Date: Fri, 25 Mar 2016 17:04:02 +0000 (UTC)
From: Tom Judge <tj@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r411865 - head/security/vuxml
Message-ID: <201603251704.u2PH42Ic021789@repo.freebsd.org>
Author: tj
Date: Fri Mar 25 17:04:02 2016
New Revision: 411865

URL: https://svnweb.freebsd.org/changeset/ports/411865

Log:
  Document multiple activemq vulnerabilities:

  CVE-2016-0782 - ActiveMQ Web Console - Cross-Site Scripting
  CVE-2016-0734 - ActiveMQ Web Console - Clickjacking
  CVE-2015-5254 - Unsafe deserialization in ActiveMQ

  PR:		208163
  PR:		208193
  Security:	CVE-2015-5254
  Security:	http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
  Security:	CVE-2016-0782
  Security:	http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt
  Security:	CVE-2016-0734
  Security:	http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Mar 25 17:00:23 2016	(r411864)
+++ head/security/vuxml/vuln.xml	Fri Mar 25 17:04:02 2016	(r411865)
@@ -58,6 +58,98 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="a258604d-f2aa-11e5-b4a9-ac220bdcec59"> + <topic>activemq -- Unsafe deserialization</topic> + <affects> + <package> + <name>activemq</name> + <range><lt>5.13.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Alvaro Muatoz, Matthias Kaiser and Christian Schneider reports:</p> + <blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"> + <p>JMS Object messages depends on Java Serialization for + marshaling/unmashaling of the message payload. There are a couple of places + inside the broker where deserialization can occur, like web console or stomp + object message transformation. As deserialization of untrusted data can leaed to + security flaws as demonstrated in various reports, this leaves the broker + vunerable to this attack vector. Additionally, applications that consume + ObjectMessage type of messages can be vunerable as they deserlize objects on + ObjectMessage.getObject() calls.</p> + </blockquote> + </body> + </description> + <references> + <url>http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt</url> + <cvename>CVE-2015-5254</cvename> + </references> + <dates> + <discovery>2016-01-08</discovery> + <entry>2016-03-25</entry> + </dates> + </vuln> + + <vuln vid="950b2d60-f2a9-11e5-b4a9-ac220bdcec59"> + <topic>activemq -- Web Console Clickjacking</topic> + <affects> + <package> + <name>activemq</name> + <range><lt>5.13.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Michael Furman reports:</p> + <blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt"> + <p>The web based administration console does not set the + X-Frame-Options header in HTTP responses. 
This allows the console to be embedded + in a frame or iframe which could then be used to cause a user to perform an + unintended action in the console.</p> + </blockquote> + </body> + </description> + <references> + <url>http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt</url> + <cvename>CVE-2016-0734</cvename> + </references> + <dates> + <discovery>2016-03-10</discovery> + <entry>2016-03-25</entry> + </dates> + </vuln> + + <vuln vid="a6cc5753-f29e-11e5-b4a9-ac220bdcec59"> + <topic>activemq -- Web Console Cross-Site Scripting</topic> + <affects> + <package> + <name>activemq</name> + <range><lt>5.13.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Vladimir Ivanov (Positive Technologies) reports:</p> + <blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt"> + <p>Several instances of cross-site scripting vulnerabilities were + identified to be present in the web based administration console as well as the + ability to trigger a Java memory dump into an arbitrary folder. The root cause + of these issues are improper user data output validation and incorrect + permissions configured on Jolokia.</p> + </blockquote> + </body> + </description> + <references> + <url>http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt</url> + <cvename>CVE-2016-0782</cvename> + </references> + <dates> + <discovery>2016-03-10</discovery> + <entry>2016-03-25</entry> + </dates> + </vuln> + <vuln vid="7033b42d-ef09-11e5-b766-14dae9d210b8"> <topic>pcre -- stack buffer overflow</topic> <affects>
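Review bot: the CVE-2015-5254 entry in this hunk carries several misspellings inside the quoted advisory text that should be checked against the cited announcement before this lands: the credit line "Alvaro Muatoz" looks like a mis-encoded "Muñoz" (write the ñ directly or as the &#241; entity so it survives in vuln.xml), and the quoted paragraph has "unmashaling", "leaed", "vunerable" (twice) and "deserlize"; if the announcement itself spells these correctly, so should the blockquote, since it is presented as a verbatim quote. The same entry's <discovery> date of 2016-01-08 on a 2015 CVE whose fix range is <lt>5.13.0</lt> also looks later than the announcement and is worth verifying against that source, while the two web-console entries give the same 2016-03-10 discovery date for both CVE-2016-0734 and CVE-2016-0782, which is plausible for a joint release but should likewise be confirmed.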