Bug#908950: activemq: CVE-2018-11775: ActiveMQ Client: Missing TLS Hostname Verification
Salvatore Bonaccorso
carnil at debian.org
Sun Sep 16 15:32:26 BST 2018
Source: activemq
Version: 5.14.3-3
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for activemq.
CVE-2018-11775[0]:
| TLS hostname verification when using the Apache ActiveMQ Client before
| 5.15.6 was missing which could make the client vulnerable to a MITM
| attack between a Java application using the ActiveMQ client and the
| ActiveMQ server. This is now enabled by default.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-11775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11775
[1] http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list