Markus Koschany pushed to branch buster at Debian Java Maintainers / activemq
Commits: 5d9cde5a by Arturo Borrero Gonzalez at 2024-11-24T18:23:09+01:00 d/: add gitlab-ci.yaml file To enable CI on gitlab. Signed-off-by: Arturo Borrero Gonzalez <[email protected]> - - - - - 5ecbd7de by Arturo Borrero Gonzalez at 2024-11-24T18:24:17+01:00 CI: rename config file to d/salsa-ci.yml Which is the default in salsa.d.o. Signed-off-by: Arturo Borrero Gonzalez <[email protected]> - - - - - 9f5a10b6 by Arturo Borrero Gonzalez at 2024-11-24T18:39:31+01:00 activemq: add patch for CVE-2022-41678 New patch to fix CVE-2022-41678. Signed-off-by: Arturo Borrero Gonzalez <[email protected]> - - - - - 64cf2778 by Arturo Borrero Gonzalez at 2024-11-25T23:05:25+01:00 d/changelog: generate entry for 5.15.16-0+deb10u2 buster-security New changelog entry. Git-Dch: Ignore Signed-off-by: Arturo Borrero Gonzalez <[email protected]> - - - - - 4 changed files: - debian/changelog - + debian/patches/CVE-2022-41678.patch - debian/patches/series - + debian/salsa-ci.yml Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,11 @@ +activemq (5.15.16-0+deb10u2) buster-security; urgency=medium + + * Non-maintainer upload by the ELTS Security Team. + * activemq: enable salsa-ci + * activemq: add patch to fix CVE-2022-41678 + + -- Arturo Borrero Gonzalez <[email protected]> Mon, 25 Nov 2024 23:03:59 +0100 + activemq (5.15.16-0+deb10u1) buster-security; urgency=high * Team upload. ===================================== debian/patches/CVE-2022-41678.patch ===================================== 
@@ -0,0 +1,65 @@ +Origin: https://github.com/apache/activemq/commit/5c8d457d9fcef194ea89f969b822850837143c5f + +From 5c8d457d9fcef194ea89f969b822850837143c5f Mon Sep 17 00:00:00 2001 +From: "Christopher L. Shannon (cshannon)" <[email protected]> +Date: Wed, 1 Feb 2023 07:04:56 -0500 +Subject: [PATCH] AMQ-9201 - Update Jolokia default access configuration + +(cherry picked from commit 6120169e563b55323352431dfe9ac67a8b4de6c2) +--- + .../api/WEB-INF/classes/jolokia-access.xml | 34 ++++++++++++++++++- + 1 file changed, 33 insertions(+), 1 deletion(-) + +diff --git a/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml b/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml +index 8cad1cd40e4..97b099a5b7f 100644 +--- a/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml ++++ b/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml +@@ -22,8 +22,35 @@ + <strict-checking/> + </cors> + +- <!-- deny calling operations or getting attributes from these mbeans --> ++ <!-- By default don't allow write or exec operations --> ++ <commands> ++ <command>read</command> ++ <command>list</command> ++ <command>version</command> ++ <command>search</command> ++ </commands> ++ ++ <allow> ++ <!-- Allow all operations for the broker itself --> ++ <mbean> ++ <name>org.apache.activemq:*</name> ++ <attribute>*</attribute> ++ <operation>*</operation> ++ </mbean> ++ <!-- Allow all operations for Jolokia Config --> ++ <mbean> ++ <name>jolokia:type=Config</name> ++ <operation>*</operation> ++ </mbean> ++ </allow> ++ ++ <!-- deny all operations or getting attributes from these mbeans --> + <deny> ++ <mbean> ++ <name>org.apache.logging.log4j2:*</name> ++ <attribute>*</attribute> ++ <operation>*</operation> ++ </mbean> + <mbean> + <name>com.sun.management:type=DiagnosticCommand</name> + <attribute>*</attribute> +@@ -34,6 +61,11 @@ + <attribute>*</attribute> + <operation>*</operation> + </mbean> ++ <mbean> ++ 
<name>jdk.management.jfr:type=FlightRecorder</name> ++ <attribute>*</attribute> ++ <operation>*</operation> ++ </mbean> + </deny> + + </restrict> ===================================== debian/patches/series ===================================== @@ -5,3 +5,4 @@ disable-broker-test-dependency.patch enable-activemq-jdbc-store-module.patch maven-xbean-plugin.patch java11.patch +CVE-2022-41678.patch ===================================== debian/salsa-ci.yml ===================================== @@ -0,0 +1,3 @@ +--- +include: + - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/buster.yml View it on GitLab: https://salsa.debian.org/java-team/activemq/-/compare/6ab409cda9022ce5ac7d80da820fb2df2216b5c2...64cf277854c98e9224890c2f51c6426fa00d4771
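Review bot: the new 5.15.16-0+deb10u2 entry in debian/changelog says only "add patch to fix CVE-2022-41678" and gives an administrator no hint that the default Jolokia access policy changes. The patch comment states "By default don't allow write or exec operations", so the entry should name jolokia-access.xml and that behaviour change, letting someone who sees a Jolokia request rejected after the upgrade trace it to this upload. The entry also uses urgency=medium while the previous buster-security entry below it uses urgency=high; if the lower urgency is deliberate, leave it, otherwise align the two.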
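Review bot: nothing in this push shows that assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml, the only file debian/patches/CVE-2022-41678.patch modifies, ends up in a binary package; the four changed files touch no install or packaging rules. Please confirm the built package ships this file, and say so in the patch header, because if it does not, the upload records the CVE as fixed without changing any installed policy. Two smaller points on the same file: the header carries only an Origin field ahead of the upstream mail headers, so a short Description and a Bug reference (the subject already names AMQ-9201) would help later reviewers; and the added allow block grants attribute * and operation * on org.apache.activemq:* plus operation * on jolokia:type=Config, so the "don't allow write or exec" default applies only to MBeans outside those names, which is worth one sentence in the description.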
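Review bot: the single include in debian/salsa-ci.yml is a bare URL to raw/master of lts-team/pipeline with no comment, so the CI definition for this security branch follows whatever that remote file contains at pipeline time. If tracking the LTS team's buster recipe is the intent, add a one-line comment above include: saying so; if reproducible CI runs matter for this branch, reference a fixed revision of recipes/buster.yml instead of master.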

