Sorry, please don't respond to that message on-list; please provide any response to secur...@activemq.apache.org.
On Sep 27, 2016 9:31 PM, "Tim Bain" <tb...@alumni.duke.edu> wrote:
> Benjamin, did your comment indicate that you have reproduced the
> vulnerability in 5.14.0, even though it includes a version of Jetty that
> Chris indicates should be unaffected?
>
> Tim
>
> On Sep 27, 2016 9:52 AM, "Christopher Shannon" <christopher.l.shan...@gmail.com> wrote:
>
>> First, for security vulnerabilities please follow this guide in the future:
>> http://www.apache.org/security/committers.html
>>
>> Second, the version that is bundled with ActiveMQ 5.14.0 is version
>> 9.2.13.v20150730 and the vulnerability was fixed in version 9.2.9, so there
>> should not be an issue.
>>
>> On Tue, Sep 27, 2016 at 10:55 AM, beku <benjamin.ku...@siemens.com> wrote:
>>
>> > Hi everybody,
>> >
>> > it seems the Jetty server bundled with the latest activemq release (5.14.0)
>> > is prone to the jetleak vulnerability mentioned in CVE-2015-2080 and here:
>> >
>> > https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
>> >
>> > When exploiting the issue mentioned, the whole activemq instance seems to
>> > crash sometimes.
>> > This is especially cumbersome when you are on a large network and your
>> > production activemq instances are constantly crashed by "vulnerability
>> > scanners"...
>> >
>> > Is this already known by the devs and will there be an update to activemq
>> > with a non-vulnerable version of jetty?
>> >
>> > Many Thanks,
>> > Benjamin
>> >
>> > --
>> > View this message in context: http://activemq.2283324.n4.nabble.com/Activemq-bundled-Jetty-Jetleak-vulnerability-tp4717035.html
>> > Sent from the ActiveMQ - User mailing list archive at Nabble.com.
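A defender-side check for the point Chris makes above (bundled Jetty 9.2.13.v20150730 against the 9.2.9 fix version he cites): this is an added example, not code from the thread, from ActiveMQ or from Jetty. It assumes Jetty jars are named `jetty-<module>-<version>.jar` under the ActiveMQ `lib` directory, and the 9.2.8 jar in the sample listing is a constructed value.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Fix version as cited in the thread ("fixed in version 9.2.9").
JETLEAK_FIXED = (9, 2, 9)

# Matches a bare version ("9.2.13.v20150730") or a Jetty jar name such as
# "jetty-server-9.2.13.v20150730.jar"; the ".vYYYYMMDD" qualifier is optional.
_JETTY_VERSION_RE = re.compile(
    r"(?:^|\bjetty(?:-[a-z0-9]+)*-)(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?(?:\.jar)?$"
)

def parse_jetty_version(name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Jetty version or jar name, else None."""
    m = _JETTY_VERSION_RE.search(name)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def is_jetleak_fixed(version: str) -> bool:
    """True when the version is at or beyond the fix version the thread cites."""
    parsed = parse_jetty_version(version)
    if parsed is None:
        raise ValueError(f"not a Jetty version string: {version!r}")
    return parsed >= JETLEAK_FIXED

def find_unfixed_jetty_jars(jar_names: Iterable[str]) -> List[str]:
    """Return Jetty jar names whose version predates the fix; non-Jetty jars are skipped."""
    unfixed = []
    for name in jar_names:
        parsed = parse_jetty_version(name)
        if parsed is not None and parsed < JETLEAK_FIXED:
            unfixed.append(name)
    return unfixed

def scan_activemq_lib(lib_dir: Path) -> List[str]:
    """Walk an ActiveMQ lib directory (assumed layout: <ACTIVEMQ_HOME>/lib) for pre-fix Jetty jars."""
    return find_unfixed_jetty_jars(p.name for p in lib_dir.rglob("jetty-*.jar"))

# Constructed sample listing, not taken from a real ActiveMQ installation.
SAMPLE_JARS = [
    "jetty-server-9.2.13.v20150730.jar",  # the version quoted in the thread
    "jetty-util-9.2.13.v20150730.jar",
    "jetty-all-9.2.8.v20150217.jar",      # constructed pre-fix version
    "activemq-web-5.14.0.jar",            # not Jetty, ignored
]
if __name__ == "__main__":
    print("pre-fix Jetty jars:", find_unfixed_jetty_jars(SAMPLE_JARS))
```

Point `scan_activemq_lib` at a real `lib` directory to list any Jetty jars still below 9.2.9; an empty list for a 5.14.0 install is what Chris's reply predicts.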