Bug#770780: Apache ActiveMQ Packaged with Old XStream Library

Georgi Geshev georgi.geshev at mwrinfosecurity.com
Tue Dec 2 16:31:00 UTC 2014


Hello Tony,

You are right, XStream 1.4.2 is only packaged for stable; testing and unstable ship 1.4.7. Backporting the security fix or upgrading the stable version is still something to consider, though.

Thanks,
G.

________________________________________
From: tony mancill <tmancill at debian.org>
Sent: Monday, November 24, 2014 5:36 AM
To: Georgi Geshev; 770780 at bugs.debian.org
Subject: Re: Bug#770780: Apache ActiveMQ Packaged with Old XStream Library

On 11/23/2014 04:54 PM, Georgi Geshev wrote:
> Package: activemq
> Version: 5.6.0+dfsg-1
>
> Apache ActiveMQ as packaged for Debian seems to ship with an old XStream
> (1.4.2) library[1][2] which allows for instantiating arbitrary classes.
> This could be leveraged for system command execution as demonstrated
> against versions before 1.4.7.

Hello Georgi,

Thank you for the bug report.  Could you confirm that this bug report is
for Debian stable (wheezy)?  Debian testing has had xstream 1.4.7 since
March of 2014.  Therefore, I believe this is a security bug against the
version of libxstream-java found in wheezy.

Note that activemq ships a symlink to /usr/share/java/xstream.jar and
not the JAR itself, which is installed by the libxstream-java package.
If you need an immediate fix, you should be able to install a newer
xstream [0] .deb (or symlink to another newer copy of xstream on your
system).

Thank you,
tony

[0] https://packages.qa.debian.org/libx/libxstream-java.html
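
Added example, not part of the thread and not the maintainers' own tooling: a shell check for the situation described above, where activemq only symlinks to /usr/share/java/xstream.jar and the real JAR comes from libxstream-java or from a hand-made symlink. The function names are hypothetical, the 1.4.7 threshold is the one quoted in the thread, and `sort -V` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: report which XStream a jar path resolves to on a Debian host.
# Function names are hypothetical; the 1.4.7 threshold is the one quoted in the thread.
FIXED_UPSTREAM="1.4.7"

# Strip Debian epoch and revision: "1:1.4.2-1" -> "1.4.2"
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%-*}"
}

# True when $1 sorts strictly before $2 (needs sort -V, as in GNU coreutils)
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Map a Debian package version string to "affected" or "ok"
classify_xstream() {
    if version_lt "$(upstream_version "$1")" "$FIXED_UPSTREAM"; then
        echo "affected"
    else
        echo "ok"
    fi
}

# Follow the symlink chain, find the owning package, classify its version.
audit_xstream() {
    jar=${1:-/usr/share/java/xstream.jar}
    real=$(readlink -f "$jar")
    [ -f "$real" ] || { echo "missing $jar"; return 2; }
    pkg=$(dpkg -S "$real" 2>/dev/null | head -n 1 | cut -d: -f1)
    # A hand-made symlink to a jar outside any package needs a manual check.
    [ -n "$pkg" ] || { echo "unpackaged $real"; return 0; }
    ver=$(dpkg-query -W -f='${Version}' "$pkg")
    echo "$real $pkg $ver $(classify_xstream "$ver")"
}
```

A backported security fix would keep the 1.4.2 upstream version, so an "affected" result on stable should be confirmed against the package changelog rather than taken as final.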




More information about the pkg-java-maintainers mailing list