[Git][java-team/activemq][stretch] Import Debian changes 5.14.3-3+deb9u2
Markus Koschany
gitlab at salsa.debian.org
Mon Mar 8 07:53:43 GMT 2021
Markus Koschany pushed to branch stretch at Debian Java Maintainers / activemq
Commits:
3985e0c5 by Abhijith PA at 2021-03-08T08:53:29+01:00
Import Debian changes 5.14.3-3+deb9u2
activemq (5.14.3-3+deb9u2) stretch-security; urgency=medium
..
* Non-maintainer upload by the LTS Security Team.
* Fix
- CVE-2017-15709: information leak.
- CVE-2018-11775: add TLS hostname verification and enable by
default.
- CVE-2021-26117: anonymous access context is used to verify a
valid users password in error.
- CVE-2019-0222: unmarshalling corrupt MQTT frame can lead to
broker Out of Memory exception making it unresponsive.
- - - - -
5 changed files:
- debian/changelog
- + debian/patches/CVE-2017-15709.patch
- + debian/patches/CVE-2018-11775.patch
- + debian/patches/CVE-2021-26117.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+activemq (5.14.3-3+deb9u2) stretch-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Fix
+ - CVE-2017-15709: information leak.
+ - CVE-2018-11775: add TLS hostname verification and enable by
+ default.
+ - CVE-2021-26117: anonymous access context is used to verify a
+ valid users password in error.
+ - CVE-2019-0222: unmarshalling corrupt MQTT frame can lead to
+ broker Out of Memory exception making it unresponsive.
+
+ -- Abhijith PA <abhijith at debian.org> Wed, 03 Mar 2021 21:48:29 +0530
+
activemq (5.14.3-3+deb9u1) stretch-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2017-15709.patch
=====================================
@@ -0,0 +1,200 @@
+From: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
+Date: Tue, 2 Mar 2021 14:44:58 +0000
+Subject: CVE-2017-15709
+
+ Information leak.
+
+Author: Abhijith PA <abhijith at debian.org>
+Origin: https://github.com/apache/activemq/commit/d2e49be3a8f21d862726c1f6bc9e1caa6ee8b581
+Last-Update: 2021-02-24
+---
+ .../activemq/ActiveMQConnectionMetaData.java | 1 +
+ .../activemq/openwire/OpenWireFormatFactory.java | 15 ++-
+ .../openwire/WireFormatInfoPropertiesTest.java | 101 +++++++++++----------
+ 3 files changed, 68 insertions(+), 49 deletions(-)
+
+diff --git a/activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionMetaData.java b/activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionMetaData.java
+index ff6c38f..2c4ee2b 100755
+--- a/activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionMetaData.java
++++ b/activemq-client/src/main/java/org/apache/activemq/ActiveMQConnectionMetaData.java
+@@ -34,6 +34,7 @@ public final class ActiveMQConnectionMetaData implements ConnectionMetaData {
+ public static final int PROVIDER_MINOR_VERSION;
+ public static final String PROVIDER_NAME = "ActiveMQ";
+ public static final String PLATFORM_DETAILS;
++ public static final String DEFAULT_PLATFORM_DETAILS = "Java";
+
+ public static final ActiveMQConnectionMetaData INSTANCE = new ActiveMQConnectionMetaData();
+
+diff --git a/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireFormatFactory.java b/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireFormatFactory.java
+index ba6d643..83bd47a 100755
+--- a/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireFormatFactory.java
++++ b/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireFormatFactory.java
+@@ -44,8 +44,10 @@ public class OpenWireFormatFactory implements WireFormatFactory {
+ private String host=null;
+ private String providerName = ActiveMQConnectionMetaData.PROVIDER_NAME;
+ private String providerVersion = ActiveMQConnectionMetaData.PROVIDER_VERSION;
+- private String platformDetails = ActiveMQConnectionMetaData.PLATFORM_DETAILS;
++ private String platformDetails = ActiveMQConnectionMetaData.DEFAULT_PLATFORM_DETAILS;
++ private boolean includePlatformDetails = false;
+
++ @Override
+ public WireFormat createWireFormat() {
+ WireFormatInfo info = new WireFormatInfo();
+ info.setVersion(version);
+@@ -65,6 +67,9 @@ public class OpenWireFormatFactory implements WireFormatFactory {
+ }
+ info.setProviderName(providerName);
+ info.setProviderVersion(providerVersion);
++ if (includePlatformDetails) {
++ platformDetails = ActiveMQConnectionMetaData.PLATFORM_DETAILS;
++ }
+ info.setPlatformDetails(platformDetails);
+ } catch (Exception e) {
+ IllegalStateException ise = new IllegalStateException("Could not configure WireFormatInfo");
+@@ -190,4 +195,12 @@ public class OpenWireFormatFactory implements WireFormatFactory {
+ public void setPlatformDetails(String platformDetails) {
+ this.platformDetails = platformDetails;
+ }
++
++ public boolean isIncludePlatformDetails() {
++ return includePlatformDetails;
++ }
++
++ public void setIncludePlatformDetails(boolean includePlatformDetails) {
++ this.includePlatformDetails = includePlatformDetails;
++ }
+ }
+diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/openwire/WireFormatInfoPropertiesTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/openwire/WireFormatInfoPropertiesTest.java
+index 5c0608d..2eedd65 100644
+--- a/activemq-unit-tests/src/test/java/org/apache/activemq/openwire/WireFormatInfoPropertiesTest.java
++++ b/activemq-unit-tests/src/test/java/org/apache/activemq/openwire/WireFormatInfoPropertiesTest.java
+@@ -25,7 +25,6 @@ import java.io.DataInputStream;
+ import java.io.DataOutputStream;
+ import java.io.IOException;
+ import java.net.URI;
+-import java.util.concurrent.atomic.AtomicReference;
+
+ import org.apache.activemq.ActiveMQConnection;
+ import org.apache.activemq.ActiveMQConnectionFactory;
+@@ -33,7 +32,8 @@ import org.apache.activemq.ActiveMQConnectionMetaData;
+ import org.apache.activemq.broker.BrokerService;
+ import org.apache.activemq.broker.TransportConnector;
+ import org.apache.activemq.command.WireFormatInfo;
+-import org.apache.activemq.transport.DefaultTransportListener;
++import org.junit.After;
++import org.junit.Before;
+ import org.junit.Test;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+@@ -42,36 +42,60 @@ public class WireFormatInfoPropertiesTest {
+
+ static final Logger LOG = LoggerFactory.getLogger(WireFormatInfoPropertiesTest.class);
+
+- protected BrokerService master;
+- protected String brokerUri;
++ private BrokerService service;
++ private String brokerUri;
++ private TransportConnector connector;
++
++ @Before
++ public void before() throws Exception {
++ service = new BrokerService();
++ connector = service.addConnector("tcp://localhost:0");
++ brokerUri = connector.getPublishableConnectString();
++ service.setPersistent(false);
++ service.setUseJmx(false);
++ service.setBrokerName("Master");
++ service.start();
++ service.waitUntilStarted();
++ }
++
++ @After
++ public void after() throws Exception {
++ if (service != null) {
++ service.stop();
++ service.waitUntilStopped();
++ }
++ }
+
+ @Test
+- public void testClientProperties() throws Exception{
+- BrokerService service = createBrokerService();
+- try {
+- ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(new URI(brokerUri));
+- ActiveMQConnection conn = (ActiveMQConnection)factory.createConnection();
+- final AtomicReference<WireFormatInfo> clientWf = new AtomicReference<WireFormatInfo>();
+- conn.addTransportListener(new DefaultTransportListener() {
+- @Override
+- public void onCommand(Object command) {
+- if (command instanceof WireFormatInfo) {
+- clientWf.set((WireFormatInfo)command);
+- }
+- }
+- });
+- conn.start();
+- if (clientWf.get() == null) {
+- fail("Wire format info is null");
+- }
+- assertTrue(clientWf.get().getProperties().containsKey("ProviderName"));
+- assertTrue(clientWf.get().getProperties().containsKey("ProviderVersion"));
+- assertTrue(clientWf.get().getProperties().containsKey("PlatformDetails"));
+- assertTrue(clientWf.get().getProviderName().equals(ActiveMQConnectionMetaData.PROVIDER_NAME));
+- assertTrue(clientWf.get().getPlatformDetails().equals(ActiveMQConnectionMetaData.PLATFORM_DETAILS));
+- } finally {
+- stopBroker(service);
++ public void testClientPropertiesWithDefaultPlatformDetails() throws Exception{
++ WireFormatInfo clientWf = testClientProperties(brokerUri);
++ assertTrue(clientWf.getPlatformDetails().equals(ActiveMQConnectionMetaData.DEFAULT_PLATFORM_DETAILS));
++ }
++
++ @Test
++ public void testClientPropertiesWithPlatformDetails() throws Exception{
++ WireFormatInfo clientWf = testClientProperties(brokerUri + "?wireFormat.includePlatformDetails=true");
++ assertTrue(clientWf.getPlatformDetails().equals(ActiveMQConnectionMetaData.PLATFORM_DETAILS));
++ }
++
++ private WireFormatInfo testClientProperties(String brokerUri) throws Exception {
++ ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(new URI(brokerUri));
++ ActiveMQConnection conn = (ActiveMQConnection)factory.createConnection();
++ conn.start();
++
++ assertTrue(connector.getConnections().size() == 1);
++ final WireFormatInfo clientWf = connector.getConnections().get(0).getRemoteWireFormatInfo();
++ if (clientWf == null) {
++ fail("Wire format info is null");
+ }
++
++ //verify properties that the client sends to the broker
++ assertTrue(clientWf.getProperties().containsKey("ProviderName"));
++ assertTrue(clientWf.getProperties().containsKey("ProviderVersion"));
++ assertTrue(clientWf.getProperties().containsKey("PlatformDetails"));
++ assertTrue(clientWf.getProviderName().equals(ActiveMQConnectionMetaData.PROVIDER_NAME));
++
++ return clientWf;
+ }
+
+ @Test
+@@ -100,23 +124,4 @@ public class WireFormatInfoPropertiesTest {
+ assertTrue(result.getPlatformDetails().equals(orig.getPlatformDetails()));
+ }
+
+- private BrokerService createBrokerService() throws Exception {
+- BrokerService service = new BrokerService();
+- TransportConnector connector = service.addConnector("tcp://localhost:0");
+- brokerUri = connector.getPublishableConnectString();
+- service.setPersistent(false);
+- service.setUseJmx(false);
+- service.setBrokerName("Master");
+- service.start();
+- service.waitUntilStarted();
+- return service;
+- }
+-
+- private void stopBroker(BrokerService service) throws Exception {
+- if (service != null) {
+- service.stop();
+- service.waitUntilStopped();
+- }
+- }
+-
+ }
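Review bot: In OpenWireFormatFactory.createWireFormat (inner hunk `@@ -65,6 +67,9 @@`) the new branch writes `platformDetails = ActiveMQConnectionMetaData.PLATFORM_DETAILS` into the factory's field instead of a local, so the first call with includePlatformDetails=true permanently overwrites whatever setPlatformDetails(...) configured, and a later setIncludePlatformDetails(false) still sends the real JVM/OS string because the field itself has been mutated. Since the whole point of this patch is to stop leaking platform details by default, the choice should be made per call and leave the configured value intact: `info.setPlatformDetails(includePlatformDetails ? ActiveMQConnectionMetaData.PLATFORM_DETAILS : platformDetails);` with the three added lines dropped. createWireFormat begins and ends outside the visible hunk, so any other reader of the field there is not visible here. As a style point, the rewritten test asserts with `assertTrue(a.equals(b))`; `assertEquals(expected, actual)` would report the offending value on failure instead of a bare "expected true".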
=====================================
debian/patches/CVE-2018-11775.patch
=====================================
@@ -0,0 +1,410 @@
+From: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
+Date: Tue, 2 Mar 2021 15:54:28 +0100
+Subject: CVE-2018-11775
+
+TLS hostname verification
+Origin: https://git-wip-us.apache.org/repos/asf?p=activemq.git;a=commit;h=bde7097fb8173cf871827df7811b3865679b963d
+ https://git-wip-us.apache.org/repos/asf?p=activemq.git;a=commit;h=02971a40e281713a8397d3a1809c164b594abfbb
+Last-Update: 2021-02-24
+---
+ .../activemq/transport/amqp/AmqpTestSupport.java | 6 ++--
+ .../transport/nio/AutoInitNioSSLTransport.java | 7 ++++
+ .../activemq/transport/nio/NIOSSLTransport.java | 16 +++++++++
+ .../activemq/transport/tcp/SslTransport.java | 41 ++++++++++++++++++++++
+ .../activemq/transport/tcp/SslTransportServer.java | 2 ++
+ .../activemq/transport/tcp/TcpTransport.java | 3 +-
+ .../activemq/transport/tcp/TcpTransportServer.java | 15 ++++++++
+ .../activemq/transport/stomp/StompSslAuthTest.java | 6 ++--
+ .../auto/AutoTransportConnectionsTest.java | 3 ++
+ .../activemq/transport/nio/NIOSSLBasicTest.java | 28 +++++++++++----
+ .../activemq/transport/nio/NIOSSLLoadTest.java | 3 +-
+ 11 files changed, 116 insertions(+), 14 deletions(-)
+
+diff --git a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java
+index fd4accb..d7ce2ed 100644
+--- a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java
++++ b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java
+@@ -189,7 +189,7 @@ public class AmqpTestSupport {
+ }
+ if (isUseSslConnector()) {
+ connector = brokerService.addConnector(
+- "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
++ "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+ amqpSslPort = connector.getConnectUri().getPort();
+ amqpSslURI = connector.getPublishableConnectURI();
+ LOG.debug("Using amqp+ssl port " + amqpSslPort);
+@@ -203,7 +203,7 @@ public class AmqpTestSupport {
+ }
+ if (isUseNioPlusSslConnector()) {
+ connector = brokerService.addConnector(
+- "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
++ "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+ amqpNioPlusSslPort = connector.getConnectUri().getPort();
+ amqpNioPlusSslURI = connector.getPublishableConnectURI();
+ LOG.debug("Using amqp+nio+ssl port " + amqpNioPlusSslPort);
+@@ -469,4 +469,4 @@ public class AmqpTestSupport {
+ .newProxyInstance(queueViewMBeanName, TopicViewMBean.class, true);
+ return proxy;
+ }
+-}
+\ No newline at end of file
++}
+diff --git a/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java b/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java
+index 449c7ae..9301b65 100644
+--- a/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java
++++ b/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java
+@@ -30,6 +30,7 @@ import javax.net.SocketFactory;
+ import javax.net.ssl.SSLContext;
+ import javax.net.ssl.SSLEngine;
+ import javax.net.ssl.SSLEngineResult;
++import javax.net.ssl.SSLParameters;
+
+ import org.apache.activemq.thread.TaskRunnerFactory;
+ import org.apache.activemq.util.IOExceptionSupport;
+@@ -89,6 +90,12 @@ public class AutoInitNioSSLTransport extends NIOSSLTransport {
+ sslEngine = sslContext.createSSLEngine();
+ }
+
++ if (verifyHostName) {
++ SSLParameters sslParams = new SSLParameters();
++ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
++ sslEngine.setSSLParameters(sslParams);
++ }
++
+ sslEngine.setUseClientMode(false);
+ if (enabledCipherSuites != null) {
+ sslEngine.setEnabledCipherSuites(enabledCipherSuites);
+diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java b/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java
+index 64e96be..9d64101 100644
+--- a/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java
++++ b/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java
+@@ -35,6 +35,7 @@ import javax.net.SocketFactory;
+ import javax.net.ssl.SSLContext;
+ import javax.net.ssl.SSLEngine;
+ import javax.net.ssl.SSLEngineResult;
++import javax.net.ssl.SSLParameters;
+ import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+ import javax.net.ssl.SSLPeerUnverifiedException;
+ import javax.net.ssl.SSLSession;
+@@ -56,6 +57,7 @@ public class NIOSSLTransport extends NIOTransport {
+ protected boolean wantClientAuth;
+ protected String[] enabledCipherSuites;
+ protected String[] enabledProtocols;
++ protected boolean verifyHostName = false;
+
+ protected SSLContext sslContext;
+ protected SSLEngine sslEngine;
+@@ -119,6 +121,12 @@ public class NIOSSLTransport extends NIOTransport {
+ sslEngine = sslContext.createSSLEngine();
+ }
+
++ if (verifyHostName) {
++ SSLParameters sslParams = new SSLParameters();
++ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
++ sslEngine.setSSLParameters(sslParams);
++ }
++
+ sslEngine.setUseClientMode(false);
+ if (enabledCipherSuites != null) {
+ sslEngine.setEnabledCipherSuites(enabledCipherSuites);
+@@ -543,4 +551,12 @@ public class NIOSSLTransport extends NIOTransport {
+ public void setEnabledProtocols(String[] enabledProtocols) {
+ this.enabledProtocols = enabledProtocols;
+ }
++
++ public boolean isVerifyHostName() {
++ return verifyHostName;
++ }
++
++ public void setVerifyHostName(boolean verifyHostName) {
++ this.verifyHostName = verifyHostName;
++ }
+ }
+diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java
+index 0c2fab9..0754f76 100644
+--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java
++++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java
+@@ -17,11 +17,14 @@
+ package org.apache.activemq.transport.tcp;
+
+ import java.io.IOException;
++import java.net.Socket;
++import java.net.SocketException;
+ import java.net.URI;
+ import java.net.UnknownHostException;
+ import java.security.cert.X509Certificate;
+ import java.util.HashMap;
+
++import javax.net.ssl.SSLParameters;
+ import javax.net.ssl.SSLPeerUnverifiedException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -43,6 +46,8 @@ import org.apache.activemq.wireformat.WireFormat;
+ */
+ public class SslTransport extends TcpTransport {
+
++ private Boolean verifyHostName = null;
++
+ /**
+ * Connect to a remote node such as a Broker.
+ *
+@@ -73,6 +78,38 @@ public class SslTransport extends TcpTransport {
+ }
+ }
+
++ @Override
++ protected void initialiseSocket(Socket sock) throws SocketException, IllegalArgumentException {
++ //This needs to default to null because this transport class is used for both a server transport
++ //and a client connection and if we default it to a value it might override the transport server setting
++ //that was configured inside TcpTransportServer
++
++ //The idea here is that if this is a server transport then verifyHostName will be set by the setter
++ //below and not be null (if using transport.verifyHostName) but if a client uses socket.verifyHostName
++ //then it will be null and we can check socketOptions
++
++ //Unfortunately we have to do this to stay consistent because every other SSL option on the client
++ //side is configured using socket. but this particular option isn't actually part of the socket
++ //so it makes it tricky
++ if (verifyHostName == null) {
++ if (socketOptions != null && socketOptions.containsKey("verifyHostName")) {
++ verifyHostName = Boolean.parseBoolean(socketOptions.get("verifyHostName").toString());
++ socketOptions.remove("verifyHostName");
++ } else {
++ //If null and not set then this is a client so default to true
++ verifyHostName = true;
++ }
++ }
++
++ if (verifyHostName) {
++ SSLParameters sslParams = new SSLParameters();
++ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
++ ((SSLSocket)this.socket).setSSLParameters(sslParams);
++ }
++
++ super.initialiseSocket(sock);
++ }
++
+ /**
+ * Initialize from a ServerSocket. No access to needClientAuth is given
+ * since it is already set within the provided socket.
+@@ -108,6 +145,10 @@ public class SslTransport extends TcpTransport {
+ super.doConsume(command);
+ }
+
++ public void setVerifyHostName(Boolean verifyHostName) {
++ this.verifyHostName = verifyHostName;
++ }
++
+ /**
+ * @return peer certificate chain associated with the ssl socket
+ */
+diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
+index bfd6318..5106e4f 100644
+--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
++++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
+@@ -100,6 +100,7 @@ public class SslTransportServer extends TcpTransportServer {
+ *
+ * @throws IOException passed up from TcpTransportServer.
+ */
++ @Override
+ public void bind() throws IOException {
+ super.bind();
+ if (needClientAuth) {
+@@ -119,6 +120,7 @@ public class SslTransportServer extends TcpTransportServer {
+ * @return The newly return (SSL) Transport.
+ * @throws IOException
+ */
++ @Override
+ protected Transport createTransport(Socket socket, WireFormat format) throws IOException {
+ return new SslTransport(format, (SSLSocket)socket);
+ }
+diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
+index 04d1636..e85cbaf 100755
+--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
++++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
+@@ -133,7 +133,7 @@ public class TcpTransport extends TransportThreadSupport implements Transport, S
+ protected final AtomicReference<CountDownLatch> stoppedLatch = new AtomicReference<CountDownLatch>();
+ protected volatile int receiveCounter;
+
+- private Map<String, Object> socketOptions;
++ protected Map<String, Object> socketOptions;
+ private int soLinger = Integer.MIN_VALUE;
+ private Boolean keepAlive;
+ private Boolean tcpNoDelay;
+@@ -751,6 +751,7 @@ public class TcpTransport extends TransportThreadSupport implements Transport, S
+ return true;
+ }
+
++ @Override
+ public WireFormat getWireFormat() {
+ return wireFormat;
+ }
+diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
+index 5d623b6..6060683 100755
+--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
++++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
+@@ -40,6 +40,7 @@ import java.util.concurrent.TimeUnit;
+ import java.util.concurrent.atomic.AtomicInteger;
+
+ import javax.net.ServerSocketFactory;
++import javax.net.ssl.SSLParameters;
+ import javax.net.ssl.SSLServerSocket;
+
+ import org.apache.activemq.Service;
+@@ -79,6 +80,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
+ protected int minmumWireFormatVersion;
+ protected boolean useQueueForAccept = true;
+ protected boolean allowLinkStealing;
++ protected boolean verifyHostName = false;
+
+ /**
+ * trace=true -> the Transport stack where this TcpTransport object will be, will have a TransportLogger layer
+@@ -171,6 +173,19 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
+ // see: https://issues.apache.org/jira/browse/AMQ-4582
+ //
+ if (socket instanceof SSLServerSocket) {
++ if (transportOptions.containsKey("verifyHostName")) {
++ verifyHostName = Boolean.parseBoolean(transportOptions.get("verifyHostName").toString());
++ } else {
++ transportOptions.put("verifyHostName", verifyHostName);
++ }
++
++ if (verifyHostName) {
++ SSLParameters sslParams = new SSLParameters();
++ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
++ ((SSLServerSocket)this.serverSocket).setSSLParameters(sslParams);
++ }
++
++
+ if (transportOptions.containsKey("enabledCipherSuites")) {
+ Object cipherSuites = transportOptions.remove("enabledCipherSuites");
+
+diff --git a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
+index 9b4d1c4..03c24c4 100644
+--- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
++++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
+@@ -54,13 +54,13 @@ public class StompSslAuthTest extends StompTest {
+
+ @Override
+ public void addOpenWireConnector() throws Exception {
+- TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?needClientAuth=true");
+- cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString());
++ TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?transport.needClientAuth=true");
++ cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString() + "?socket.verifyHostName=false");
+ }
+
+ @Override
+ protected String getAdditionalConfig() {
+- return "?needClientAuth=true";
++ return "?needClientAuth=true&transport.verifyHostName=false";
+ }
+
+ // NOOP - These operations handled by jaas cert login module
+diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
+index 5bfbe72..e100b6c 100644
+--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
++++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
+@@ -105,6 +105,9 @@ public class AutoTransportConnectionsTest {
+ public void configureConnectorAndStart(String bindAddress) throws Exception {
+ connector = service.addConnector(bindAddress);
+ connectionUri = connector.getPublishableConnectString();
++ if (connectionUri.contains("ssl")) {
++ connectionUri += connectionUri.contains("?") ? "&socket.verifyHostName=false" : "?socket.verifyHostName=false";
++ }
+ service.start();
+ service.waitUntilStarted();
+ }
+diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java
+index 473d785..6444d2c 100644
+--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java
++++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java
+@@ -17,14 +17,14 @@
+ package org.apache.activemq.transport.nio;
+
+ import javax.jms.Connection;
++import javax.jms.JMSException;
+ import javax.jms.Message;
+ import javax.jms.MessageConsumer;
+ import javax.jms.MessageProducer;
+ import javax.jms.Queue;
+ import javax.jms.Session;
+ import javax.jms.TextMessage;
+-
+-import junit.framework.TestCase;
++import javax.net.ssl.SSLHandshakeException;
+
+ import org.apache.activemq.ActiveMQConnectionFactory;
+ import org.apache.activemq.broker.BrokerService;
+@@ -33,6 +33,8 @@ import org.junit.After;
+ import org.junit.Before;
+ import org.junit.Test;
+
++import junit.framework.TestCase;
++
+ public class NIOSSLBasicTest {
+
+ public static final String KEYSTORE_TYPE = "jks";
+@@ -79,24 +81,38 @@ public class NIOSSLBasicTest {
+ @Test
+ public void basicConnector() throws Exception {
+ BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true");
+- basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
++ basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
+ stopBroker(broker);
+ }
+
+ @Test
+ public void enabledCipherSuites() throws Exception {
+- BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
+- basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
++ BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
++ basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
+ stopBroker(broker);
+ }
+
+ @Test
+ public void enabledProtocols() throws Exception {
+ BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2");
+- basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
++ basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
+ stopBroker(broker);
+ }
+
++ //Client is missing verifyHostName=false so it should fail as cert doesn't have right host name
++ @Test(expected = Exception.class)
++ public void verifyHostNameErrorClient() throws Exception {
++ BrokerService broker = null;
++ try {
++ broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true");
++ basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
++ } finally {
++ if (broker != null) {
++ stopBroker(broker);
++ }
++ }
++ }
++
+ public void basicSendReceive(String uri) throws Exception {
+ ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(uri);
+ Connection connection = factory.createConnection();
+diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java
+index 4751c9f..0e50f44 100644
+--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java
++++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java
+@@ -74,7 +74,7 @@ public class NIOSSLLoadTest {
+ broker = new BrokerService();
+ broker.setPersistent(false);
+ broker.setUseJmx(false);
+- connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
++ connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
+ broker.start();
+ broker.waitUntilStarted();
+
+@@ -113,6 +113,7 @@ public class NIOSSLLoadTest {
+ }
+
+ Wait.waitFor(new Wait.Condition() {
++ @Override
+ public boolean isSatisified() throws Exception {
+ return getReceived() == PRODUCER_COUNT * MESSAGE_COUNT;
+ }
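Review bot: The hostname-verification blocks added to SslTransport.initialiseSocket, NIOSSLTransport and AutoInitNioSSLTransport build a fresh `new SSLParameters()` and hand it to setSSLParameters; per the SSLSocket.setSSLParameters Javadoc a fresh instance carries needClientAuth=false and wantClientAuth=false and those flags are applied too (only the null cipher-suite and protocol lists are left alone), so on a server-side transport started with transport.verifyHostName=true this looks like it would silently drop the client-auth requirement inherited from the SSLServerSocket unless needClientAuth is re-applied later in code outside these hunks. The TcpTransportServer case avoids this only because SslTransportServer.bind() sets needClientAuth after super.bind() returns. The safer form is to modify the current parameters rather than replace them: `SSLParameters sslParams = ((SSLSocket) this.socket).getSSLParameters(); sslParams.setEndpointIdentificationAlgorithm("HTTPS"); ((SSLSocket) this.socket).setSSLParameters(sslParams);` and likewise `sslEngine.getSSLParameters()` in the two NIO transports. The enclosing methods in all three files start and end outside the visible hunks. Separately, `verifyHostNameErrorClient` in NIOSSLBasicTest is declared `@Test(expected = Exception.class)` on a fixed port 61616, so a bind failure would also satisfy it; narrowing the expectation to the handshake failure the newly imported SSLHandshakeException suggests would make the test actually prove the check fires.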
=====================================
debian/patches/CVE-2021-26117.patch
=====================================
@@ -0,0 +1,172 @@
+From: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
+Date: Tue, 2 Mar 2021 16:40:36 +0100
+Subject: CVE-2021-26117
+
+ no check on the password
+
+Author: Abhijith PA <abhijith at debian.org>
+Origin: https://github.com/apache/activemq/commit/c9f68f4c64b2687eee283b95538753665d2b229b/
+Last-Update: 2021-02-25
+---
+ .../org/apache/activemq/jaas/LDAPLoginModule.java | 3 +-
+ .../apache/activemq/jaas/LDAPLoginModuleTest.java | 48 ++++++++++++++++++++--
+ activemq-jaas/src/test/resources/login.config | 36 ++++++++++++++++
+ 3 files changed, 83 insertions(+), 4 deletions(-)
+
+diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
+index f0834a0..0a56204 100644
+--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
++++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
+@@ -404,6 +404,7 @@ public class LDAPLoginModule implements LoginModule {
+ if (log.isDebugEnabled()) {
+ log.debug("Binding the user.");
+ }
++ context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
+ context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
+ context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
+ try {
+@@ -429,7 +430,7 @@ public class LDAPLoginModule implements LoginModule {
+ } else {
+ context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
+ }
+-
++ context.addToEnvironment(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));
+ return isValid;
+ }
+
+diff --git a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
+index ea2fb57..208dba2 100644
+--- a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
++++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
+@@ -18,7 +18,6 @@ package org.apache.activemq.jaas;
+
+ import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+ import org.apache.directory.server.core.integ.FrameworkRunner;
+-import org.apache.directory.server.integ.ServerIntegrationUtils;
+ import org.apache.directory.server.ldap.LdapServer;
+ import org.apache.directory.server.annotations.CreateLdapServer;
+ import org.apache.directory.server.annotations.CreateTransport;
+@@ -34,11 +33,11 @@ import javax.naming.NamingEnumeration;
+ import javax.naming.directory.DirContext;
+ import javax.naming.directory.InitialDirContext;
+ import javax.security.auth.callback.*;
++import javax.security.auth.login.FailedLoginException;
+ import javax.security.auth.login.LoginContext;
+ import javax.security.auth.login.LoginException;
+
+ import java.io.IOException;
+-import java.net.URL;
+ import java.util.HashSet;
+ import java.util.Hashtable;
+
+@@ -47,7 +46,7 @@ import static org.junit.Assert.assertTrue;
+ import static org.junit.Assert.fail;
+
+ @RunWith ( FrameworkRunner.class )
+- at CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)})
++ at CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)}, allowAnonymousAccess = true)
+ @ApplyLdifFiles(
+ "test.ldif"
+ )
+@@ -172,4 +171,47 @@ public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
+ }
+
+
++ @Test
++ public void testAuthenticatedViaBindOnAnonConnection() throws Exception {
++ LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
++ @Override
++ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
++ for (int i = 0; i < callbacks.length; i++) {
++ if (callbacks[i] instanceof NameCallback) {
++ ((NameCallback) callbacks[i]).setName("first");
++ } else if (callbacks[i] instanceof PasswordCallback) {
++ ((PasswordCallback) callbacks[i]).setPassword("wrongSecret".toCharArray());
++ } else {
++ throw new UnsupportedCallbackException(callbacks[i]);
++ }
++ }
++ }
++ });
++ try {
++ context.login();
++ fail("Should have failed authenticating");
++ } catch (FailedLoginException expected) {
++ }
++ }
++
++ @Test
++ public void testAuthenticatedOkViaBindOnAnonConnection() throws Exception {
++ LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
++ @Override
++ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
++ for (int i = 0; i < callbacks.length; i++) {
++ if (callbacks[i] instanceof NameCallback) {
++ ((NameCallback) callbacks[i]).setName("first");
++ } else if (callbacks[i] instanceof PasswordCallback) {
++ ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray());
++ } else {
++ throw new UnsupportedCallbackException(callbacks[i]);
++ }
++ }
++ }
++ });
++ context.login();
++ context.logout();
++ }
++
+ }
+diff --git a/activemq-jaas/src/test/resources/login.config b/activemq-jaas/src/test/resources/login.config
+index dee62a5..b5e8cf8 100644
+--- a/activemq-jaas/src/test/resources/login.config
++++ b/activemq-jaas/src/test/resources/login.config
+@@ -30,6 +30,23 @@ PropertiesLoginReload {
+ org.apache.activemq.jaas.properties.group="groups.properties";
+ };
+
++EncryptedPropertiesLogin {
++ org.apache.activemq.jaas.PropertiesLoginModule required
++ debug=true
++ org.apache.activemq.jaas.properties.user="users-encrypted.properties"
++ org.apache.activemq.jaas.properties.group="groups.properties"
++ decrypt=true;
++};
++
++EncryptedAESPropertiesLogin {
++ org.apache.activemq.jaas.PropertiesLoginModule required
++ debug=true
++ org.apache.activemq.jaas.properties.user="users-encrypted-aes.properties"
++ org.apache.activemq.jaas.properties.group="groups.properties"
++ algorithm=PBEWITHHMACSHA1ANDAES_128
++ decrypt=true;
++};
++
+ LDAPLogin {
+ org.apache.activemq.jaas.LDAPLoginModule required
+ debug=true
+@@ -88,6 +105,25 @@ UnAuthenticatedLDAPLogin {
+ ;
+ };
+
++AnonBindCheckUserLDAPLogin {
++ org.apache.activemq.jaas.LDAPLoginModule required
++ debug=true
++ initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
++ connectionURL="ldap://localhost:1024"
++ connectionUsername=none
++ connectionPassword=none
++ connectionProtocol=s
++ authentication=none
++ userBase="ou=system"
++ userSearchMatching="(uid={0})"
++ userSearchSubtree=false
++ roleBase="ou=system"
++ roleName=cn
++ roleSearchMatching="(member=uid={1},ou=system)"
++ roleSearchSubtree=false
++ ;
++};
++
+ ExpandedLDAPLogin {
+ org.apache.activemq.jaas.LDAPLoginModule required
+ debug=true
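Review bot: The restore of `Context.SECURITY_AUTHENTICATION` to the configured value (`context.addToEnvironment(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));`) sits after the `try` that performs the user bind rather than in a `finally`, so if that block rethrows (its body and the enclosing method lie outside the hunk) the shared context is left in the `simple`/user-principal state the fix just forced; moving the restore into a `finally` next to the `removeFromEnvironment(Context.SECURITY_CREDENTIALS)` cleanup would make the reset unconditional. When `AUTHENTICATION` is not configured, `getLDAPPropertyValue` presumably returns `null`, and whether `addToEnvironment` then removes the property or throws depends on the context implementation, so a one-line comment stating the intended outcome there would help the next reader. On the test side, the empty `catch (FailedLoginException expected) { }` in `testAuthenticatedViaBindOnAnonConnection` would read better with a comment such as `// expected: a wrong password must not authenticate over an anonymous connection`.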
=====================================
debian/patches/series
=====================================
@@ -4,3 +4,6 @@ activemq-client-jar.patch
disable-broker-test-dependency.patch
CVE-2017-7559.patch
CVE-2020-13920.patch
+CVE-2017-15709.patch
+CVE-2018-11775.patch
+CVE-2021-26117.patch