[Bug 1291292] New: CVE-2015-5254 activemq: unsafe deserialization
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291292
Bug ID: 1291292
Summary: CVE-2015-5254 activemq: unsafe deserialization
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abhgupta(a)redhat.com, agrimm(a)redhat.com,
aileenc(a)redhat.com, ccoleman(a)redhat.com,
chazlett(a)redhat.com, dmcphers(a)redhat.com,
gvarsami(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jialiu(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
ldimaggi(a)redhat.com, lmeyer(a)redhat.com,
mmccomas(a)redhat.com, nwallace(a)redhat.com,
pavelp(a)redhat.com, puntogil(a)libero.it,
rwagner(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com, s(a)shk.io,
tcunning(a)redhat.com, tdawson(a)redhat.com,
tiwillia(a)redhat.com, tkirby(a)redhat.com
JMS Object messages depend on Java Serialization for marshaling/unmarshaling of
the message payload. There are a couple of places inside the broker where
deserialization can occur, like web console or stomp object message
transformation. As deserialization of untrusted data can lead to security
flaws as demonstrated in various reports, this leaves the broker vulnerable to
this attack vector. Additionally, applications that consume ObjectMessage type
of messages can be vulnerable as they deserialize objects on
ObjectMessage.getObject() calls.
This issue was fixed upstream in Apache ActiveMQ 5.13.0. Additionally, when
using ObjectMessage message type, you need to explicitly list trusted packages.
To see how to do that, please take a look at:
http://activemq.apache.org/objectmessage.html
External References:
http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announc...
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=gmTDQZJf60&a=cc_unsubscribe
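The consumer-side mitigation the report points to (an explicit list of trusted packages for ObjectMessage payloads), as an added example that is not part of the bug report or of ActiveMQ itself. It assumes activemq-client and activemq-broker 5.13.x on the classpath; the queue name and the allow list are made up for the demo.

```java
import java.util.Arrays;
import java.util.Date;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.ObjectMessage;
import javax.jms.Queue;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class TrustedObjectMessageDemo {
    public static void main(String[] args) throws Exception {
        // Embedded, non-persistent broker so the demo needs no separate server
        // (requires activemq-broker on the classpath in addition to activemq-client).
        ActiveMQConnectionFactory factory =
                new ActiveMQConnectionFactory("vm://localhost?broker.persistent=false");
        // Replace the default trusted-package list with an explicit allow list:
        // payload classes outside these packages are rejected by getObject().
        factory.setTrustedPackages(Arrays.asList("java.lang"));

        Connection conn = factory.createConnection();
        conn.start();
        Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
        Queue queue = session.createQueue("demo.objectmessage"); // constructed name
        MessageProducer producer = session.createProducer(queue);
        MessageConsumer consumer = session.createConsumer(queue);

        // java.lang.String is inside the allow list: accepted.
        producer.send(session.createObjectMessage("hello"));
        ObjectMessage ok = (ObjectMessage) consumer.receive(5000);
        System.out.println("accepted: " + ok.getObject());

        // java.util.Date is outside the allow list: getObject() throws.
        producer.send(session.createObjectMessage(new Date()));
        ObjectMessage blocked = (ObjectMessage) consumer.receive(5000);
        try {
            blocked.getObject();
        } catch (JMSException e) {
            // The exception names the forbidden class and refers to objectmessage.html.
            System.out.println("rejected: " + e.getMessage());
        }
        conn.close();
    }
}
```

The same allow list can be applied without code changes by starting the consuming JVM with -Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang (comma-separated for more packages).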
[Bug 958733] New: plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=958733
Bug ID: 958733
Summary: plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli
Product: Fedora
Version: 18
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Blocks: 958220
Category: ---
The shell quoting logic in this package (and the
org.codehaus.plexus.util.cli.shell package) looks fairly dangerous. It appears
to be mostly dead code. Client code should be migrated to
java.lang.ProcessBuilder.
The different quoting options (single quotes, double quotes) are difficult to
get right, and the reference to StringUtils is not particularly helpful because
the caller has to provide the correct set of characters to be escaped, which is
platform-dependent.
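The migration the report recommends, as an added example that is not from the bug report or from plexus-utils: with java.lang.ProcessBuilder each argument goes to the OS as its own argv element, so no shell ever parses it and the platform-dependent escaping the report criticises is not needed. It assumes a POSIX system with /bin/echo; the untrusted input string is constructed for the demo.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;

public class NoShellQuoting {
    // Runs a program with literal arguments (no shell involved) and returns its output.
    static String run(List<String> argv) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(argv);
        pb.redirectErrorStream(true);
        Process p = pb.start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input containing characters that a shell would interpret.
        String untrusted = "it's \"quoted\" $(id) ; echo injected";
        // Passed as one argv element, echo receives the string unchanged:
        // the quotes, $(...) and ';' are ordinary bytes, not shell syntax.
        System.out.print(run(Arrays.asList("/bin/echo", untrusted)));
    }
}
```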
[Bug 1098424] New: tycho: Java class bundling/"static linking"
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1098424
Bug ID: 1098424
Summary: tycho: Java class bundling/"static linking"
Product: Fedora
Version: rawhide
Component: tycho
Assignee: rgrunber(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mat.booth(a)redhat.com,
mizdebsk(a)redhat.com, rgrunber(a)redhat.com
Blocks: 1098237
tycho-0.20.0-6.fc21.noarch bundles many class files which are also available
from other Fedora packages. Here are a few examples:
/usr/share/java/tycho/org.eclipse.tycho.surefire.junit.jar contains
org/apache/maven/surefire/common/junit3/JUnit3Reflector, also part of
maven-surefire-provider-junit-0:2.17-1.fc21.noarch.
/usr/share/java/tycho/org.eclipse.tycho.surefire.junit4.jar contains
org/apache/maven/surefire/common/junit3/JUnit3TestChecker, also from
maven-surefire-provider-junit-0:2.17-1.fc21.noarch.
/usr/share/java/tycho/org.eclipse.tycho.surefire.osgibooter.jar contains the
class org/codehaus/plexus/util/AbstractScanner, which is part of
plexus-utils-3.0.16-2.fc21.noarch.
/usr/share/java/tycho/tycho-bundles-external.zip contains
org/apache/commons/logging/Log from
apache-commons-logging-1.1.3-11.fc21.noarch,
org/apache/commons/codec/BinaryDecoder from
apache-commons-codec-1.9-2.fc21.noarch, org/apache/http/auth/AUTH from
httpcomponents-client-4.3.3-1.fc21.noarch,
org/apache/http/ConnectionClosedException from
httpcomponents-core-4.3.2-1.fc21.noarch, org/sat4j/AbstractLauncher from
sat4j-2.3.5-3.fc21.noarch.
It seems that at least some of these class files are copied from build
dependencies into the JAR files of the tycho RPM. Such bundling/static linking
is against the Fedora packaging guidelines, specifically
<http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries>.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1098237
[Bug 1098237] Java "static linking"/class bundling in Fedora
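A check for the kind of bundling the report describes, as an added example that is not from the bug report or from the tycho package: it indexes every .class entry across the JARs under a directory and prints the classes that occur in more than one archive. It assumes a JDK 8+ and takes the directory from the command line (defaulting to /usr/share/java, the location used in the report).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class DuplicateClassFinder {
    // Maps every .class entry name to the sorted set of JARs that contain it.
    // Nested archives (JARs inside a zip such as tycho-bundles-external.zip)
    // are not opened; unpack them first if they should be part of the scan.
    static Map<String, TreeSet<String>> index(List<Path> jars) throws IOException {
        Map<String, TreeSet<String>> seen = new TreeMap<>();
        for (Path jar : jars) {
            try (ZipFile zf = new ZipFile(jar.toFile())) {
                Enumeration<? extends ZipEntry> entries = zf.entries();
                while (entries.hasMoreElements()) {
                    String name = entries.nextElement().getName();
                    if (name.endsWith(".class")) {
                        seen.computeIfAbsent(name, k -> new TreeSet<>()).add(jar.toString());
                    }
                }
            }
        }
        return seen;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : "/usr/share/java");
        List<Path> jars;
        try (Stream<Path> walk = Files.walk(root)) {
            jars = walk.filter(p -> p.toString().endsWith(".jar"))
                       .collect(Collectors.toList());
        }
        // A class present in more than one JAR is a bundling candidate.
        index(jars).forEach((cls, owners) -> {
            if (owners.size() > 1) {
                System.out.println(cls + " -> " + owners);
            }
        });
    }
}
```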