Your message dated Mon, 02 Jun 2025 16:04:57 +0000
with message-id <[email protected]>
and subject line Bug#1104933: fixed in activemq 5.17.6+dfsg-2
has caused the Debian Bug report #1104933,
regarding activemq: CVE-2025-27533
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1104933: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104933
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: activemq
Version: 5.17.6+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/AMQ-6596
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for activemq.
CVE-2025-27533[0]:
| Memory Allocation with Excessive Size Value vulnerability in Apache
| ActiveMQ. During unmarshalling of OpenWire commands the size value
| of buffers was not properly validated which could lead to excessive
| memory allocation and be exploited to cause a denial of service
| (DoS) by depleting process memory, thereby affecting applications
| and services that rely on the availability of the ActiveMQ broker
| when not using mutual TLS connections. This issue affects Apache
| ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from
| 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not
| affected. Users are recommended to upgrade to version 6.1.6+,
| 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8, which fixes the issue.
| Existing users may implement mutual TLS to mitigate the risk on
| affected brokers.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27533
https://www.cve.org/CVERecord?id=CVE-2025-27533
[1] https://issues.apache.org/jira/browse/AMQ-6596
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
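The defect described in the report above is a generic unmarshalling mistake: a 32-bit size read from the wire is used as an allocation size before anyone checks that the frame can actually contain that many bytes. The following is an added example, written for this page and not taken from ActiveMQ or the Debian package, that models an OpenWire-style sequence of `<int32 size><bytes>` fields (negative size as a null marker). It shows the unchecked reader beside a hardened one that bounds the size by a configured cap and by the bytes remaining in the frame. The cap (`MAX_FRAME_SIZE`), the frame layout, the function names and the sample frames are all assumptions made for the illustration.

```python
"""Length-prefixed buffer unmarshalling: vulnerable and hardened readers.

Added example for illustration only; this is not ActiveMQ code.  It models a
wire format in which each field is a big-endian int32 size followed by that
many bytes, with a negative size meaning "null".
"""
import struct
from typing import Callable, List, Optional, Tuple

# Assumption: a broker-wide cap on any single buffer (100 MiB here).  The real
# value is a deployment choice; the point is that one exists and is enforced
# before allocation.
MAX_FRAME_SIZE = 100 * 1024 * 1024


class UnmarshalError(ValueError):
    """Raised when a frame violates the length constraints."""


def read_buffer_unchecked(data: bytes, offset: int = 0) -> Tuple[Optional[bytes], int]:
    """Vulnerable pattern (the shape of the CVE): the peer-supplied size is
    used directly as an allocation size.  A 4-byte frame can make the reader
    allocate gigabytes before it notices that no payload follows."""
    (size,) = struct.unpack_from(">i", data, offset)
    offset += 4
    if size < 0:                      # null marker
        return None, offset
    buf = bytearray(size)             # allocation driven entirely by the peer
    chunk = data[offset:offset + size]
    buf[:len(chunk)] = chunk          # whatever did arrive; the rest stays zero
    return bytes(buf), offset + size


def read_buffer_checked(data: bytes, offset: int = 0,
                        max_size: int = MAX_FRAME_SIZE) -> Tuple[Optional[bytes], int]:
    """Hardened pattern: validate the size against a fixed cap *and* against
    the bytes actually present, and only then touch memory."""
    if offset + 4 > len(data):
        raise UnmarshalError("truncated size field")
    (size,) = struct.unpack_from(">i", data, offset)
    offset += 4
    if size < 0:
        return None, offset
    if size > max_size:
        raise UnmarshalError(f"buffer size {size} exceeds cap {max_size}")
    remaining = len(data) - offset
    if size > remaining:
        raise UnmarshalError(f"buffer size {size} exceeds {remaining} bytes remaining in frame")
    return bytes(data[offset:offset + size]), offset + size


Reader = Callable[[bytes, int], Tuple[Optional[bytes], int]]


def unmarshal_buffers(frame: bytes, reader: Reader) -> List[Optional[bytes]]:
    """Read every length-prefixed field in `frame` with the given reader."""
    fields: List[Optional[bytes]] = []
    offset = 0
    while offset < len(frame):
        buf, offset = reader(frame, offset)
        fields.append(buf)
    return fields


def classify_frame(frame: bytes) -> str:
    """Return 'ok' or the reason the hardened reader rejects the frame."""
    try:
        unmarshal_buffers(frame, read_buffer_checked)
        return "ok"
    except UnmarshalError as exc:
        return f"rejected: {exc}"


def make_frame(*bufs: Optional[bytes]) -> bytes:
    """Encode fields in the assumed wire layout (None -> size -1)."""
    parts = []
    for b in bufs:
        parts.append(struct.pack(">i", -1) if b is None
                     else struct.pack(">i", len(b)) + b)
    return b"".join(parts)


# Constructed sample frames (not captured traffic).
BENIGN_FRAME = make_frame(b"queue://orders", None, b'{"id": 1}')
# Declares a 16 MiB buffer but carries no payload: under the cap, so only the
# remaining-bytes check catches it.
HOSTILE_FRAME = struct.pack(">i", 16 * 1024 * 1024)
# Declares INT32_MAX: caught by the cap before any allocation.
HUGE_FRAME = struct.pack(">i", 0x7FFFFFFF)


if __name__ == "__main__":
    print(unmarshal_buffers(BENIGN_FRAME, read_buffer_checked))
    print(classify_frame(HOSTILE_FRAME))
    print(classify_frame(HUGE_FRAME))
    # The unchecked reader allocates 16 MiB for a 4-byte frame; with HUGE_FRAME
    # it would try to allocate 2 GiB, so that call is deliberately not made.
    print(len(read_buffer_unchecked(HOSTILE_FRAME)[0]))
```

Two checks are needed, not one: the cap alone lets a frame that declares a size just under the limit still cost the full limit in memory per connection, and the remaining-bytes check alone is only meaningful when the whole frame is buffered first (a streaming reader has to enforce the cap). The mutual-TLS mitigation the advisory mentions does nothing to the parser; it only restricts which peers can reach it.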
--- Begin Message ---
Source: activemq
Source-Version: 5.17.6+dfsg-2
Done: Emmanuel Arias <[email protected]>
We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Arias <[email protected]> (supplier of updated activemq package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 29 May 2025 16:29:53 -0300
Source: activemq
Architecture: source
Version: 5.17.6+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Emmanuel Arias <[email protected]>
Closes: 1104933
Changes:
activemq (5.17.6+dfsg-2) unstable; urgency=medium
.
[ Pierre Gruet ]
* Removing the patch about missing Maven artifact as libxstream-java now
properly declares the classpath of its jar
.
[ Emmanuel Arias ]
* CVE-2025-27533: Avoid memory allocation with excessive size value during
unmarshalling of OpenWire commands. The size value of buffers was not
properly validated which could lead to excessive memory allocation
and be exploited to cause a denial of service (Closes: #1104933).
- d/control: Add libjavassist-java as build dependency. It is needed for
the patch.
* d/control: Add myself to Uploaders.
Checksums-Sha1:
b094c4c9a8370796f55f64508e8fc87a590a86a5 3605 activemq_5.17.6+dfsg-2.dsc
2dd2c7746e3be1e0d648c7276d436feca7e2235d 27968 activemq_5.17.6+dfsg-2.debian.tar.xz
18c0a3f945796edce2fcdc35b5311975f1ffc089 18889 activemq_5.17.6+dfsg-2_amd64.buildinfo
Checksums-Sha256:
169caefb8ae24ad6c4e63a539a745901eb59dd2d01dc58955d72116bb59cb5f8 3605 activemq_5.17.6+dfsg-2.dsc
b7743fece6e99c697bb64754ea98f6fe8704817f7d58ce9bbaba22df47c365ea 27968 activemq_5.17.6+dfsg-2.debian.tar.xz
a2eae3f55bbe5da6508f01288f7cf324b9aaee4805d3ac0ef827534c56d53e40 18889 activemq_5.17.6+dfsg-2_amd64.buildinfo
Files:
9e8331b5f6fae3dfe52c05461259459a 3605 java optional activemq_5.17.6+dfsg-2.dsc
b38bb184cc4adc0e0508d003f1e77800 27968 java optional activemq_5.17.6+dfsg-2.debian.tar.xz
41e666d9faf7388d2d46647fb29fd347 18889 java optional activemq_5.17.6+dfsg-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=iJ1T
-----END PGP SIGNATURE-----
--- End Message ---
--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.