Source: activemq Version: 5.17.6+dfsg-1 Severity: grave Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/AMQ-6596 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for activemq. CVE-2025-27533[0]: | Memory Allocation with Excessive Size Value vulnerability in Apache | ActiveMQ. During unmarshalling of OpenWire commands the size value | of buffers was not properly validated which could lead to excessive | memory allocation and be exploited to cause a denial of service | (DoS) by depleting process memory, thereby affecting applications | and services that rely on the availability of the ActiveMQ broker | when not using mutual TLS connections. This issue affects Apache | ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from | 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not | affected. Users are recommended to upgrade to version 6.1.6+, | 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue. | Existing users may implement mutual TLS to mitigate the risk on | affected brokers. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-27533 https://www.cve.org/CVERecord?id=CVE-2025-27533 [1] https://issues.apache.org/jira/browse/AMQ-6596 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
