Hello Tony,

You are right, XStream 1.4.2 is only packaged for stable; testing and unstable ship 1.4.7. Backporting the security fix or upgrading the stable version is still something to consider though.

Thanks,
G.

________________________________________
From: tony mancill <tmanc...@debian.org>
Sent: Monday, November 24, 2014 5:36 AM
To: Georgi Geshev; 770...@bugs.debian.org
Subject: Re: Bug#770780: Apache ActiveMQ Packaged with Old XStream Library

On 11/23/2014 04:54 PM, Georgi Geshev wrote:
> Package: activemq
> Version: 5.6.0+dfsg-1
>
> Apache ActiveMQ as packaged for Debian seems to ship with an old XStream
> (1.4.2) library[1][2] which allows for instantiating arbitrary classes.
> This could be leveraged for system command execution as demonstrated
> against versions before 1.4.7.

Hello Georgi,

Thank you for the bug report. Could you confirm that this bug report is for Debian stable (wheezy)? Debian testing has had xstream 1.4.7 since March of 2014. Therefore, I believe this is a security bug against the version of libxstream-java found in wheezy.

Note that activemq ships a symlink to /usr/share/java/xstream.jar and not the JAR itself, which is installed by the libxstream-java package. If you need an immediate fix, you should be able to install a newer xstream [0] .deb (or symlink to another newer copy of xstream on your system).

Thank you,
tony

[0] https://packages.qa.debian.org/libx/libxstream-java.html
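The thread's practical point is that activemq only carries a symlink, so what matters is which XStream JAR the symlink resolves to. The script below is an added check written for this page, not part of the bug report or of either Debian package: it follows the symlink, reads the JAR's manifest, and reports whether the version predates the 1.4.7 fix. It assumes the JAR's META-INF/MANIFEST.MF carries an Implementation-Version field and that unzip is installed; a constructed sample manifest is included so the parsing and version comparison can be exercised without a JAR.

```shell
#!/bin/sh
# Added example, not from the Debian bug thread or the packages it discusses.
# Assumptions: the JAR path /usr/share/java/xstream.jar (named in the thread),
# an Implementation-Version line in the JAR manifest, and an unzip binary.
set -eu

FIXED_VERSION="1.4.7"   # first XStream release the thread names as fixed

# Constructed sample manifest (not taken from any real JAR) used for self-test.
SAMPLE_MANIFEST="Manifest-Version: 1.0
Implementation-Version: 1.4.2
Created-By: constructed sample"

# Read manifest text on stdin and print the Implementation-Version value.
# Manifest lines are CRLF-terminated, so the carriage return is stripped.
manifest_version() {
    sed -n 's/^Implementation-Version:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# Return 0 when dotted version $1 is older than dotted version $2.
# Components are compared numerically; non-digit suffixes such as
# "-SNAPSHOT" are ignored, and missing components count as 0.
version_older_than() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        # Advance past the consumed component (empty once none remain).
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        # Keep only the leading digits, defaulting to 0.
        ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# Print a verdict for a version string relative to FIXED_VERSION.
verdict_for() {
    if version_older_than "$1" "$FIXED_VERSION"; then
        echo "XStream $1 predates $FIXED_VERSION: upgrade libxstream-java or point the symlink at a newer JAR"
    else
        echo "XStream $1 is at or beyond $FIXED_VERSION"
    fi
}

# Resolve the symlink, extract the manifest from the real JAR, and report.
check_jar() {
    jar="$1"
    command -v unzip >/dev/null 2>&1 || { echo "unzip not installed; cannot read $jar"; return 0; }
    real=$(readlink -f "$jar")
    ver=$(unzip -p "$real" META-INF/MANIFEST.MF | manifest_version)
    echo "$jar -> $real"
    if [ -z "$ver" ]; then
        echo "no Implementation-Version in manifest; inspect $real by hand"
        return 0
    fi
    verdict_for "$ver"
}

# Self-test against the constructed manifest, then the installed JAR if present.
echo "sample manifest: $(printf '%s\n' "$SAMPLE_MANIFEST" | manifest_version)"
XSTREAM_JAR="${1:-/usr/share/java/xstream.jar}"
if [ -r "$XSTREAM_JAR" ]; then
    check_jar "$XSTREAM_JAR"
else
    echo "no JAR at $XSTREAM_JAR; nothing to check (pass a path as the first argument)"
fi
```

Run it with no arguments on a wheezy host to inspect the packaged symlink, or pass another JAR path to check a copy elsewhere on the system. Because the comparison is numeric per component, 1.4.10 correctly sorts after 1.4.7, which a plain string comparison would get wrong.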