Also, this fix will be included in 5.12.2 as well when that is released.

On Wed, Dec 9, 2015 at 5:41 AM, Dejan Bosanac <de...@nighttale.net> wrote:

> Hi Tim, yes, it prevents untrusted classes deserializing inside the broker,
> including when you want to look at them in the web console.
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb
>
> On Tue, Dec 8, 2015 at 10:27 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
>
> > The mitigation section simply says to upgrade to 5.13.0, which implies that
> > 5.13.0 fixes all categories of this problem, including webconsole.  Is that
> > accurate?
> >
> > Tim
> > On Dec 8, 2015 10:09 AM, "Dejan Bosanac" <de...@nighttale.net> wrote:
> >
> > > Hi,
> > >
> > > this has just been announced with its own CVE-2015-5254. More info can be
> > > found at
> > >
> > > http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
> > >
> > > Regards
> > > --
> > > Dejan Bosanac
> > > about.me/dejanb
> > >
> > > On Tue, Dec 8, 2015 at 4:41 PM, iali <i...@arcsolutions.com> wrote:
> > >
> > > > Thanks Tim,
> > > >
> > > > I did have a look at that site and it has got a comprehensive explanation
> > > > against this vulnerability. Also I have been having a discussion under
> > > > AMQ-6013 <https://issues.apache.org/jira/browse/AMQ-6013> and it seems
> > > > that we can use CVE-2015-4852 based on the comment in
> > > >
> > > > https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046732#comment-15046732
> > > >
> > > >
> > > >
> > > > --
> > > > View this message in context:
> > > > http://activemq.2283324.n4.nabble.com/Java-December-vulnerability-tp4704610p4704781.html
> > > > Sent from the ActiveMQ - User mailing list archive at Nabble.com.
> > > >
> > >
> >
>
