[Git][java-team/activemq][master] 4 commits: CVE-2025-27533: Avoid memory allocation with excessive size value during...
Emmanuel Arias (@eamanu)
gitlab at salsa.debian.org
Mon Jun 2 16:37:39 BST 2025
Emmanuel Arias pushed to branch master at Debian Java Maintainers / activemq
Commits:
622badd3 by Emmanuel Arias at 2025-05-29T16:30:23-03:00
CVE-2025-27533: Avoid memory allocation with excessive size value during unmarshalling of OpenWire commands. The size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (Closes: #1104933).
* CVE-2025-27533: Avoid memory allocation with excessive size value during
unmarshalling of OpenWire commands. The size value of buffers was not
properly validated which could lead to excessive memory allocation
and be exploited to cause a denial of service (Closes: #1104933).
- d/control: Add libjavassist-java as build dependency. It is needed for
the patch.
- - - - -
7177adc0 by Emmanuel Arias at 2025-05-31T19:59:03-03:00
prepare for release
- - - - -
1026777d by Emmanuel Arias at 2025-06-02T12:34:35-03:00
d/control: Add myself as uploaders.
- - - - -
70d67518 by Emmanuel Arias at 2025-06-02T12:35:06-03:00
prepare for release as Uploader
- - - - -
4 changed files:
- debian/changelog
- debian/control
- debian/patches/series
- + debian/patches/validate-size-of-buffers-during-unmarshalling.patch
Changes:
=====================================
debian/changelog
=====================================
@@ -1,10 +1,19 @@
-activemq (5.17.6+dfsg-2) UNRELEASED; urgency=medium
+activemq (5.17.6+dfsg-2) unstable; urgency=medium
- * Team upload
+ [ Pierre Gruet ]
* Removing the patch about missing Maven artifact as libxstream-java now
properly declares the classpath of its jar
- -- Pierre Gruet <pgt at debian.org> Tue, 08 Oct 2024 21:34:03 +0200
+ [Emmanuel Arias]
+ * CVE-2025-27533: Avoid memory allocation with excessive size value during
+ unmarshalling of OpenWire commands. The size value of buffers was not
+ properly validated which could lead to excessive memory allocation
+ and be exploited to cause a denial of service (Closes: #1104933).
+ - d/control: Add libjavassist-java as build dependency. It is needed for
+ the patch.
+ * d/control: Add myself as uploaders.
+
+ -- Emmanuel Arias <eamanu at debian.org> Thu, 29 May 2025 16:29:53 -0300
activemq (5.17.6+dfsg-1) unstable; urgency=medium
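Review bot: the new author header `+ [Emmanuel Arias]` has no spaces inside the brackets, while the header added just above it is `[ Pierre Gruet ]`; use `[ Emmanuel Arias ]` so both sections follow the same form. In the same section, `Add myself as uploaders` should read `Add myself to Uploaders`. The CVE entry would also be easier to audit if it named the patch file it adds (validate-size-of-buffers-during-unmarshalling.patch).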
=====================================
debian/control
=====================================
@@ -3,7 +3,8 @@ Section: java
Priority: optional
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Uploaders:
- Damien Raude-Morvan <drazzib at debian.org>
+ Damien Raude-Morvan <drazzib at debian.org>,
+ Emmanuel Arias <eamanu at debian.org>
Build-Depends:
ant,
debhelper-compat (= 13),
@@ -39,6 +40,7 @@ Build-Depends:
libjackson2-databind-java,
libjasypt-java (>= 1.9.3),
libjavacc-maven-plugin-java,
+ libjavassist-java,
libjaxb-java,
libjdom1-java (>= 1.0),
libjettison-java,
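Review bot: `+ libjavassist-java,` is justified only by the changelog's "It is needed for the patch", and the patch body is not part of this mail, so the reason for the new build dependency cannot be checked here. Say in the changelog or in the patch header what in the patch uses javassist; if it is only the patch's tests, restrict the entry with `<!nocheck>`, and if the patched code needs it at run time, the binary package's Depends needs it as well.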
=====================================
debian/patches/series
=====================================
@@ -4,3 +4,4 @@ activemq-client-jar.patch
disable-broker-test-dependency.patch
java11.patch
enable-activemq-jdbc-store-module.patch
+validate-size-of-buffers-during-unmarshalling.patch
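Review bot: the entry `+validate-size-of-buffers-during-unmarshalling.patch` cannot be verified from this notification, because the diff of the patch file is omitted as too large and it is the security-relevant part of the push. Make sure the patch carries DEP-3 headers (`Origin:` pointing at the upstream commit, `Bug-Debian:` for #1104933) so the backport can be compared against the upstream fix for CVE-2025-27533.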
=====================================
debian/patches/validate-size-of-buffers-during-unmarshalling.patch
=====================================
The diff for this file was not included because it is too large.
View it on GitLab: https://salsa.debian.org/java-team/activemq/-/compare/3d9d960aee89e6e61f118b1f639411bfa5617b48...70d675187a31ceb7c2e90eb81ae720da13baa40b
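The patch body is not shown in this notification. As an added illustration, not the Debian patch and not ActiveMQ's own code, this Java sketch shows the class of check the changelog entry describes: validating a declared buffer size before allocating. `BoundedUnmarshal`, `MAX_FRAME_SIZE` and the 4-byte length framing are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class BoundedUnmarshal {
    // Hypothetical limit for this sketch; a real broker would make it configurable.
    static final int MAX_FRAME_SIZE = 1 << 20;

    // Unchecked form: the peer-controlled length goes straight to the allocator,
    // so 4 bytes on the wire can request close to 2 GiB of heap.
    static byte[] readUnchecked(DataInputStream in) throws IOException {
        int size = in.readInt();
        byte[] data = new byte[size];
        in.readFully(data);
        return data;
    }

    // Checked form: reject the declared size before allocating anything.
    // remainingInFrame is the number of bytes the enclosing frame still holds.
    static byte[] readChecked(DataInputStream in, int remainingInFrame) throws IOException {
        int size = in.readInt();
        remainingInFrame -= Integer.BYTES;
        if (size < 0 || size > MAX_FRAME_SIZE || size > remainingInFrame) {
            throw new IOException("rejected declared buffer size " + size
                    + " (" + remainingInFrame + " bytes left in frame)");
        }
        byte[] data = new byte[size];
        in.readFully(data);
        return data;
    }

    static DataInputStream stream(byte[] b) {
        return new DataInputStream(new ByteArrayInputStream(b));
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a 4-byte big-endian length followed by the payload.
        byte[] ok = {0, 0, 0, 3, 'a', 'b', 'c'};
        byte[] oversized = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xf0}; // declares ~2 GiB, carries nothing

        System.out.println(new String(readChecked(stream(ok), ok.length), StandardCharsets.US_ASCII));
        try {
            readChecked(stream(oversized), oversized.length);
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```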