Bug#770780: Apache ActiveMQ Packaged with Old XStream Library

tony mancill tmancill at debian.org
Mon Nov 24 05:36:00 UTC 2014


On 11/23/2014 04:54 PM, Georgi Geshev wrote:
> Package: activemq
> Version: 5.6.0+dfsg-1
> 
> Apache ActiveMQ as packaged for Debian seems to ship with an old XStream
> (1.4.2) library[1][2] which allows for instantiating arbitrary classes.
> This could be leveraged for system command execution as demonstrated
> against versions before 1.4.7.

Hello Georgi,

Thank you for the bug report.  Could you confirm that this bug report is
for Debian stable (wheezy)?  Debian testing has had xstream 1.4.7 since
March of 2014.  Therefore, I believe this is a security bug against the
version of libxstream-java found in wheezy.

Note that activemq ships a symlink to /usr/share/java/xstream.jar and
not the JAR itself, which is installed by the libxstream-java package.
If you need an immediate fix, you should be able to install a newer
xstream [0] .deb (or symlink to another newer copy of xstream on your
system).

Thank you,
tony

[0] https://packages.qa.debian.org/libx/libxstream-java.html
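Added example, not from the bug report or the Debian packaging: a POSIX shell check that resolves the xstream.jar symlink tony describes and reports whether the JAR it points at predates 1.4.7, the version the report names as fixed. It assumes the real file follows Debian's xstream-<version>.jar naming and demonstrates on a constructed temp directory rather than the live /usr/share/java.

```shell
# Added example (not from the bug report or the Debian packaging): report which
# XStream JAR ActiveMQ really loads through the xstream.jar symlink and whether
# it predates 1.4.7. Assumes Debian's xstream-<version>.jar filename convention.

MIN_XSTREAM_VERSION="1.4.7"

# Print the version embedded in the resolved JAR filename, or "unknown".
xstream_version_of() {
    target=$(readlink -f -- "$1" 2>/dev/null) || target="$1"
    base=$(basename -- "$target")
    case "$base" in
        xstream-*.jar) printf '%s\n' "$base" | sed 's/^xstream-//; s/\.jar$//' ;;
        *) echo "unknown" ;;
    esac
}

# Succeed (exit 0) when dotted version $1 is >= $2, compared numerically
# component by component (portable awk instead of GNU sort -V).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Succeed when the JAR behind $1 resolves to XStream >= MIN_XSTREAM_VERSION.
xstream_jar_is_fixed() {
    v=$(xstream_version_of "$1")
    [ "$v" != "unknown" ] && version_at_least "$v" "$MIN_XSTREAM_VERSION"
}

# Constructed demo: a temp dir imitating the wheezy layout (symlink -> 1.4.2).
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/xstream-1.4.2.jar"
    ln -s "$tmp/xstream-1.4.2.jar" "$tmp/xstream.jar"
    if xstream_jar_is_fixed "$tmp/xstream.jar"; then
        echo "xstream.jar -> $(xstream_version_of "$tmp/xstream.jar"): ok"
    else
        echo "xstream.jar -> $(xstream_version_of "$tmp/xstream.jar"): older than $MIN_XSTREAM_VERSION, upgrade libxstream-java"
    fi
    rm -rf "$tmp"
}

demo
```

On a real host, call xstream_jar_is_fixed /usr/share/java/xstream.jar instead of demo.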
