+++ This bug was initially created as a clone of Bug #12934 +++ RedHat has issued an advisory on March 3: https://rhn.redhat.com/errata/RHSA-2014-0245.html It is not clear what any of the vulnerabilities listed have to do with the activemq package listed in the advisory. CVE-2013-4152 is for springframework, and we already fixed that one. CVE-2013-4330 and CVE-2013-0003 are for something called "Apache Camel" which I don't believe we have packaged and can't immediately see the relation to activemq. CVE-2013-2035 is for a Java class embedded in jansi, jline2, and jruby, all of which may require updates.
It looks like the actual activemq issues are listed in this advisory from July 9, 2013: https://rhn.redhat.com/errata/RHSA-2013-1029.html It appears that they are fixed upstream in 5.8.0 and that they have not been addressed in Fedora either. If this package is unmaintained, it should be dropped (in both distros). As for jansi/jline2/jruby, it looks like the *binary* versions of those are affected as they bundle each other (jruby bundles jline2 which bundles jansi which bundles the affected hawtjni), but the source versions don't actually bundle the affected code. So, what we really have here is CVE-2013-2035 for hawtjni, which we do have packaged. It was fixed upstream in 1.8, so only Mageia 3 is affected.
Assignee: bugsquad => dmorganec
Depends on: 12934 => (none)
Source RPM: hawtjni-1.6-1.mga3.src.rpm => activemq-5.6.0-12.mga5.src.rpm
Whiteboard: (none) => MGA4TOO, MGA3TOO
I've split this bug out to handle the activemq issues. See the advisory linked in Comment 1. Most likely the only solution is dropping this package (not required by anything else).
Dropped from cauldron.
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
CC: (none) => mageia
Version: Cauldron => 4
Actually, CVE-2013-1879 and CVE-2013-1880 were fixed in 5.9.0, and CVE-2012-6092, CVE-2012-6551, and CVE-2013-3060 were fixed in 5.8.0. Dropping Mageia 3 from the whiteboard due to EOL.
Severity: normal => critical
Whiteboard: MGA3TOO => (none)
CVE-2014-3600, CVE-2014-3612 and CVE-2014-8110 are fixed in 5.11.0:
http://openwall.com/lists/oss-security/2015/02/05/7
http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt
http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt
http://activemq.apache.org/security-advisories.data/CVE-2014-8110-announcement.txt
CVE-2014-3576, CVE-2014-3612, CVE-2014-3600: http://lwn.net/Vulnerabilities/654059/
Debian has issued an advisory for this on August 7: https://www.debian.org/security/2015/dsa-3330
CVE-2015-1830: http://openwall.com/lists/oss-security/2015/08/17/2 Fixed in 5.11.2 and 5.12.0.
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it. This package has been dropped and no longer exists in Mageia as of Mageia 5. Closing this as OLD.
Status: NEW => RESOLVED
Resolution: (none) => OLD
CVE-2015-6524, fixed in 5.10.1: http://lwn.net/Vulnerabilities/659274/
CVE-2016-0734 and CVE-2016-0782, fixed in 5.13.2:
http://openwall.com/lists/oss-security/2016/03/10/11
http://openwall.com/lists/oss-security/2016/03/10/10