activemq-users mailing list archives

From Dejan Bosanac <de...@nighttale.net>
Subject Re: Java_December vulnerability
Date Wed, 09 Dec 2015 10:41:06 GMT
Hi Tim, yes, it prevents untrusted classes deserializing inside the broker,
including when you want to look at them in the web console.

Regards
--
Dejan Bosanac
about.me/dejanb

On Tue, Dec 8, 2015 at 10:27 PM, Tim Bain <tbain@alumni.duke.edu> wrote:

> The mitigation section simply says to upgrade to 5.13.0, which implies that
> 5.13.0 fixes all categories of this problem, including webconsole.  Is that
> accurate?
>
> Tim
> On Dec 8, 2015 10:09 AM, "Dejan Bosanac" <dejan@nighttale.net> wrote:
>
> > Hi,
> >
> > this has just been announced with its own CVE-2015-5254. More info can be
> > found at
> >
> > http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
> >
> > Regards
> > --
> > Dejan Bosanac
> > about.me/dejanb
> >
> > On Tue, Dec 8, 2015 at 4:41 PM, iali <iali@arcsolutions.com> wrote:
> >
> > > Thanks Tim,
> > >
> > > I did have a look at that site and it has got a comprehensive explanation
> > > against this vulnerability. Also I have been having a discussion under
> > > AMQ-6013 <https://issues.apache.org/jira/browse/AMQ-6013> and it seems
> > > that we can use CVE-2015-4852 based on comment in
> > >
> > > https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046732#comment-15046732
> > >
> > >
> > >
> > > --
> > > View this message in context:
> > > http://activemq.2283324.n4.nabble.com/Java-December-vulnerability-tp4704610p4704781.html
> > > Sent from the ActiveMQ - User mailing list archive at Nabble.com.
> > >
> >
>
