Package: activemq / 5.6.0+dfsg1-4+deb8u3

Metadata

Package: activemq
Version: 5.6.0+dfsg1-4+deb8u3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
drop_derby_use.diff | (download)

activemq-core/src/main/java/org/apache/activemq/store/jdbc/DataSourceSupport.java | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

 drop usage of derby inside 
 activemq-core/src/main/java/org/apache/activemq/store/jdbc/DataSourceSupport.java
disable_some_modules.diff | (download)

pom.xml | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 only enable some modules for now
exclude_geronimo_jca.diff | (download)

activemq-pool/pom.xml | 15 15 + 0 - 0 !
activemq-spring/src/main/java/org/apache/activemq/pool/PooledConnectionFactoryBean.java | 4 2 + 2 - 0 !
2 files changed, 17 insertions(+), 2 deletions(-)

 disabled usage of geronimo jca provider
 because it's not yet in Debian.
exclude_spring_osgi.diff | (download)

activemq-spring/src/main/java/org/apache/activemq/hooks/SpringContextHook.java | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 disable spring osgi support
 because it's not yet in Debian.
javadoc_links.diff | (download)

activemq-core/pom.xml | 2 1 + 1 - 0 !
pom.xml | 16 8 + 8 - 0 !
2 files changed, 9 insertions(+), 9 deletions(-)

 use javadoc installed system-wide for html links.
init_debian_default_values.diff | (download)

assembly/src/release/bin/activemq | 65 21 + 44 - 0 !
1 file changed, 21 insertions(+), 44 deletions(-)

 init script for activemq : use default values compliant with
 Debian installation.
 ACTIVEMQ_HOME=/usr/share/activemq
 ACTIVEMQ_BASE="/var/lib/activemq"
 ACTIVEMQ_CONFIG_DIR="/etc/activemq"
 ACTIVEMQ_PIDFILE="/var/run/activemq.pid"
 JAVA_HOME="/usr/lib/jvm/java-6-openjdk/"
 Create data directory and chown to $ACTIVEMQ_USER
activemq admin.patch | (download)

assembly/src/release/bin/activemq-admin | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix running activemq-admin without any argument
 which led to "132: [: =: unexpected operator".
exclude_mqtt.diff | (download)

activemq-core/pom.xml | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 disable mqtt transport (new feature of 5.6 release)
 because it depends on non-existing library in Debian.
exclude_leveldb.diff | (download)

activemq-core/pom.xml | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 disable leveldb store (new feature of 5.6 release)
 because it depends on non-existing library in Debian.
CVE 2014 3600.patch | (download)

activemq-core/src/main/java/org/apache/activemq/filter/XPathExpression.java | 57 55 + 2 - 0 !
activemq-core/src/main/java/org/apache/activemq/filter/XalanXPathEvaluator.java | 67 25 + 42 - 0 !
activemq-optional/src/main/java/org/apache/activemq/filter/JAXPXPathEvaluator.java | 12 8 + 4 - 0 !
3 files changed, 88 insertions(+), 48 deletions(-)

 Fix CVE-2014-3600: XML external entity expansion when evaluating XPath expressions.
 This patch can be removed after upgrading to ActiveMQ 5.10.1 or later.
CVE 2014 3612.patch | (download)

activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java | 8 6 + 2 - 0 !
activemq-core/src/test/java/org/apache/activemq/security/LDAPSecurityTest.java | 2 1 + 1 - 0 !
activemq-core/src/test/resources/login.config | 19 19 + 0 - 0 !
activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java | 11 8 + 3 - 0 !
activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java | 27 27 + 0 - 0 !
activemq-jaas/src/test/resources/login.config | 19 19 + 0 - 0 !
activemq-unit-tests/src/test/java/org/apache/activemq/security/LDAPAuthenticationTest.java | 83 83 + 0 - 0 !
activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-ldap-auth.xml | 46 46 + 0 - 0 !
8 files changed, 209 insertions(+), 6 deletions(-)

 Fix CVE-2014-3612: ActiveMQ JAAS: LDAPLoginModule allows empty password authentication.
 This patch can be removed after upgrading to ActiveMQ 5.10.1 or later.
CVE 2014 3576.patch | (download)

activemq-core/src/main/java/org/apache/activemq/broker/TransportConnection.java | 4 0 + 4 - 0 !
1 file changed, 4 deletions(-)

 Fix for CVE-2014-3576: DoS via unauthenticated remote shutdown command
CVE 2015 5254.patch | (download)

activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java | 5 3 + 2 - 0 !
activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java | 47 47 + 0 - 0 !
activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java | 48 44 + 4 - 0 !
activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java | 29 28 + 1 - 0 !
activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java | 4 2 + 2 - 0 !
5 files changed, 124 insertions(+), 9 deletions(-)

 CVE-2015-5254

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be
serialized in the broker, which allows remote attackers to execute arbitrary
code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

CVE 2015 7559.patch | (download)

activemq-core/src/main/java/org/apache/activemq/ActiveMQConnection.java | 18 0 + 18 - 0 !
1 file changed, 18 deletions(-)

 CVE-2015-7559

Bug-Debian: https://bugs.debian.org/860866
Bug-Upstream: https://issues.apache.org/jira/browse/AMQ-6470