Bug#908950: activemq: CVE-2018-11775: ActiveMQ Client: Missing TLS Hostname Verification

Salvatore Bonaccorso carnil at debian.org
Sun Sep 16 15:32:26 BST 2018


Source: activemq
Version: 5.14.3-3
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for activemq.

CVE-2018-11775[0]:
| TLS hostname verification when using the Apache ActiveMQ Client before
| 5.15.6 was missing which could make the client vulnerable to a MITM
| attack between a Java application using the ActiveMQ client and the
| ActiveMQ server. This is now enabled by default.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11775
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11775
[1] http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt

Regards,
Salvatore



More information about the pkg-java-maintainers mailing list