Your message dated Tue, 02 Mar 2021 16:33:27 +0000
with message-id <[email protected]>
and subject line Bug#982590: fixed in activemq 5.16.1-1
has caused the Debian Bug report #982590,
regarding activemq: CVE-2021-26117
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
982590: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982590
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: activemq
Version: 5.16.0-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/AMQ-8035
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for activemq.

CVE-2021-26117[0]:
| The optional ActiveMQ LDAP login module can be configured to use
| anonymous access to the LDAP server. In this case, for Apache ActiveMQ
| Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions
| 5.16.1 and 5.15.14, the anonymous context is used to verify a valid
| user's password in error, resulting in no check on the password.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-26117
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26117
[1] https://issues.apache.org/jira/browse/AMQ-8035
[2] https://www.openwall.com/lists/oss-security/2021/01/27/6
[3] https://gitbox.apache.org/repos/asf?p=activemq.git;h=c9f68f4c64b2687eee283b95538753665d2b229b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
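
The flaw class described in the CVE text above, as an added example that is not part of the original report and is not ActiveMQ's Java code: a small Python model in which the password check either reuses the module's configured (possibly anonymous) bind mode or always binds as the user. `FakeDirectory`, `login_flawed`, `login_hardened`, `regression_matrix` and the sample DN and password are hypothetical names and constructed data.

```python
# Added illustration: a constructed in-memory model, not ActiveMQ's Java code.

class BindError(Exception):
    """Raised when the directory refuses a bind."""

class FakeDirectory:
    """Hypothetical stand-in for an LDAP server holding DN -> password."""
    def __init__(self, users):
        self._users = dict(users)

    def bind(self, auth_mode, dn=None, password=None):
        if auth_mode == "none":
            # Anonymous bind: any DN or password passed along is ignored.
            return "anonymous"
        if auth_mode == "simple":
            if password and self._users.get(dn) == password:
                return dn
            raise BindError("invalid credentials")
        raise BindError("unsupported authentication mode")

def login_flawed(directory, configured_mode, dn, password):
    """Verify the password using the module's configured bind mode."""
    try:
        directory.bind(configured_mode, dn, password)  # "none" never checks
        return True
    except BindError:
        return False

def login_hardened(directory, configured_mode, dn, password):
    """configured_mode governs lookups only; the password check always
    performs a simple bind as the user and requires it to succeed."""
    try:
        return directory.bind("simple", dn, password) == dn
    except BindError:
        return False

# Constructed sample data.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY = FakeDirectory({ALICE: "correct-horse"})

def regression_matrix():
    """(flawed, hardened) outcome for each config/password combination."""
    return {
        (mode, pw): (login_flawed(DIRECTORY, mode, ALICE, pw),
                     login_hardened(DIRECTORY, mode, ALICE, pw))
        for mode in ("none", "simple")
        for pw in ("correct-horse", "wrong")
    }
```

The `("none", "wrong")` row is the regression case to keep in a test suite for any login module that supports anonymous directory access.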
--- Begin Message ---
Source: activemq
Source-Version: 5.16.1-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
activemq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated activemq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Mar 2021 17:08:31 +0100
Source: activemq
Architecture: source
Version: 5.16.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 982590
Changes:
 activemq (5.16.1-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 5.16.1.
     - Fix CVE-2021-26117: no check on LDAP user password (Closes: #982590)
       Thanks to Salvatore Bonaccorso for the report.
   * Declare compliance with Debian Policy 4.5.1.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
