[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#861200: marked as done (jessie-pu: package activemq/5.6.0+dfsg1-4+deb8u2)

Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #861200,
regarding jessie-pu: package activemq/5.6.0+dfsg1-4+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861200
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to fix CVE-2015-7599 for Jessie. The security team marked
this issue as no-dsa. Please find attached the debdiff.

Regards,

Markus

diff -Nru activemq-5.6.0+dfsg1/debian/changelog activemq-5.6.0+dfsg1/debian/changelog
--- activemq-5.6.0+dfsg1/debian/changelog	2016-03-18 22:24:26.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/changelog	2017-04-25 21:01:20.000000000 +0200
@@ -1,3 +1,11 @@
+activemq (5.6.0+dfsg1-4+deb8u3) jessie; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2015-7599:
+    DoS in activemq-core via shutdown command. (Closes: #860866)
+
+ -- Markus Koschany <apo@debian.org>  Tue, 25 Apr 2017 21:01:20 +0200
+
 activemq (5.6.0+dfsg1-4+deb8u2) jessie-security; urgency=high
 
   * Team upload.
diff -Nru activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch
--- activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch	1970-01-01 01:00:00.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/patches/CVE-2015-7559.patch	2017-04-25 21:01:20.000000000 +0200
@@ -0,0 +1,47 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 25 Apr 2017 20:59:50 +0200
+Subject: CVE-2015-7559
+
+Bug-Debian: https://bugs.debian.org/860866
+Bug-Upstream: https://issues.apache.org/jira/browse/AMQ-6470
+Origin: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=b8fc78e
+---
+ .../java/org/apache/activemq/ActiveMQConnection.java   | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java b/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
+index 57ca8f1..d5797d6 100755
+--- a/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
++++ b/activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java
+@@ -1860,7 +1860,6 @@ public class ActiveMQConnection implements Connection, TopicConnection, QueueCon
+ 
+                     @Override
+                     public Response processControlCommand(ControlCommand command) throws Exception {
+-                        onControlCommand(command);
+                         return null;
+                     }
+ 
+@@ -2296,23 +2295,6 @@ public class ActiveMQConnection implements Connection, TopicConnection, QueueCon
+         inputStreams.remove(stream);
+     }
+ 
+-    protected void onControlCommand(ControlCommand command) {
+-        String text = command.getCommand();
+-        if (text != null) {
+-            if ("shutdown".equals(text)) {
+-                LOG.info("JVM told to shutdown");
+-                System.exit(0);
+-            }
+-            if (false && "close".equals(text)){
+-                LOG.error("Broker " + getBrokerInfo() + "shutdown connection");
+-                try {
+-                    close();
+-                } catch (JMSException e) {
+-                }
+-            }
+-        }
+-    }
+-
+     protected void onConnectionControl(ConnectionControl command) {
+         if (command.isFaultTolerant()) {
+             this.optimizeAcknowledge = false;
diff -Nru activemq-5.6.0+dfsg1/debian/patches/series activemq-5.6.0+dfsg1/debian/patches/series
--- activemq-5.6.0+dfsg1/debian/patches/series	2016-03-18 22:24:26.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/patches/series	2017-04-25 21:01:20.000000000 +0200
@@ -11,3 +11,4 @@
 CVE-2014-3612.patch
 CVE-2014-3576.patch
 CVE-2015-5254.patch
+CVE-2015-7559.patch

--- End Message ---
--- Begin Message --- 
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---
Reply to: