.20641.13193948586446242055.reportbug@conan>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I would like to fix CVE-2015-7559 for Jessie. The security team marked
this issue as no-dsa. Please find attached the debdiff.
Regards,
Markus
diff -Nru activemq-5.6.0+dfsg1/debian/changelog activemq-5.6.0+dfsg1/debian/changelog
--- activemq-5.6.0+dfsg1/debian/changelog 2016-03-18 22:24:26.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/changelog 2017-04-25 21:01:20.000000000 +0200
@@ -1,3 +1,11 @@
+activemq (5.6.0+dfsg1-4+deb8u3) jessie; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2015-7599:
+ DoS in activemq-core via shutdown command. (Closes: #860866)
+
+ -- Markus Koschany <apo@debian.org> Tue, 25 Apr 2017 21:01:20 +0200
+
activemq (5.6.0+dfsg1-4+deb8u2) jessie-security; urgency=high
* Team upload.
diff -Nru activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch
--- activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch 1970-01-01 01:00:00.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch 2017-04-25 21:01:20.000000000 +0200
@@ -0,0 +1,47 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 25 Apr 2017 20:59:50 +0200
+Subject: CVE-2015-7559
+
+Bug-Debian: https://bugs.debian.org/860866
+Bug-Upstream: https://issues.apache.org/jira/browse/AMQ-6470
+Origin: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=b8fc78e
+---
+ .../java/org/apache/activemq/ActiveMQConnection.java | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java b/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
+index 57ca8f1..d5797d6 100755
+--- a/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
++++ b/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
+@@ -1860,7 +1860,6 @@ public class ActiveMQConnection implements Connection, TopicConnection, QueueCon
+
+ @Override
+ public Response processControlCommand(ControlCommand command) throws Exception {
+- onControlCommand(command);
+ return null;
+ }
+
+@@ -2296,23 +2295,6 @@ public class ActiveMQConnection implements Connection, TopicConnection, QueueCon
+ inputStreams.remove(stream);
+ }
+
+- protected void onControlCommand(ControlCommand command) {
+- String text = command.getCommand();
+- if (text != null) {
+- if ("shutdown".equals(text)) {
+- LOG.info("JVM told to shutdown");
+- System.exit(0);
+- }
+- if (false && "close".equals(text)){
+- LOG.error("Broker " + getBrokerInfo() + "shutdown connection");
+- try {
+- close();
+- } catch (JMSException e) {
+- }
+- }
+- }
+- }
+-
+ protected void onConnectionControl(ConnectionControl command) {
+ if (command.isFaultTolerant()) {
+ this.optimizeAcknowledge = false;
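Review bot: After this patch `processControlCommand` drops every ControlCommand and returns null, but nothing in the method says the no-op is deliberate. A comment such as `// Deliberately ignored: the client must not act on control commands received over the wire (CVE-2015-7559).` would keep a later refactor from restoring the `System.exit(0)` path. Because the command is now discarded without a trace, a line like `LOG.debug("Ignoring control command received from broker");` would give operators something to alert on if a peer keeps sending them. The removed `onControlCommand` was `protected`, so a subclass outside this diff that overrides or calls it would stop compiling; that may be worth a quick search before a stable upload. Separately, the patch file name and its Subject say CVE-2015-7559 while the new debian/changelog entry says CVE-2015-7599, which looks like a transposition and should be corrected so the upload is findable under the right identifier.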
diff -Nru activemq-5.6.0+dfsg1/debian/patches/series activemq-5.6.0+dfsg1/debian/patches/series
--- activemq-5.6.0+dfsg1/debian/patches/series 2016-03-18 22:24:26.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/patches/series 2017-04-25 21:01:20.000000000 +0200
@@ -11,3 +11,4 @@
CVE-2014-3612.patch
CVE-2014-3576.patch
CVE-2015-5254.patch
+CVE-2015-7559.patch
--- End Message ---