Your message dated Sun, 27 Oct 2024 14:32:07 +0000
with message-id <e1t54jl-00gwt8...@fasolo.debian.org>
and subject line Bug#1054909: fixed in activemq 5.17.2+dfsg-2+deb12u1
has caused the Debian Bug report #1054909,
regarding activemq: CVE-2023-46604
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054909
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: grave
X-Debbugs-CC: t...@security.debian.org
Severity: activemq
Tags: security

Hi,

The following vulnerability was published for grave.

CVE-2023-46604[0]:
| Apache ActiveMQ is vulnerable to Remote Code Execution. The
| vulnerability may allow a remote attacker with network access to a
| broker to run arbitrary shell commands by manipulating serialized
| class types in the OpenWire protocol to cause the broker to
| instantiate any class on the classpath. Users are recommended to
| upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes
| this issue.

https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
http://www.openwall.com/lists/oss-security/2023/10/27/5


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46604
    https://www.cve.org/CVERecord?id=CVE-2023-46604

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: activemq
Source-Version: 5.17.2+dfsg-2+deb12u1
Done: Santiago Ruano Rincón <santiag...@riseup.net>

We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Ruano Rincón <santiag...@riseup.net> (supplier of updated activemq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 23 Oct 2024 23:20:32 -0300
Source: activemq
Architecture: source
Version: 5.17.2+dfsg-2+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Santiago Ruano Rincón <santiag...@riseup.net>
Closes: 1054909
Changes:
 activemq (5.17.2+dfsg-2+deb12u1) bookworm-security; urgency=medium
 .
   * CVE-2022-41678: Potential arbitrary code execution via Jolokia
   * CVE-2023-46604: The Java OpenWire protocol marshaller is vulnerable to
     Remote Code Execution (Closes: #1054909).

--- End Message ---
