[Git][java-team/activemq][bullseye] 2 commits: d/control: Add libjavassist-java as build dependency. It is needed for the patch.

Emmanuel Arias (@eamanu) gitlab at salsa.debian.org
Mon Jun 16 20:33:17 BST 2025



Emmanuel Arias pushed to branch bullseye at Debian Java Maintainers / activemq


Commits:
9daf4684 by Emmanuel Arias at 2025-06-16T16:32:35-03:00
d/control: Add libjavassist-java as build dependency. It is needed for the patch.

- - - - -
8473f04f by Emmanuel Arias at 2025-06-16T16:33:06-03:00
Fix CVE-2025-27533.patch, no d/changelog entry needed

- - - - -


3 changed files:

- debian/changelog
- debian/control
- debian/patches/CVE-2025-27533.patch


Changes:

=====================================
debian/changelog
=====================================
@@ -5,6 +5,8 @@ activemq (5.16.1-1+deb11u2) bullseye-security; urgency=high
     unmarshalling of OpenWire commands. The size value of buffers was not
     properly validated which could lead to excessive memory allocation
     and be exploited to cause a denial of service (Closes: #1104933).
+    - d/control: Add libjavassist-java as build dependency. It is needed for
+    the patch.
 
  -- Emmanuel Arias <eamanu at debian.org>  Fri, 13 Jun 2025 07:36:16 -0300
 


=====================================
debian/control
=====================================
@@ -38,6 +38,7 @@ Build-Depends:
  libjackson2-databind-java,
  libjasypt-java (>= 1.9.3),
  libjavacc-maven-plugin-java,
+ libjavassist-java,
  libjaxb-java,
  libjdom1-java (>= 1.0),
  libjettison-java,
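Review bot: The new `libjavassist-java` build dependency is justified only as "needed for the patch", and none of the patch hunks shown in this commit reference javassist, so a reader cannot tell which part needs it. Name the class or test that pulls it in, either in the changelog entry or in the patch header. If it turns out to be used only by the test suite, restricting it as `libjavassist-java <!nocheck>,` keeps it out of builds that skip tests.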


=====================================
debian/patches/CVE-2025-27533.patch
=====================================
@@ -105,7 +105,7 @@ the overall frame size
  
 --- a/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireFormat.java
 +++ b/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireFormat.java
-@@ -48,7 +48,7 @@
+@@ -48,25 +48,35 @@
      private static final int MARSHAL_CACHE_SIZE = Short.MAX_VALUE / 2;
      private static final int MARSHAL_CACHE_FREE_SPACE = 100;
  
@@ -114,7 +114,12 @@ the overall frame size
      private int version;
      private boolean stackTraceEnabled;
      private boolean tcpNoDelayEnabled;
-@@ -60,13 +60,22 @@
+     private boolean cacheEnabled;
+     private boolean tightEncodingEnabled;
+     private boolean sizePrefixDisabled;
++    private boolean maxFrameSizeEnabled = true;
+     private long maxFrameSize = DEFAULT_MAX_FRAME_SIZE;
+ 
      // The following fields are used for value caching
      private short nextMarshallCacheIndex;
      private short nextMarshallCacheEvictionIndex;
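Review bot: `maxFrameSizeEnabled` is added as a mutable field defaulting to `true`, but the only accessor in the visible hunks is the getter `isMaxFrameSizeEnabled()` in the `@@ -605,6 +614,10 @@` hunk; no setter appears. If the rest of the patch does not add one, the flag can never change, so either declare it `private final boolean maxFrameSizeEnabled = true;` or add the matching setter beside the `maxFrameSize` setter whose tail is visible in that hunk. A short comment on the field, for example `// When true, frames larger than maxFrameSize are rejected during unmarshal (CVE-2025-27533)`, would also show that disabling it removes the size check. The code that reads the flag is outside these hunks, so confirm that wording against the unmarshal path.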
@@ -140,7 +145,7 @@ the overall frame size
      public OpenWireFormat() {
          this(DEFAULT_STORE_VERSION);
      }
-@@ -183,26 +192,23 @@
+@@ -183,26 +193,22 @@
      @Override
      public synchronized Object unmarshal(ByteSequence sequence) throws IOException {
          bytesIn.restart(sequence);
@@ -170,7 +175,6 @@ the overall frame size
 +        } finally {
 +            // After we unmarshal we can clear the context
 +            marshallingContext.remove();
-+           }
          }
 -
 -        Object command = doUnmarshal(bytesIn);
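Review bot: The closing brace of the new `try`/`finally` in `unmarshal` comes from a context line of the inner patch rather than an added line, which is presumably how the extra `+ }` removed here got in. The `@@` counts at `-48,25 +48,35`, `-183,26 +193,22`, `-671,4 +684,47` and `-15,10 +15,56` had to be recounted alongside it. Regenerating the file with `quilt refresh` from the edited source tree, instead of editing the patch text, would keep counts and braces consistent. The body of `unmarshal` continues outside this hunk, so the brace balance of the result cannot be confirmed from what is shown.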
@@ -225,7 +229,18 @@ the overall frame size
          byte dataType = dis.readByte();
          if (dataType != NULL_TYPE) {
              DataStreamMarshaller dsm = dataMarshallers[dataType & 0xFF];
-@@ -671,4 +680,47 @@
+@@ -605,6 +614,10 @@
+         this.maxFrameSize = maxFrameSize;
+     }
+ 
++    public boolean isMaxFrameSizeEnabled() {
++        return maxFrameSizeEnabled;
++    }
++
+     public void renegotiateWireFormat(WireFormatInfo info) throws IOException {
+ 
+         if (preferedWireFormatInfo == null) {
+@@ -671,4 +684,47 @@
          }
          return version2;
      }
@@ -275,11 +290,12 @@ the overall frame size
  }
 --- a/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
 +++ b/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
-@@ -15,10 +15,55 @@
+@@ -15,10 +15,56 @@
   * limitations under the License.
   */
  package org.apache.activemq.openwire;
 +import java.io.IOException;
++import org.apache.activemq.util.IOExceptionSupport;
  
  public class OpenWireUtil {
  



View it on GitLab: https://salsa.debian.org/java-team/activemq/-/compare/712ee7ba137cb253d447da1aaf3d959d0149a914...8473f04fdc8d6d59752a994a28fef55ad8520858
