Subject: svn commit: r982387 - in /websites/production/activemq/content/security-advisories.data: CVE-2016-0734-announcement.txt CVE-2016-0782-announcement.txt
Date: Thu, 10 Mar 2016 12:24:33 -0000
From: cshannon@apache.org
To: commits@activemq.apache.org
Reply-To: dev@activemq.apache.org
Message-Id: <20160310122434.05FCC3A0318@svn01-us-west.apache.org>
X-Mailer: svnmailer-1.0.9

Author: cshannon
Date: Thu Mar 10 12:24:33 2016
New Revision: 982387

Log:
Adding CVE announcements

Added:
    websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
    websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt

Added: websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt
==============================================================================
--- websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt (added)
+++ websites/production/activemq/content/security-advisories.data/CVE-2016-0734-announcement.txt Thu Mar 10 12:24:33 2016
@@ -0,0 +1,19 @@ +CVE-2016-0734: ActiveMQ Web Console - Clickjacking + +Severity: Important + +Vendor: +The Apache Software Foundation + +Versions Affected: +Apache ActiveMQ 5.0.0 - 5.13.1 + +Description: +The web based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console. + + +Mitigation: +Upgrade to Apache ActiveMQ 5.13.2 + +Credit: +This issue was discovered by Michael Furman Added: websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt ============================================================================== --- websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt (added) +++ websites/production/activemq/content/security-advisories.data/CVE-2016-0782-announcement.txt Thu Mar 10 12:24:33 2016 @@ -0,0 +1,19 @@ +CVE-2016-0782: ActiveMQ Web Console - Cross-Site Scripting + +Severity: Important + +Vendor: +The Apache Software Foundation + +Versions Affected: +Apache ActiveMQ 5.0.0 - 5.13.1 + +Description: +Several instances of cross-site scripting vulnerabilities were identified to be present in the web based administration console as well as the ability to trigger a Java memory dump into an arbitrary folder. The root cause of these issues are improper user data output validation and incorrect permissions configured on Jolokia. + + +Mitigation: +Upgrade to Apache ActiveMQ 5.11.4, 5.12.3, or 5.13.2 + +Credit: +This issue was discovered by Vladimir Ivanov (Positive Technologies)
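Review bot: The Mitigation section of the CVE-2016-0734 announcement names only 5.13.2 as the fixed release, although the affected range is 5.0.0 - 5.13.1, the same range the companion CVE-2016-0782 announcement resolves with "Upgrade to Apache ActiveMQ 5.11.4, 5.12.3, or 5.13.2". If the X-Frame-Options change was not backported to the 5.11.x and 5.12.x lines, say so explicitly so that users on those lines know a minor upgrade does not close the clickjacking issue; if it was backported, list those releases as the other advisory does. It would also help to state any interim measure for deployments that cannot upgrade immediately, such as having a fronting proxy add the X-Frame-Options header or limiting who can reach the console, since the Description already identifies the missing header as the sole cause. Minor style point: the two consecutive empty "+" lines before "Mitigation:" are inconsistent with the single blank line used between the other sections of the file.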
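Review bot: The title of the CVE-2016-0782 announcement says "Cross-Site Scripting", but its Description also covers a distinct issue, "the ability to trigger a Java memory dump into an arbitrary folder" attributed to "incorrect permissions configured on Jolokia"; either widen the title to reflect both findings, or state that this CVE covers both and which root cause belongs to which, since "improper user data output validation" and the Jolokia permissions are listed together without that mapping. In the same paragraph, "The root cause of these issues are" should read "The root causes of these issues are" (or "The root cause of these issues is"). Because the Jolokia permissions are named as a root cause, the Mitigation section could additionally point to corrected Jolokia access configuration as an interim measure for installations that cannot yet move to 5.11.4, 5.12.3, or 5.13.2. As in the first file, the doubled blank line before "Mitigation:" should be a single one.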