activemq-commits mailing list archives

From build...@apache.org
Subject svn commit: r988958 - in /websites/production/activemq/content: cache/main.pageCache security-advisories.data/CVE-2016-3088-announcement.txt security-advisories.html
Date Mon, 23 May 2016 17:22:13 GMT
Author: buildbot
Date: Mon May 23 17:22:13 2016
New Revision: 988958

Log:
Production update by buildbot for activemq

Added:
    websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
Modified:
    websites/production/activemq/content/cache/main.pageCache
    websites/production/activemq/content/security-advisories.html

Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
==============================================================================
--- websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
(added)
+++ websites/production/activemq/content/security-advisories.data/CVE-2016-3088-announcement.txt
Mon May 23 17:22:13 2016
@@ -0,0 +1,26 @@
+CVE-2016-3088 - ActiveMQ Fileserver web application vulnerabilities
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Apache ActiveMQ 5.0.0 - 5.13.2
+
+Description:
+
+Multiple vulnerabilities have been identified in the Apache ActiveMQ Fileserver web application.
These are similar to those reported in CVE-2015-1830 and can allow attackers to replace web
application files with malicious code and perform remote code execution on the system.
+
+Mitigation:
+
+Fileserver feature will be completely removed starting with 5.14.0 release. Users are advised
to use other FTP and HTTP based file servers for transferring blob messages. Fileserver web
application SHOULD NOT be used in older version of the broker and it should be disabled (it
has been disabled by default since 5.12.0). This can be done by removing (commenting out)
the following lines from conf\jetty.xml file
+
+<bean class="org.eclipse.jetty.webapp.WebAppContext">
+    <property name="contextPath" value="/fileserver" />
+    <property name="resourceBase" value="${activemq.home}/webapps/fileserver" />
+    <property name="logUrlOnStart" value="true" />
+    <property name="parentLoaderPriority" value="true" />
+</bean>
+
+Credit:
+This issue was discovered by separated reports of Simon Zuckerbraun and Andrea Micalizzi
(rgod) of Trend Micro Zero Day Initiative
\ No newline at end of file
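Review bot: the "Versions Affected" range (5.0.0 - 5.13.2) and the Mitigation paragraph read as contradictory unless the reader joins them up: the mitigation says the fileserver "has been disabled by default since 5.12.0", yet 5.12.x and 5.13.x are listed as affected. Add a sentence under Mitigation stating that 5.12.0 and later are exposed only where the /fileserver WebAppContext bean in jetty.xml was re-enabled, and that upgrading to 5.14.0 removes the web application entirely, as the "completely removed starting with 5.14.0 release" sentence already implies. Two smaller points: the path is written "conf\jetty.xml" with a Windows separator while the bean itself uses ${activemq.home}, so "conf/jetty.xml" (or "the jetty.xml under the broker's conf directory") is clearer for the majority of deployments; and the attachment is committed without a trailing newline, as the "\ No newline at end of file" marker shows, which is worth fixing the next time the text is edited (along with "separated reports" -> "separate reports" and "older version" -> "older versions" in the Credit and Mitigation paragraphs).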

Modified: websites/production/activemq/content/security-advisories.html
==============================================================================
--- websites/production/activemq/content/security-advisories.html (original)
+++ websites/production/activemq/content/security-advisories.html Mon May 23 17:22:13 2016
@@ -72,7 +72,7 @@
   <tbody>
         <tr>
         <td valign="top" width="100%">
-<div class="wiki-content maincontent"><h2 id="SecurityAdvisories-ApacheActiveMQ">Apache
ActiveMQ</h2><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2016-0734-announcement.txt?version=1&amp;modificationDate=1457613666000&amp;api=v2"
data-linked-resource-id="62687061" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-0734-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2016-0734</a>&#160;-&#160;ActiveMQ
Web Console - Clickjacking</li><li><a shape="rect" href="security-advisories.data/CVE-2016-0782-announcement.txt?version=1&amp;modificationDate=1457613720014&amp;api=v2"
data-linked-resource-id="62687062" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-0782-announce
 ment.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2016-0782</a>&#160;-&#160;ActiveMQ
Web Console - Cross-Site Scripting</li></ul><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2015-5254-announcement.txt?version=1&amp;modificationDate=1449589734000&amp;api=v2"
data-linked-resource-id="61331741" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5254-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2015-5254</a> -&#160;Unsafe deserialization
in ActiveMQ</li><li><a shape="rect" href="security-advisories.data/CVE-2015-1830-announcement.txt?version=2&amp;modificationDate=1440426986000&amp;api=v2"
data-linked-resou
 rce-id="61313840" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-1830-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2015-1830</a> - Path traversal leading
to unauthenticated RCE in ActiveMQ&#160;</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2014-3576-announcement.txt?version=1&amp;modificationDate=1446901063000&amp;api=v2"
data-linked-resource-id="61327457" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3576-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2014-3576</a> -&#160;Remote Unauthenticated
Shutdown of Br
 oker (DoS)</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3600-announcement.txt?version=2&amp;modificationDate=1423051306000&amp;api=v2"
data-linked-resource-id="52035730" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3600-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2014-3600</a>&#160;-&#160;Apache
ActiveMQ XXE with XPath selectors</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3612-announcement.txt?version=2&amp;modificationDate=1423051365000&amp;api=v2"
data-linked-resource-id="52035731" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3612-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957
 " data-linked-resource-container-version="9">CVE-2014-3612</a> -&#160;ActiveMQ
JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation</li><li><a
shape="rect" href="security-advisories.data/CVE-2014-8110-announcement.txt?version=2&amp;modificationDate=1423051381000&amp;api=v2"
data-linked-resource-id="52035732" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-8110-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2014-8110</a> -&#160;<span
style="line-height: 1.4285715;">ActiveMQ Web Console - Cross-Site Scripting</span><span
style="line-height: 1.4285715;"><br clear="none"></span></li></ul><h2
id="SecurityAdvisories-ActiveMQApollo"><span style="line-height: 1.4285715;">ActiveMQ
Apollo</span></h2><h3 id="SecurityAdvisories-2014.1"><span style="line-heigh
 t: 1.4285715;">2014</span></h3><ul><li><span style="line-height:
1.4285715;"><span style="line-height: 1.4285715;">&#160;</span></span><a
shape="rect" href="security-advisories.data/CVE-2014-3579-announcement.txt?version=1&amp;modificationDate=1423054118000&amp;api=v2"
data-linked-resource-id="52035737" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3579-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="9">CVE-2014-3579</a><span style="line-height:
1.4285715;"> -&#160;ActiveMQ Apollo XXE with XPath selectors</span></li></ul><p><span
style="line-height: 1.4285715;">&#160;</span></p></div>
+<div class="wiki-content maincontent"><h2 id="SecurityAdvisories-ApacheActiveMQ">Apache
ActiveMQ</h2><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2016-0734-announcement.txt?version=1&amp;modificationDate=1457613666000&amp;api=v2"
data-linked-resource-id="62687061" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-0734-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2016-0734</a>&#160;-&#160;ActiveMQ
Web Console - Clickjacking</li><li><a shape="rect" href="security-advisories.data/CVE-2016-0782-announcement.txt?version=2&amp;modificationDate=1458229308000&amp;api=v2"
data-linked-resource-id="62687062" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-0782-announc
 ement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2016-0782</a>&#160;-&#160;ActiveMQ
Web Console - Cross-Site Scripting</li><li><a shape="rect" href="security-advisories.data/CVE-2016-3088-announcement.txt?version=4&amp;modificationDate=1464022661036&amp;api=v2"
data-linked-resource-id="63406525" data-linked-resource-version="4" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-3088-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2016-3088</a> -&#160;ActiveMQ
Fileserver web application vulnerabilities</li></ul><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2015-5254-announcement.txt?version=1&amp;modificationDate=1449589734000&amp;api=v
 2" data-linked-resource-id="61331741" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5254-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2015-5254</a> -&#160;Unsafe deserialization
in ActiveMQ</li><li><a shape="rect" href="security-advisories.data/CVE-2015-1830-announcement.txt?version=2&amp;modificationDate=1440426986000&amp;api=v2"
data-linked-resource-id="61313840" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-1830-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2015-1830</a> - Path traversal leading
to unauthenticated RCE in ActiveMQ&#160;</li></ul><h3 id="SecurityAdviso
 ries-2014">2014</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2014-3576-announcement.txt?version=1&amp;modificationDate=1446901063000&amp;api=v2"
data-linked-resource-id="61327457" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3576-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2014-3576</a> -&#160;Remote Unauthenticated
Shutdown of Broker (DoS)</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3600-announcement.txt?version=2&amp;modificationDate=1423051306000&amp;api=v2"
data-linked-resource-id="52035730" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3600-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-
 id="51808957" data-linked-resource-container-version="10">CVE-2014-3600</a>&#160;-&#160;Apache
ActiveMQ XXE with XPath selectors</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3612-announcement.txt?version=2&amp;modificationDate=1423051365000&amp;api=v2"
data-linked-resource-id="52035731" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3612-announcement.txt" data-nice-type="Text File"
data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2014-3612</a> -&#160;ActiveMQ
JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation</li><li><a
shape="rect" href="security-advisories.data/CVE-2014-8110-announcement.txt?version=2&amp;modificationDate=1423051381000&amp;api=v2"
data-linked-resource-id="52035732" data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-reso
 urce-default-alias="CVE-2014-8110-announcement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="51808957" data-linked-resource-container-version="10">CVE-2014-8110</a>
-&#160;<span style="line-height: 1.4285715;">ActiveMQ Web Console - Cross-Site Scripting</span><span
style="line-height: 1.4285715;"><br clear="none"></span></li></ul><h2
id="SecurityAdvisories-ActiveMQApollo"><span style="line-height: 1.4285715;">ActiveMQ
Apollo</span></h2><h3 id="SecurityAdvisories-2014.1"><span style="line-height:
1.4285715;">2014</span></h3><ul><li><span style="line-height:
1.4285715;"><span style="line-height: 1.4285715;">&#160;</span></span><a
shape="rect" href="security-advisories.data/CVE-2014-3579-announcement.txt?version=1&amp;modificationDate=1423054118000&amp;api=v2"
data-linked-resource-id="52035737" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3579-anno
 uncement.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="51808957"
data-linked-resource-container-version="10">CVE-2014-3579</a><span style="line-height:
1.4285715;"> -&#160;ActiveMQ Apollo XXE with XPath selectors</span></li></ul><p><span
style="line-height: 1.4285715;">&#160;</span></p></div>
         </td>
         <td valign="top">
           <div class="navigation">
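Review bot: the CVE-2016-0782 entry in the replacement div changes its link from version=1&amp;modificationDate=1457613720014 to version=2&amp;modificationDate=1458229308000 and bumps data-linked-resource-version from "1" to "2", but this commit's "Modified:" list contains only cache/main.pageCache and security-advisories.html and its "Added:" list only the CVE-2016-3088 text; no updated security-advisories.data/CVE-2016-0782-announcement.txt is published here. Confirm that the version-2 attachment actually exists under security-advisories.data/ on the production site, otherwise the link now points at content that was never pushed. A second, cosmetic point: the visible text of the new CVE-2016-3088 entry ("ActiveMQ Fileserver web application vulnerabilities") says nothing about impact, unlike the neighbouring CVE-2015-1830 entry ("Path traversal leading to unauthenticated RCE in ActiveMQ"); since the advisory text added in this same commit says the flaws let attackers replace web application files and perform remote code execution, consider stating that in the list, e.g. "CVE-2016-3088 - ActiveMQ Fileserver web application vulnerabilities (file replacement leading to remote code execution)", so readers scanning the index see the severity without opening the attachment.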


