Your message dated Thu, 17 Jun 2021 14:44:18 +0900
with message-id <[email protected]>
and subject line It's for wheezy release, should be closed
has caused the Debian Bug report #770780,
regarding Apache ActiveMQ Packaged with Old XStream Library
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
770780: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770780
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: activemq
Version: 5.6.0+dfsg-1

Apache ActiveMQ as packaged for Debian seems to ship with an old XStream 
(1.4.2) library[1][2] which allows for instantiating arbitrary classes. This 
could be leveraged for system command execution as demonstrated against 
versions before 1.4.7.


# dpkg -S /usr/share/activemq/lib/optional/xstream.jar
activemq: /usr/share/activemq/lib/optional/xstream.jar
#

# dpkg -s activemq
Package: activemq
Status: install ok installed
Priority: optional
Section: java
Installed-Size: 217
Maintainer: Debian Java Maintainers <[email protected]>
Architecture: all
Version: 5.6.0+dfsg-1
Depends: adduser (>= 3.11), libactivemq-java (= 5.6.0+dfsg-1), openjdk-6-jre-headless | java6-runtime-headless
Conffiles:
 /etc/default/activemq 3353e02e20e45a2224c1559f7e52e0a7
 /etc/activemq/instances-available/main/log4j.properties 7a52b5daa7fba629b28bc9c05ccc3dc0
 /etc/activemq/instances-available/main/activemq.xml 0d815a59ffa96e5978540ceee4623b56
 /etc/init.d/activemq 8eb32df2af38fce26258548ae04c538b
Description: Java message broker - server
 Apache ActiveMQ is a message broker built around Java Message Service (JMS)
 API : allow sending messages between two or more clients in a loosely coupled,
 reliable, and asynchronous way.
 .
 This message broker supports :
  * JMS 1.1 and J2EE 1.4 with support for transient, persistent, transactional
    and XA messaging
  * Spring Framework, CXF and Axis integration
  * pluggable transport protocols such as in-VM, TCP, SSL, NIO, UDP, multicast,
    JGroups and JXTA
  * persistence using JDBC along with journaling
  * OpenWire (cross language wire protocol) and
    Stomp (Streaming Text Orientated Messaging Protocol) protocols
 .
 This package contains a server installation of ActiveMQ.
Homepage: http://activemq.apache.org
#

# unzip -p /usr/share/activemq/lib/optional/xstream.jar META-INF/maven/com.thoughtworks.xstream/xstream/pom.properties
#POM properties
#Mon May 28 22:20:08 UTC 2012
version=1.4.2
groupId=com.thoughtworks.xstream
debianVersion=debian
type=jar
classifier=
artifactId=xstream
#

[1] http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
[2] http://xstream.codehaus.org/security.html


--- End Message ---
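The version check the report performs by hand (dpkg, unzip, pom.properties), as an added shell example that is not part of the bug report or of the Debian package: it reads the version from a jar's pom.properties and flags anything older than 1.4.7, the fixed release the report names. The function names and the sample pom.properties text are constructed for the example.

```shell
# Added example, not from the bug report: classify an XStream build by the
# version in its pom.properties, with 1.4.7 (the fixed release the report
# cites) as the threshold. Names and the sample data are my own.

# Print the "version=" value from pom.properties text read on stdin.
xstream_version_from_pom() {
    sed -n 's/^version=//p' | head -n 1
}

# Return 0 if dotted version $1 sorts before $2, comparing numerically
# field by field (awk's numeric coercion drops a suffix like "-SNAPSHOT").
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "vulnerable", "ok" or "unknown" for an XStream version string.
classify_xstream_version() {
    if [ -z "$1" ]; then echo unknown
    elif version_older_than "$1" 1.4.7; then echo vulnerable
    else echo ok
    fi
}

# Classify pom.properties text passed as $1.
classify_pom_text() {
    classify_xstream_version "$(printf '%s\n' "$1" | xstream_version_from_pom)"
}

# Classify a jar on disk, extracting pom.properties with unzip as the report does.
check_xstream_jar() {
    pom=$(unzip -p "$1" META-INF/maven/com.thoughtworks.xstream/xstream/pom.properties 2>/dev/null || true)
    printf '%s: %s\n' "$1" "$(classify_pom_text "$pom")"
}
# Constructed sample, modelled on the pom.properties output in the report.
SAMPLE_POM='#POM properties
version=1.4.2
artifactId=xstream'
# Usage: sh check-xstream.sh /usr/share/activemq/lib/optional/xstream.jar
for jar in "$@"; do check_xstream_jar "$jar"; done
```

Run it against every xstream.jar found with dpkg -S or a find over /usr/share; a jar with no pom.properties reports "unknown" and needs a manual look.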
--- Begin Message ---

--- End Message ---
