Date: Tue, 24 May 2016 06:09:35 -0600
Subject: Re: [ANNOUNCE] CVE-2016-3088: ActiveMQ Fileserver web application vulnerabilities
From: Tim Bain
To: ActiveMQ Users
Cc: dev@activemq.apache.org, Apache Security Response Team, bugtraq@securityfocus.com, oss-security@lists.openwall.com

Does the range of versions specified mean that the issue is already
addressed in 5.13.3, or was its omission from the range an oversight?

Tim

On May 24, 2016 2:41 AM, "Dejan Bosanac" wrote:

> There's a security vulnerability reported against Apache
> ActiveMQ 5.13.2 and older versions.
>
> Please check the following document and see if you’re affected by the
> issue.
>
> http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
>
> Vulnerability is similar to the one reported in CVE-2015-1830 (
> http://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt
> ).
> The fileserver web application will be removed in 5.14.0 release and users
> are advised not to use it and disable it in older versions.
>
> Regards
> --
> Dejan Bosanac
> about.me/dejanb