[Git][java-team/activemq][master] 4 commits: CVE-2025-27533: Avoid memory allocation with excessive size value during...

Emmanuel Arias (@eamanu) gitlab at salsa.debian.org
Mon Jun 2 16:37:39 BST 2025 


Emmanuel Arias pushed to branch master at Debian Java Maintainers / activemq


Commits:
622badd3 by Emmanuel Arias at 2025-05-29T16:30:23-03:00
CVE-2025-27533: Avoid memory allocation with excessive size value during unmarshalling of OpenWire commands. The size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (Closes: #1104933).

* CVE-2025-27533: Avoid memory allocation with excessive size value during
  unmarshalling of OpenWire commands. The size value of buffers was not
  properly validated which could lead to excessive memory allocation
  and be exploited to cause a denial of service (Closes: #1104933).
  - d/control: Add libjavassist-java as build dependency. It is needed for
  the patch.

- - - - -
7177adc0 by Emmanuel Arias at 2025-05-31T19:59:03-03:00
prepare for release

- - - - -
1026777d by Emmanuel Arias at 2025-06-02T12:34:35-03:00
d/control: Add myself as uploaders.

- - - - -
70d67518 by Emmanuel Arias at 2025-06-02T12:35:06-03:00
prepare for release as Uploader

- - - - -


4 changed files:

- debian/changelog
- debian/control
- debian/patches/series
- + debian/patches/validate-size-of-buffers-during-unmarshalling.patch


Changes:

=====================================
debian/changelog
=====================================
@@ -1,10 +1,19 @@
-activemq (5.17.6+dfsg-2) UNRELEASED; urgency=medium
+activemq (5.17.6+dfsg-2) unstable; urgency=medium
 
-  * Team upload
+  [ Pierre Gruet ]
   * Removing the patch about missing Maven artifact as libxstream-java now
     properly declares the classpath of its jar
 
- -- Pierre Gruet <pgt at debian.org>  Tue, 08 Oct 2024 21:34:03 +0200
+  [Emmanuel Arias]
+  * CVE-2025-27533: Avoid memory allocation with excessive size value during
+    unmarshalling of OpenWire commands. The size value of buffers was not
+    properly validated which could lead to excessive memory allocation
+    and be exploited to cause a denial of service (Closes: #1104933).
+    - d/control: Add libjavassist-java as build dependency. It is needed for
+    the patch.
+  * d/control: Add myself as uploaders.
+
+ -- Emmanuel Arias <eamanu at debian.org>  Thu, 29 May 2025 16:29:53 -0300
 
 activemq (5.17.6+dfsg-1) unstable; urgency=medium
 


=====================================
debian/control
=====================================
@@ -3,7 +3,8 @@ Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
 Uploaders:
- Damien Raude-Morvan <drazzib at debian.org>
+ Damien Raude-Morvan <drazzib at debian.org>,
+ Emmanuel Arias <eamanu at debian.org>
 Build-Depends:
  ant,
  debhelper-compat (= 13),
@@ -39,6 +40,7 @@ Build-Depends:
  libjackson2-databind-java,
  libjasypt-java (>= 1.9.3),
  libjavacc-maven-plugin-java,
+ libjavassist-java,
  libjaxb-java,
  libjdom1-java (>= 1.0),
  libjettison-java,


=====================================
debian/patches/series
=====================================
@@ -4,3 +4,4 @@ activemq-client-jar.patch
 disable-broker-test-dependency.patch
 java11.patch
 enable-activemq-jdbc-store-module.patch
+validate-size-of-buffers-during-unmarshalling.patch


=====================================
debian/patches/validate-size-of-buffers-during-unmarshalling.patch
=====================================
The diff for this file was not included because it is too large.


View it on GitLab: https://salsa.debian.org/java-team/activemq/-/compare/3d9d960aee89e6e61f118b1f639411bfa5617b48...70d675187a31ceb7c2e90eb81ae720da13baa40b

-- 
View it on GitLab: https://salsa.debian.org/java-team/activemq/-/compare/3d9d960aee89e6e61f118b1f639411bfa5617b48...70d675187a31ceb7c2e90eb81ae720da13baa40b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20250602/5fe2ae5a/attachment.htm>

More information about the pkg-java-commits mailing list