[Git][java-team/activemq][stretch] 6 commits: activemq: enable salsa-ci
Markus Koschany (@apo)
gitlab at salsa.debian.org
Sat Feb 8 18:27:55 GMT 2025
Markus Koschany pushed to branch stretch at Debian Java Maintainers / activemq
Commits:
c2094b7e by Arturo Borrero Gonzalez at 2024-11-24T19:00:16+01:00
activemq: enable salsa-ci
Enable CI on salsa.d.o.
Signed-off-by: Arturo Borrero Gonzalez <arturo at debian.org>
- - - - -
f6306b5e by Arturo Borrero Gonzalez at 2024-11-24T19:02:48+01:00
activemq: add patch to fix CVE-2022-41678
Add patch to fix CVE-2022-41678.
Signed-off-by: Arturo Borrero Gonzalez <arturo at debian.org>
- - - - -
10bff278 by Arturo Borrero Gonzalez at 2024-11-24T19:03:48+01:00
d/patches/CVE-2022-41678.patch: quilt refresh it
Refresh offset.
Git-Dch: Ignore
Signed-off-by: Arturo Borrero Gonzalez <arturo at debian.org>
- - - - -
eb6907ab by Arturo Borrero Gonzalez at 2024-11-24T19:49:06+01:00
activemq: add fix for CVE-2023-46604
Add fix for CVE-2023-46604.
Signed-off-by: Arturo Borrero Gonzalez <arturo at debian.org>
- - - - -
383c0fe8 by Arturo Borrero Gonzalez at 2024-11-25T23:03:18+01:00
d/changelog: generate entry for 5.14.3-3+deb9u3 stretch-security
New changelog entry.
Git-Dch: Ignore
Signed-off-by: Arturo Borrero Gonzalez <arturo at debian.org>
- - - - -
9372fe69 by Arturo Borrero Gonzalez at 2024-11-26T22:18:51+01:00
d/patches/CVE-2023-46604.patch: disable dependency
Disable dependency that maven cannot satisfy at build time, causing FTBFS.
Git-Dch: Ignore
Signed-off-by: Arturo Borrero Gonzalez <arturo at debian.org>
- - - - -
5 changed files:
- debian/changelog
- + debian/patches/CVE-2022-41678.patch
- + debian/patches/CVE-2023-46604.patch
- debian/patches/series
- + debian/salsa-ci.yml
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+activemq (5.14.3-3+deb9u3) stretch-security; urgency=medium
+
+ * Non-maintainer upload by the ELTS Security Team.
+ * activemq: enable salsa-ci
+ * activemq: add patch to fix CVE-2022-41678
+ * activemq: add fix for CVE-2023-46604
+
+ -- Arturo Borrero Gonzalez <arturo at debian.org> Mon, 25 Nov 2024 23:02:24 +0100
+
activemq (5.14.3-3+deb9u2) stretch-security; urgency=medium
* Non-maintainer upload by the LTS Security Team.
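Review bot: the three bullets in the new 5.14.3-3+deb9u3 entry repeat the commit subjects, including the redundant "activemq:" prefix, and do not say what was changed. For a security upload it helps later triage if each CVE line names the patch file and the nature of the fix: CVE-2022-41678 is addressed by tightening the default Jolokia access policy, CVE-2023-46604 by validating the Throwable class type in the OpenWire marshallers. The salsa-ci item is packaging-only and would read better as the last bullet.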
=====================================
debian/patches/CVE-2022-41678.patch
=====================================
@@ -0,0 +1,65 @@
+Origin: https://github.com/apache/activemq/commit/5c8d457d9fcef194ea89f969b822850837143c5f
+
+From 5c8d457d9fcef194ea89f969b822850837143c5f Mon Sep 17 00:00:00 2001
+From: "Christopher L. Shannon (cshannon)" <christopher.l.shannon at gmail.com>
+Date: Wed, 1 Feb 2023 07:04:56 -0500
+Subject: [PATCH] AMQ-9201 - Update Jolokia default access configuration
+
+(cherry picked from commit 6120169e563b55323352431dfe9ac67a8b4de6c2)
+---
+ .../api/WEB-INF/classes/jolokia-access.xml | 34 ++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+--- a/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml
++++ b/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml
+@@ -17,9 +17,36 @@
+ -->
+ <restrict>
+
+- <!-- deny calling operations or getting attributes from these mbeans -->
++ <!-- By default don't allow write or exec operations -->
++ <commands>
++ <command>read</command>
++ <command>list</command>
++ <command>version</command>
++ <command>search</command>
++ </commands>
++
++ <allow>
++ <!-- Allow all operations for the broker itself -->
++ <mbean>
++ <name>org.apache.activemq:*</name>
++ <attribute>*</attribute>
++ <operation>*</operation>
++ </mbean>
++ <!-- Allow all operations for Jolokia Config -->
++ <mbean>
++ <name>jolokia:type=Config</name>
++ <operation>*</operation>
++ </mbean>
++ </allow>
++
++ <!-- deny all operations or getting attributes from these mbeans -->
+ <deny>
+ <mbean>
++ <name>org.apache.logging.log4j2:*</name>
++ <attribute>*</attribute>
++ <operation>*</operation>
++ </mbean>
++ <mbean>
+ <name>com.sun.management:type=DiagnosticCommand</name>
+ <attribute>*</attribute>
+ <operation>*</operation>
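Review bot: the comment "By default don't allow write or exec operations" sits directly above an <allow> block that grants <attribute>*</attribute> and <operation>*</operation> on org.apache.activemq:*, so a reader skimming the file could take the policy to be read-only when every broker MBean operation is still permitted. Suggest rewording the first comment to mention the exceptions listed under <allow>. Please also confirm that org.apache.logging.log4j2:* is the MBean domain the logging backend in this 5.14.3 package actually registers; if it is not, the new deny entry matches nothing and the domain in use should be listed instead.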
+@@ -29,6 +56,11 @@
+ <attribute>*</attribute>
+ <operation>*</operation>
+ </mbean>
++ <mbean>
++ <name>jdk.management.jfr:type=FlightRecorder</name>
++ <attribute>*</attribute>
++ <operation>*</operation>
++ </mbean>
+ </deny>
+
+ </restrict>
+\ No newline at end of file
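Review bot: the file patched here lives under assembly/src/release/webapps/api/WEB-INF/classes/, and nothing in this upload shows that the stretch binary packages install it. Please confirm that jolokia-access.xml from this path reaches installed systems, and how an existing install with a locally modified copy picks up the new policy; if the file is not shipped, the changelog should not present CVE-2022-41678 as fixed by this patch alone. The "\ No newline at end of file" marker comes with the upstream file and is harmless.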
=====================================
debian/patches/CVE-2023-46604.patch
=====================================
@@ -0,0 +1,691 @@
+Origin: https://github.com/apache/activemq/commit/d0ccdd31544ada83185554c87c7aa141064020f0
+
+From d0ccdd31544ada83185554c87c7aa141064020f0 Mon Sep 17 00:00:00 2001
+From: "Christopher L. Shannon (cshannon)" <christopher.l.shannon at gmail.com>
+Date: Mon, 23 Oct 2023 18:24:38 -0400
+Subject: [PATCH] AMQ-9370 - Openwire marshaller should validate Throwable
+ class type
+
+(cherry picked from commit 3eaf3107f4fb9a3ce7ab45c175bfaeac7e866d5b)
+---
+ activemq-client/pom.xml | 11 ++
+ .../activemq/openwire/OpenWireUtil.java | 32 ++++
+ .../openwire/v1/BaseDataStreamMarshaller.java | 4 +
+ .../v10/BaseDataStreamMarshaller.java | 4 +
+ .../v11/BaseDataStreamMarshaller.java | 4 +
+ .../v12/BaseDataStreamMarshaller.java | 4 +
+ .../openwire/v9/BaseDataStreamMarshaller.java | 4 +
+ .../openwire/OpenWireValidationTest.java | 166 ++++++++++++++++++
+ activemq-openwire-legacy/pom.xml | 12 ++
+ .../openwire/v2/BaseDataStreamMarshaller.java | 4 +
+ .../openwire/v3/BaseDataStreamMarshaller.java | 4 +
+ .../openwire/v4/BaseDataStreamMarshaller.java | 4 +
+ .../openwire/v5/BaseDataStreamMarshaller.java | 4 +
+ .../openwire/v6/BaseDataStreamMarshaller.java | 4 +
+ .../openwire/v7/BaseDataStreamMarshaller.java | 4 +
+ .../openwire/v8/BaseDataStreamMarshaller.java | 4 +
+ .../OpenWireLegacyValidationTest.java | 129 ++++++++++++++
+ pom.xml | 7 +
+ 18 files changed, 405 insertions(+)
+ create mode 100644 activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
+ create mode 100644 activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java
+ create mode 100644 activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java
+
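Review bot: the header still carries the upstream diffstat ("activemq-openwire-legacy/pom.xml | 12 ++", "18 files changed, 405 insertions(+)") although the activemq-openwire-legacy/pom.xml hunk further down was edited for Debian and now adds 13 lines, and the Origin: line points at the upstream commit without saying the patch was modified. Suggest marking the origin as a backport and adding a Description or Comment field stating that the activemq-client test-jar dependency is disabled, so the divergence from upstream is visible without reading commit 9372fe69.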
+--- a/activemq-client/pom.xml
++++ b/activemq-client/pom.xml
+@@ -252,6 +252,17 @@
+ </execution>
+ </executions>
+ </plugin>
++ <!-- generate the attached tests jar -->
++ <plugin>
++ <artifactId>maven-jar-plugin</artifactId>
++ <executions>
++ <execution>
++ <goals>
++ <goal>test-jar</goal>
++ </goals>
++ </execution>
++ </executions>
++ </plugin>
+ </plugins>
+ <pluginManagement>
+ <plugins>
+--- /dev/null
++++ b/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
+@@ -0,0 +1,32 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.openwire;
++
++public class OpenWireUtil {
++
++ /**
++ * Verify that the provided class extends {@link Throwable} and throw an
++ * {@link IllegalArgumentException} if it does not.
++ *
++ * @param clazz
++ */
++ public static void validateIsThrowable(Class<?> clazz) {
++ if (!Throwable.class.isAssignableFrom(clazz)) {
++ throw new IllegalArgumentException("Class " + clazz + " is not assignable to Throwable");
++ }
++ }
++}
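Review bot: the Javadoc on validateIsThrowable has a bare "@param clazz" with no description, and OpenWireUtil is a static-only helper that can still be instantiated and subclassed. Worth documenting that clazz is the class resolved from the name read off the wire, and, if this is ever touched again, declaring the class final with a private constructor.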
+--- a/activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java
++++ b/activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
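Review bot: in createThrowable, the new "catch (IllegalArgumentException e) { return e; }" hands the validation failure back to the caller but records nothing at this point, so a peer that sends a non-Throwable class name in an exception payload is not logged where it is detected. A warn-level log line naming className in that branch would give operators something to alert on. Note also that Class.forName(className, false, ...) still resolves the wire-supplied name before the check runs; that ordering is fine because initialization is disabled and nothing is instantiated until after validateIsThrowable, but a one-line comment saying so would keep a later edit from reordering the two calls. The same four added lines recur unchanged in the v2 through v12 marshallers, so this applies to each copy.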
+--- a/activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java
++++ b/activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- a/activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java
++++ b/activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- a/activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java
++++ b/activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- a/activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java
++++ b/activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- /dev/null
++++ b/activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java
+@@ -0,0 +1,166 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.openwire;
++
++import static org.junit.Assert.assertTrue;
++
++import java.io.DataOutput;
++import java.io.IOException;
++import java.lang.reflect.Method;
++import java.util.ArrayList;
++import java.util.Collection;
++import java.util.List;
++import org.apache.activemq.command.CommandTypes;
++import org.apache.activemq.command.ExceptionResponse;
++import org.apache.activemq.util.ByteSequence;
++import org.junit.Test;
++import org.junit.runner.RunWith;
++import org.junit.runners.Parameterized;
++import org.junit.runners.Parameterized.Parameters;
++
++/**
++ * Test that Openwire marshalling will validate Throwable types during
++ * unmarshalling commands that contain a Throwable
++ */
++ at RunWith(Parameterized.class)
++public class OpenWireValidationTest {
++
++ protected final int version;
++
++ @Parameters(name = "version={0}")
++ public static Collection<Object[]> data() {
++ List<Integer> versions = List.of(1, 9, 10, 11, 12);
++ List<Object[]> versionObjs = new ArrayList<>();
++ for (int i : versions) {
++ versionObjs.add(new Object[]{i});
++ }
++
++ // Sanity check to make sure the latest generated version is contained in the list
++ // This will make sure that we don't forget to update this test to include
++ // any future versions that are generated
++ assertTrue("List of Openwire versions does not include latest version",
++ versions.contains((int)CommandTypes.PROTOCOL_VERSION));
++
++ return versionObjs;
++ }
++
++ public OpenWireValidationTest(int version) {
++ this.version = version;
++ }
++
++ @Test
++ public void testOpenwireThrowableValidation() throws Exception {
++ // Create a format which will use loose encoding by default
++ // The code for handling exception creation is shared between both
++ // tight/loose encoding so only need to test 1
++ OpenWireFormat format = new OpenWireFormat();
++
++ // Override the marshaller map with a custom impl to purposely marshal a class type that is
++ // not a Throwable for testing the unmarshaller
++ Class<?> marshallerFactory = getMarshallerFactory();
++ Method createMarshallerMap = marshallerFactory.getMethod("createMarshallerMap", OpenWireFormat.class);
++ DataStreamMarshaller[] map = (DataStreamMarshaller[]) createMarshallerMap.invoke(marshallerFactory, format);
++ map[ExceptionResponse.DATA_STRUCTURE_TYPE] = getExceptionMarshaller();
++ // This will trigger updating the marshaller from the marshaller map with the right version
++ format.setVersion(version);
++
++ // Build the response and try to unmarshal which should give an IllegalArgumentExeption on unmarshall
++ // as the test marshaller should have encoded a class type that is not a Throwable
++ ExceptionResponse r = new ExceptionResponse();
++ r.setException(new Exception());
++ ByteSequence bss = format.marshal(r);
++ ExceptionResponse response = (ExceptionResponse) format.unmarshal(bss);
++
++ assertTrue(response.getException() instanceof IllegalArgumentException);
++ assertTrue(response.getException().getMessage().contains("is not assignable to Throwable"));
++ }
++
++ static class NotAThrowable {
++ private String message;
++
++ public NotAThrowable(String message) {
++ this.message = message;
++ }
++
++ public NotAThrowable() {
++ }
++ }
++
++ private Class<?> getMarshallerFactory() throws ClassNotFoundException {
++ return Class.forName("org.apache.activemq.openwire.v" + version + ".MarshallerFactory");
++ }
++
++ // Create test marshallers for all non-legacy versions that will encode NotAThrowable
++ // instead of the exception type for testing purposes
++ protected DataStreamMarshaller getExceptionMarshaller() {
++ switch (version) {
++ case 12:
++ return new org.apache.activemq.openwire.v12.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 11:
++ return new org.apache.activemq.openwire.v11.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 10:
++ return new org.apache.activemq.openwire.v10.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 9:
++ return new org.apache.activemq.openwire.v9.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 1:
++ return new org.apache.activemq.openwire.v1.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ default:
++ throw new IllegalArgumentException("Unknown openwire version of " + version);
++ }
++ }
++
++}
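Review bot: data() builds its list with "List.of(1, 9, 10, 11, 12)", which needs Java 9 or later; if the stretch build compiles test sources with an older JDK this file will not compile, and Arrays.asList(1, 9, 10, 11, 12) is a drop-in replacement. The five anonymous marshallers also call o.getMessage() right after writing "o != null", which would throw on a null Throwable; that is acceptable here because the test always passes new Exception(), but it deserves a comment. If tests are skipped during the package build, say so in the patch header, since then nothing exercises the backported check.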
+--- a/activemq-openwire-legacy/pom.xml
++++ b/activemq-openwire-legacy/pom.xml
+@@ -35,6 +35,19 @@
+ <groupId>org.apache.activemq</groupId>
+ <artifactId>activemq-client</artifactId>
+ </dependency>
++
++ <!-- Debian ELTS: the following is disabled because it causes FTBFS -->
++ <!--dependency>
++ <groupId>org.apache.activemq</groupId>
++ <artifactId>activemq-client</artifactId>
++ <type>test-jar</type>
++ <scope>test</scope>
++ </dependency-->
++ <dependency>
++ <groupId>junit</groupId>
++ <artifactId>junit</artifactId>
++ <scope>test</scope>
++ </dependency>
+ </dependencies>
+
+ </project>
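Review bot: commenting out the activemq-client test-jar dependency leaves OpenWireLegacyValidationTest, added later in this patch, with no way to resolve its superclass OpenWireValidationTest, which lives in activemq-client's test sources. Either the legacy test is never compiled in the Debian build, in which case the v2 to v8 copies of the fix ship untested and the test file together with the root pom.xml test-jar entry could be dropped from the patch, or the build will fail as soon as tests are enabled. Please state in the XML comment which of the two applies; "causes FTBFS" alone does not tell the next maintainer what could not be satisfied.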
+--- a/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java
++++ b/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- a/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java
++++ b/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- a/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java
++++ b/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- a/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java
++++ b/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- a/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java
++++ b/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- a/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java
++++ b/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- a/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java
++++ b/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@
+ private Throwable createThrowable(String className, String message) {
+ try {
+ Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++ OpenWireUtil.validateIsThrowable(clazz);
+ Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+ return (Throwable)constructor.newInstance(new Object[] {message});
++ } catch (IllegalArgumentException e) {
++ return e;
+ } catch (Throwable e) {
+ return new Throwable(className + ": " + message);
+ }
+--- /dev/null
++++ b/activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java
+@@ -0,0 +1,129 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.openwire;
++
++import java.io.DataOutput;
++import java.io.IOException;
++import java.util.ArrayList;
++import java.util.Collection;
++import java.util.List;
++import org.junit.runner.RunWith;
++import org.junit.runners.Parameterized;
++import org.junit.runners.Parameterized.Parameters;
++
++/**
++ * Test that Openwire marshalling for legacy versions will validate Throwable types during
++ * unmarshalling commands that contain a Throwable
++ */
++ at RunWith(Parameterized.class)
++public class OpenWireLegacyValidationTest extends OpenWireValidationTest {
++
++
++ // Run through version 2 - 8 which are legacy
++ @Parameters(name = "version={0}")
++ public static Collection<Object[]> data() {
++ List<Object[]> versions = new ArrayList<>();
++ for (int i = 2; i <= 8; i++) {
++ versions.add(new Object[]{i});
++ }
++ return versions;
++ }
++
++ public OpenWireLegacyValidationTest(int version) {
++ super(version);
++ }
++
++ // Create test marshallers for all legacy versions that will encode NotAThrowable
++ // instead of the exception type for testing purposes
++ protected DataStreamMarshaller getExceptionMarshaller() {
++ switch (version) {
++ case 2:
++ return new org.apache.activemq.openwire.v2.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 3:
++ return new org.apache.activemq.openwire.v3.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 4:
++ return new org.apache.activemq.openwire.v4.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 5:
++ return new org.apache.activemq.openwire.v5.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 6:
++ return new org.apache.activemq.openwire.v6.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 7:
++ return new org.apache.activemq.openwire.v7.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ case 8:
++ return new org.apache.activemq.openwire.v8.ExceptionResponseMarshaller() {
++ @Override
++ protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++ DataOutput dataOut) throws IOException {
++ dataOut.writeBoolean(o != null);
++ looseMarshalString(NotAThrowable.class.getName(), dataOut);
++ looseMarshalString(o.getMessage(), dataOut);
++ }
++ };
++ default:
++ throw new IllegalArgumentException("Unknown openwire version of " + version);
++ }
++ }
++
++}
+--- a/pom.xml
++++ b/pom.xml
+@@ -334,6 +334,13 @@
+ </dependency>
+ <dependency>
+ <groupId>org.apache.activemq</groupId>
++ <artifactId>activemq-client</artifactId>
++ <version>${project.version}</version>
++ <type>test-jar</type>
++ <scope>test</scope>
++ </dependency>
++ <dependency>
++ <groupId>org.apache.activemq</groupId>
+ <artifactId>activemq-openwire-legacy</artifactId>
+ <version>${project.version}</version>
+ </dependency>
=====================================
debian/patches/series
=====================================
@@ -7,3 +7,5 @@ CVE-2020-13920.patch
CVE-2017-15709.patch
CVE-2018-11775.patch
CVE-2021-26117.patch
+CVE-2022-41678.patch
+CVE-2023-46604.patch
=====================================
debian/salsa-ci.yml
=====================================
@@ -0,0 +1,3 @@
+---
+include:
+ - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/stretch.yml
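Review bot: the include pulls the recipe from a raw URL on the master branch of lts-team/pipeline, so the CI definition for this security branch changes whenever that branch does. If a reproducible pipeline matters for ELTS uploads, reference the recipe through a project/file include pinned to a ref (tag or commit) instead of "raw/master".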
View it on GitLab: https://salsa.debian.org/java-team/activemq/-/compare/3985e0c58102246e2d5bf3916b9ba548055e5ae3...9372fe6995dbd75472200da99ee3de9394801c57