-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 20 Nov 2023 19:58:59 CET
Source: activemq
Architecture: source
Version: 5.15.16-0+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 dca6377678c1fce1e92b608a2f06ff1956c74ef6 3648 activemq_5.15.16-0+deb10u1.dsc
 9bd1f423c7e208454bf5fd0ed67f00b1080ea1c8 5917548 activemq_5.15.16.orig.tar.gz
 59de8d1f091b427f8072316aaffc9a367b6ddb03 17128 activemq_5.15.16-0+deb10u1.debian.tar.xz
 0233546468cd53d47f184308513533b2ff43535f 16415 activemq_5.15.16-0+deb10u1_amd64.buildinfo
Checksums-Sha256:
 41360e0b12599f2d40405633ed7782baa25e853e561aa8df20ee3f034519c346 3648 activemq_5.15.16-0+deb10u1.dsc
 b9ed733f56d4058e515f00944807976b731769acf40493603f17cbf714f6ea79 5917548 activemq_5.15.16.orig.tar.gz
 b31c928e19a4fcd036acdf22b0f7feaca6699bd9d3820cf4eb723f86c45b4fbd 17128 activemq_5.15.16-0+deb10u1.debian.tar.xz
 b06c463921d14f8133257b9c68d06785774024e428d980be383818f8f7241d95 16415 activemq_5.15.16-0+deb10u1_amd64.buildinfo
Changes:
 activemq (5.15.16-0+deb10u1) buster-security; urgency=high
 .
   * Team upload.
   * New upstream version 5.15.16.
   * Fix CVE-2020-13920: Apache ActiveMQ uses LocateRegistry.createRegistry()
     to create the JMX RMI registry and binds the server to the "jmxrmi"
     entry. It is possible to connect to the registry without authentication
     and call the rebind method to rebind jmxrmi to something else. If an
     attacker creates another server to proxy the original, and bound that,
     he effectively becomes a man in the middle and is able to intercept the
     credentials when a user connects.
   * Fix CVE-2021-26117: The optional ActiveMQ LDAP login module can be
     configured to use anonymous access to the LDAP server. In this case the
     anonymous context is used to verify a valid user's password in error,
     resulting in no check on the password.
   * Fix CVE-2023-46604: The Java OpenWire protocol marshaller is vulnerable
     to Remote Code Execution. This vulnerability may allow a remote attacker
     with network access to either a Java-based OpenWire broker or client to
     run arbitrary shell commands by manipulating serialized class types in
     the OpenWire protocol to cause either the client or the broker
     (respectively) to instantiate any class on the classpath.
Files:
 697ee6f810c92c3f0eb57de2c800d312 3648 java optional activemq_5.15.16-0+deb10u1.dsc
 7e677d52e34707290eed3aaa5b397372 5917548 java optional activemq_5.15.16.orig.tar.gz
 bd5b64751c2b4198a22eb7e7133fd89f 17128 java optional activemq_5.15.16-0+deb10u1.debian.tar.xz
 a74ece61cf2555b8d803d65529080361 16415 java optional activemq_5.15.16-0+deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmVbuOFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkM5cQALtP3Y8myBvJATG4xoQGJrRLzuR2638uTRm3
gvt2679JHlUOF4jZHG4O+3u9gg2sAkmbIck8vIpm0Y8lGHvCWGgoT2RkgK7Npvor
vRT47UtlEKsuP37dhNuDrEK1YG73eY/EbvW2ECsTf0gtiuWxTnkp7YIjeEZAOg7y
3UQQ1Oi6j7YJIVEB7oVpwSaGlzHgDhquNUyHYuHDxIgdz+/khtYnmui5mdL8VIiA
sk1gVg3SMc1rjl9sZ/7JdTQOALqsHPLLvhTRXcBa4KGdEze4wQ3LfZHskrx0sz64
282h4+I+6pJ0PkruU44INkmU8TJrDBFl3eB5RN8Z8Lo0mmShIAwgvKDRkhGKnu7i
ykISHqB8NBpKNV7HvGaCYM4fMGmI6G8BodGHUQnJvjdh8ZIJItbUizNRWH7A9jME
dXsv0chZ1q/9SOtYiUWPkTMJXMN8SPDdN2s4PX1Nn2DgPq38w37l4YU5SiZRqcWy
8AGvOxX+z7xSsnTVwR8TgYwjZSFagcW7FX0KL/7duTyiFvb8idnqZA6K6aeoIOwa
IxJ2FTa/uBiqC80uac+B3hPUpkds5v3bwXfNIirladwFr0uqc4/oHDS/0/oQJ7EY
ZlkgZk4J7OIA8D2cYFcjw/V4jwOHlJl5Y2+fSsp6OofIx4Ix+94SjeteNG+/mVot
6NCve5q+
=LyT2
-----END PGP SIGNATURE-----