Bug 14377

Summary: activemq possible security vulnerabilities
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: D Morgan <dmorganec>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: mageia
Version: 4   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/589236/
Whiteboard:
Source RPM: activemq-5.6.0-12.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-10-26 16:19:06 CET 
+++ This bug was initially created as a clone of Bug #12934 +++

RedHat has issued an advisory on March 3:
https://rhn.redhat.com/errata/RHSA-2014-0245.html

It is not clear what any of the vulnerabilities listed have to do with the activemq package listed in the advisory.

CVE-2013-4152 is for springframework, and we already fixed that one.

CVE-2013-4330 and CVE-2013-0003 are for something called "Apache Camel" which I don't believe we have packaged and can't immediately see the relation to activemq.

CVE-2013-2035 is for a Java class embedded in jansi, jline2, and jruby, all of which may require updates.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-10-26 16:20:22 CET 
It looks like the actual activemq issues are listed in this advisory from July 9, 2013:
https://rhn.redhat.com/errata/RHSA-2013-1029.html

It appears that they are fixed upstream in 5.8.0 and that they have not been addressed in Fedora either.  If this package is unmaintained, it should be dropped (in both distros).

As for jansi/jline2/jruby, it looks like the *binary* versions of those are affected as they bundle each other (jruby bundles jline2 which bundles jansi which bundles the affected hawtjni), but the source versions don't actually bundle the affected code.

So, what we really have here is CVE-2013-2035 for hawtjni, which we do have packaged.  It was fixed upstream in 1.8, so only Mageia 3 is affected.

Assignee: bugsquad => dmorganec
Depends on: 12934 => (none)
Source RPM: hawtjni-1.6-1.mga3.src.rpm => activemq-5.6.0-12.mga5.src.rpm
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 2 David Walser 2014-10-26 16:21:24 CET 
I've split this bug out to handle the activemq issues.  See the advisory linked in Comment 1.  Most likely the only solution is dropping this package (not required by anything else).
Comment 3 Sander Lepik 2014-11-22 15:58:27 CET 
Dropped from cauldron.

Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
CC: (none) => mageia
Version: Cauldron => 4

Comment 4 David Walser 2014-12-27 23:19:10 CET 
Actually, CVE-2013-1879 and CVE-2013-1880 were fixed in 5.9.0, and CVE-2012-6092, CVE-2012-6551, and CVE-2013-3060 were fixed in 5.8.0.

Dropping Mageia 3 from the whiteboard due to EOL.

Severity: normal => critical

David Walser 2014-12-27 23:19:22 CET

Whiteboard: MGA3TOO => (none)

Comment 6 David Walser 2015-08-10 19:03:17 CEST 
CVE-2014-3576 CVE-2014-3612 CVE-2014-3600:
http://lwn.net/Vulnerabilities/654059/

Debian has issued an advisory for this on August 7:
https://www.debian.org/security/2015/dsa-3330
Comment 7 David Walser 2015-08-18 00:00:48 CEST 
CVE-2015-1830:
http://openwall.com/lists/oss-security/2015/08/17/2

Fixed in 5.11.2 and 5.12.0.
Comment 8 David Walser 2015-09-02 17:36:25 CEST 
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it.  This package has been dropped and no longer exists in Mageia as of Mageia 5.  Closing this as OLD.

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 9 David Walser 2015-10-05 23:05:06 CEST 
CVE-2015-6524, fixed in 5.10.1:
http://lwn.net/Vulnerabilities/659274/
Comment 10 David Walser 2016-03-10 16:03:20 CET 
CVE-2016-0734 and CVE-2016-0782, fixed in 5.13.2:
http://openwall.com/lists/oss-security/2016/03/10/11
http://openwall.com/lists/oss-security/2016/03/10/10