Hi Tim, yes, it prevents untrusted classes deserializing inside the broker, including when you want to look at them in the web console.
Regards
--
Dejan Bosanac
about.me/dejanb

On Tue, Dec 8, 2015 at 10:27 PM, Tim Bain <tb...@alumni.duke.edu> wrote:

> The mitigation section simply says to upgrade to 5.13.0, which implies that
> 5.13.0 fixes all categories of this problem, including webconsole. Is that
> accurate?
>
> Tim
> On Dec 8, 2015 10:09 AM, "Dejan Bosanac" <de...@nighttale.net> wrote:
>
> > Hi,
> >
> > this has just been announced with its own CVE-2015-5254. More info can be
> > found at
> >
> > http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
> >
> > Regards
> > --
> > Dejan Bosanac
> > about.me/dejanb
> >
> > On Tue, Dec 8, 2015 at 4:41 PM, iali <i...@arcsolutions.com> wrote:
> >
> > > Thanks Tim,
> > >
> > > I did have a look at that site and it has got a comprehensive explanation
> > > against this vulnerability. Also I have been having a discussion under
> > > AMQ-6013 <https://issues.apache.org/jira/browse/AMQ-6013> and it seems
> > > that we can use CVE-2015-4852 based on comment in
> > >
> > > https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046732#comment-15046732
> > >
> > > --
> > > View this message in context:
> > > http://activemq.2283324.n4.nabble.com/Java-December-vulnerability-tp4704610p4704781.html
> > > Sent from the ActiveMQ - User mailing list archive at Nabble.com.