Source: activemq
Version: 5.16.0-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/AMQ-8035
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for activemq.

CVE-2021-26117[0]:
| The optional ActiveMQ LDAP login module can be configured to use
| anonymous access to the LDAP server. In this case, for Apache ActiveMQ
| Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions
| 5.16.1 and 5.15.14, the anonymous context is used to verify a valid
| users password in error, resulting in no check on the password.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-26117
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26117
[1] https://issues.apache.org/jira/browse/AMQ-8035
[2] https://www.openwall.com/lists/oss-security/2021/01/27/6
[3] https://gitbox.apache.org/repos/asf?p=activemq.git;h=c9f68f4c64b2687eee283b95538753665d2b229b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
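
Added example, not part of the original report and not ActiveMQ code: a toy in-memory model of the flaw described in the CVE text, where the password check runs on the anonymous context, next to a variant that performs a separate simple bind as the user. The directory contents, all class and function names, and the way the anonymous setting is carried over are assumptions made for illustration.

```python
# Toy model of LDAP bind semantics; constructed data, no real server involved.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "correct-horse"}


class AuthError(Exception):
    pass


class ToyLdapContext:
    """Hypothetical stand-in for a directory context: auth is 'none' or 'simple'."""

    def __init__(self, auth="none", principal=None, credentials=None):
        self.env = {"auth": auth, "principal": principal, "credentials": credentials}

    def operation(self):
        """Every request is authorised from the current environment."""
        if self.env["auth"] == "none":
            return True  # anonymous: principal and credentials are ignored
        dn, pw = self.env["principal"], self.env["credentials"]
        if not pw or DIRECTORY.get(dn) != pw:
            raise AuthError("invalid credentials")
        return True

    def search_dn(self, uid):
        self.operation()
        dn = f"uid={uid},ou=people,dc=example,dc=org"
        return dn if dn in DIRECTORY else None


def login_vulnerable(uid, password):
    ctx = ToyLdapContext(auth="none")  # login module configured for anonymous access
    dn = ctx.search_dn(uid)
    if dn is None:
        return False
    # Assumed mechanism: credentials are set on the same context, but it is
    # still anonymous, so the "verification" request never checks them.
    ctx.env.update(principal=dn, credentials=password)
    try:
        return ctx.operation()
    except AuthError:
        return False


def login_fixed(uid, password):
    dn = ToyLdapContext(auth="none").search_dn(uid)  # anonymous lookup only
    if dn is None or not password:
        return False
    try:
        # Separate context that must authenticate as the user with a simple bind.
        return ToyLdapContext("simple", dn, password).operation()
    except AuthError:
        return False
```

A deployment check after upgrading follows the same shape: with anonymous access configured, a login for an existing user with a wrong password must be rejected.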