-------------------------------------------------------------------------
Debian LTS Advisory DLA-3936-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
October 25, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : activemq
Version : 5.16.1-1+deb11u1
CVE ID : CVE-2022-41678 CVE-2023-46604
Debian Bug : 1054909
Two vulnerabilities were found in Apache ActiveMQ, a Java-based message broker.
CVE-2022-41678
Deserialization vulnerability on Jolokia that allows authenticated users to
perform arbitrary code execution.
CVE-2023-46604
The Java OpenWire protocol marshaller is vulnerable to arbitrary code
execution. This vulnerability may allow a remote attacker with network
access to run arbitrary shell commands by manipulating serialized class
types in either a Java-based OpenWire broker or client.
For Debian 11 bullseye, these problems have been fixed in version
5.16.1-1+deb11u1.
We recommend that you upgrade your activemq packages.
For the detailed security status of activemq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/activemq
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature