[activemq] 03/04: Fixed CVE-2014-3576 (Closes: #792857)

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Fri Aug 7 21:39:48 UTC 2015


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch wheezy
in repository activemq.

commit 66f2c6040322ff17c8450cb834254ffdc28e9ad8
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Mon Aug 3 21:31:23 2015 +0200

    Fixed CVE-2014-3576 (Closes: #792857)
---
 debian/changelog                   |  2 ++
 debian/patches/CVE-2014-3576.patch | 15 +++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 18 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 167ee02..6413504 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ activemq (5.6.0+dfsg-1+deb7u1) unstable; urgency=high
     - CVE-2014-3612: JAAS LDAPLoginModule allows empty password authentication
     - CVE-2014-3600: XML External Entity expansion when evaluating XPath
       expressions
+  * Fixed CVE-2014-3576: DoS via unauthenticated remote shutdown command
+    (Closes: #792857)
 
  -- Emmanuel Bourg <ebourg at apache.org>  Fri, 21 Nov 2014 13:12:01 +0100
 
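Review bot: the new entry is appended to the existing 5.6.0+dfsg-1+deb7u1 stanza, whose header line still reads "unstable; urgency=high" and whose trailer is still dated Fri, 21 Nov 2014. For a commit on the wheezy branch, check that the distribution field names the suite this upload actually targets and refresh the trailer date before uploading. If 5.6.0+dfsg-1+deb7u1 has already been uploaded, the CVE-2014-3576 fix needs its own version stanza rather than an addition to this one.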
diff --git a/debian/patches/CVE-2014-3576.patch b/debian/patches/CVE-2014-3576.patch
new file mode 100644
index 0000000..1082882
--- /dev/null
+++ b/debian/patches/CVE-2014-3576.patch
@@ -0,0 +1,15 @@
+Description: Fix for CVE-2014-3576: DoS via unauthenticated remote shutdown command 
+Origin: backport, https://github.com/apache/activemq/commit/00921f2
+--- a/activemq-core/src/main/java/org/apache/activemq/broker/TransportConnection.java
++++ b/activemq-core/src/main/java/org/apache/activemq/broker/TransportConnection.java
+@@ -1408,10 +1408,6 @@
+     }
+ 
+     public Response processControlCommand(ControlCommand command) throws Exception {
+-        String control = command.getCommand();
+-        if (control != null && control.equals("shutdown")) {
+-            System.exit(0);
+-        }
+         return null;
+     }
+ 
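Review bot: the patch header at the top of CVE-2014-3576.patch carries no Bug-Debian field even though the commit closes #792857, and its Description line ends with a trailing space. Adding a line such as "Bug-Debian: https://bugs.debian.org/792857" would let the patch be traced back to the bug without the changelog. The Origin URL uses the abbreviated hash 00921f2; the full upstream commit hash would be more robust for later audits. The inner hunk itself is minimal and leaves processControlCommand returning null for every ControlCommand, which matches the stated intent of removing the unauthenticated "shutdown" path.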
diff --git a/debian/patches/series b/debian/patches/series
index 3ab28cb..febce4e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ exclude_mqtt.diff
 exclude_leveldb.diff
 CVE-2014-3600.patch
 CVE-2014-3612.patch
+CVE-2014-3576.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/activemq.git


