Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 45764200B0E for ; Tue, 24 May 2016 14:17:55 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 444B7160A30; Tue, 24 May 2016 12:17:55 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 87199160A31 for ; Tue, 24 May 2016 14:17:54 +0200 (CEST) Received: (qmail 24507 invoked by uid 500); 24 May 2016 12:17:53 -0000 Mailing-List: contact dev-help@activemq.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@activemq.apache.org Delivered-To: mailing list dev@activemq.apache.org Received: (qmail 24440 invoked by uid 99); 24 May 2016 12:17:52 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 24 May 2016 12:17:52 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 9300B1A04B9; Tue, 24 May 2016 12:17:52 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 2.03 X-Spam-Level: ** X-Spam-Status: No, score=2.03 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=2, KAM_INFOUSMEBIZ=0.75, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd2-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id nmXTaMOlsYp8; Tue, 24 May 2016 12:17:50 +0000 (UTC) Received: from mail-vk0-f42.google.com (mail-vk0-f42.google.com [209.85.213.42]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 5F26360E50; Tue, 24 May 2016 12:17:49 +0000 (UTC) Received: by mail-vk0-f42.google.com with SMTP id r140so18746809vkf.0; Tue, 24 May 2016 05:17:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:cc; bh=5EYYrwPBLBWSQgtIfkmd4cpCVpJpbA3JNt6urRuQTvU=; b=Ay9L6bgPnRRcXe0ABFZv41JW06Z5e6Ml0ZrC7rMhLXD1q2Vh0CjaOeen72X0RRTPbA 1tENEFbpuK4weTXuOJAcjysvp+K//87Spn/eK6V8mkZ8/8GXXaxMbnlaI353u8NJc0ME 9fxWQbSkKEnL98zjOQPoCrGB5jmVY6qOk6TaUTGqnd1oX69PMLrUtNMxIivaVH7sWVhp T7o4LoELwAodOZSX8HzmXcNOBDSm8VTEkJ5G0rZfXn9N716B+9RzklJb/puNGrN7HzPX 9QUJACRnA8ev9GDl+s7xD93MP9aKwGb4WlRt/mu8/y43lPngKftNd9nSzCZGJglM/yvp as1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:date:message-id:subject:from :to:cc; bh=5EYYrwPBLBWSQgtIfkmd4cpCVpJpbA3JNt6urRuQTvU=; b=lfYSwqAdlMGd4K2x63gSBq2GnCYGhGF1bN5lg2Gbvqz0PemU+eDVNQMG4wUpFcGekB I8HHybbkzUCdi4Hyu0LN3hesk2jAjN3Pa5rVPnjv2UthgV9Zy+JuEVnHxvtzj8BX2bH0 Y3JDtQ3zJ7pxPh2hKqUVG03rMriHxSiCJMemDMWhI+aZbMQ8VcnYg2qtuqkp60WhzbgA 2qy/ZXSVy82CcxlTRZsTPhopE0laHKkxGy9DcngpGc3Sbpc2XCKGu2Z5qOMx/x34gu+y Z5BhGEmQAz5Im+ScjB1i+A9LM0r8Ztr0jEYjcHYgiootD3uNCccgOHswarY/kLeQgizJ Rucg== X-Gm-Message-State: ALyK8tLcNnHPLuk1agSp2zhGFG2wLHbZGpTpv0lGhmL4H9ZRtpJH9VR2/IfyyIWF/5MsfQL1r6iGFCpm3BficQ== MIME-Version: 1.0 X-Received: by 10.176.64.198 with SMTP id i64mr2249888uad.121.1464092268402; Tue, 24 May 2016 05:17:48 -0700 (PDT) Sender: chubrilo@gmail.com Received: by 10.31.94.148 with HTTP; Tue, 24 May 2016 05:17:48 -0700 (PDT) Date: Tue, 24 May 2016 14:17:48 +0200 X-Google-Sender-Auth: EHkhz2Krr9nhLNP7SZAAMS8NuqA Message-ID: Subject: Re: [ANNOUNCE] CVE-2016-3088: ActiveMQ Fileserver web application vulnerabilities From: Dejan Bosanac To: "users@activemq.apache.org" Cc: "dev@activemq.apache.org" , Apache Security Response Team , bugtraq@securityfocus.com, oss-security@lists.openwall.com Content-Type: multipart/alternative; boundary=94eb2c047c5893a2570533958b9f archived-at: Tue, 24 May 2016 12:17:55 -0000 --94eb2c047c5893a2570533958b9f Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Tim, it=E2=80=99s an omission. The feature will be completely removed with 5.14.= 0 and it=E2=80=99s been disabled by default since 5.12.0, so 5.13.x broker that h= aven=E2=80=99t this feature turn on explicitly are not vulnerable. I=E2=80=99ll fix the announcement now to say 5.13.x so it=E2=80=99s future = proof in case of new 5.13 branch releases Regards -- Dejan Bosanac about.me/dejanb On Tue, May 24, 2016 at 2:09 PM, Tim Bain wrote: > Does the range of versions specified mean that the issue is already > addressed in 5.13.3, or was its omission from the range an oversight? > > Tim > On May 24, 2016 2:41 AM, "Dejan Bosanac" wrote: > > > There's a security vulnerability reported against Apache > > ActiveMQ 5.13.2 and older versions. > > > > Please check the following document and see if you=E2=80=99re affected = by the > > issue. > > > > > > > http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announc= ement.txt > > > > Vulnerability is similar to the one reported in CVE-2015-1830 ( > > > > > http://activemq.apache.org/security-advisories.data/CVE-2015-1830-announc= ement.txt > > ). > > The fileserver web application will be removed in 5.14.0 release and > users > > are advised not to use it and disable it in older versions. > > > > Regards > > -- > > Dejan Bosanac > > about.me/dejanb > > > --94eb2c047c5893a2570533958b9f--