On 11/23/2014 04:54 PM, Georgi Geshev wrote:
> Package: activemq
> Version: 5.6.0+dfsg-1
>
> Apache ActiveMQ as packaged for Debian seems to ship with an old XStream
> (1.4.2) library[1][2] which allows for instantiating arbitrary classes.
> This could be leveraged for system command execution as demonstrated
> against versions before 1.4.7.
Hello Georgi,

Thank you for the bug report. Could you confirm that this bug report is for Debian stable (wheezy)? Debian testing has had xstream 1.4.7 since March of 2014. Therefore, I believe this is a security bug against the version of libxstream-java found in wheezy.

Note that activemq ships a symlink to /usr/share/java/xstream.jar and not the JAR itself, which is installed by the libxstream-java package. If you need an immediate fix, you should be able to install a newer xstream [0] .deb (or symlink to another newer copy of xstream on your system).

Thank you,
tony

[0] https://packages.qa.debian.org/libx/libxstream-java.html
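As an added example (not part of the bug report or of the Debian packaging), this is the type allow-list configuration that XStream 1.4.7 introduced to address the "instantiating arbitrary classes" behaviour described above; the `Greeting` class and both XML documents are constructed for illustration, and the code assumes XStream 1.4.7 or newer on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowList {
    // Constructed example type: the only application class we expect to receive.
    public static class Greeting {
        String text;
    }

    // Build an XStream instance that refuses every type except the ones listed.
    // Before 1.4.7 (e.g. the 1.4.2 shipped with wheezy) there was no such
    // restriction: any class named in the document could be instantiated.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny everything first
        xs.addPermission(NullPermission.NULL);                // then re-allow null
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // and primitives/boxed types
        xs.allowTypes(new Class[] { Greeting.class, String.class });
        xs.alias("greeting", Greeting.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed benign document: the expected type deserializes normally.
        Greeting g = (Greeting) xs.fromXML("<greeting><text>hi</text></greeting>");
        System.out.println("deserialized: " + g.text);

        // Constructed document naming a class that is not on the allow-list
        // (a harmless JDK class stands in for anything unexpected). The
        // hardened instance rejects it before any object is created; XStream
        // reports this as a ForbiddenClassException, a subclass of XStreamException.
        try {
            xs.fromXML("<java.util.HashMap/>");
            System.out.println("UNEXPECTED: type outside the allow-list was accepted");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The same allow-list can be applied to the XStream instance ActiveMQ's XML transport uses, but the library on the classpath must be 1.4.7 or newer for `addPermission`/`allowTypes` to exist, which is why upgrading libxstream-java is the prerequisite.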