
Bug#778868: unblock: activemq/5.6.0+dfsg1-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package activemq; version 5.6.0+dfsg1-4 fixes two security issues.

Thank you

unblock activemq/5.6.0+dfsg1-4



diff -Nru activemq-5.6.0+dfsg1/debian/changelog activemq-5.6.0+dfsg1/debian/changelog
--- activemq-5.6.0+dfsg1/debian/changelog       2014-11-21 14:02:18.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/changelog       2015-02-18 20:04:41.000000000 +0100
@@ -1,3 +1,14 @@
+activemq (5.6.0+dfsg1-4) unstable; urgency=high
+
+  * Team upload.
+  * Fixed security issues (Closes: #777196)
+    - CVE-2014-3612: JAAS LDAPLoginModule allows empty password authentication
+    - CVE-2014-3600: XML External Entity expansion when evaluating XPath
+      expressions
+  * Standards-Version updated to 3.9.6 (no changes)
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Wed, 18 Feb 2015 20:04:38 +0100
+
 activemq (5.6.0+dfsg1-3) unstable; urgency=high

   * Team upload.
diff -Nru activemq-5.6.0+dfsg1/debian/control activemq-5.6.0+dfsg1/debian/control
--- activemq-5.6.0+dfsg1/debian/control 2014-09-29 09:26:05.000000000 +0200
+++ activemq-5.6.0+dfsg1/debian/control 2015-02-18 20:03:58.000000000 +0100
@@ -55,9 +55,9 @@
                      libxbean-java-doc,
                      libxpp3-java,
                      libxstream-java (>= 1.4)
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 Vcs-Git: git://anonscm.debian.org/pkg-java/activemq.git
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/activemq.git
+Vcs-Browser: http://anonscm.debian.org/cgit/pkg-java/activemq.git
 Homepage: http://activemq.apache.org

 Package: libactivemq-java
diff -Nru activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3600.patch activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3600.patch
--- activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3600.patch     1970-01-01 01:00:00.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3600.patch     2015-02-18 19:42:35.000000000 +0100
@@ -0,0 +1,239 @@
+Description: Fix CVE-2014-3600: XML External Entity expansion when evaluating XPath expressions.
+ This patch can be removed after upgrading to ActiveMQ 5.10.1 or later.
+Origin: backport, https://github.com/apache/activemq/commit/b9696ac
+Bug: https://issues.apache.org/jira/browse/AMQ-5333
+--- a/activemq-optional/src/main/java/org/apache/activemq/filter/JAXPXPathEvaluator.java
++++ b/activemq-optional/src/main/java/org/apache/activemq/filter/JAXPXPathEvaluator.java
+@@ -21,11 +21,13 @@
+ import javax.jms.BytesMessage;
+ import javax.jms.JMSException;
+ import javax.jms.TextMessage;
++import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.xpath.XPath;
+ import javax.xml.xpath.XPathConstants;
+ import javax.xml.xpath.XPathExpressionException;
+ import javax.xml.xpath.XPathFactory;
+
++import org.w3c.dom.Document;
+ import org.xml.sax.InputSource;
+
+ import org.apache.activemq.command.Message;
+@@ -61,8 +63,9 @@
+     private boolean evaluate(byte[] data) {
+         try {
+             InputSource inputSource = new InputSource(new ByteArrayInputStream(data));
+-            return ((Boolean)expression.evaluate(inputSource, XPathConstants.BOOLEAN)).booleanValue();
+-        } catch (XPathExpressionException e) {
++            Document inputDocument = builder.parse(inputSource);
++            return ((Boolean)xpath.evaluate(xpathExpression, inputDocument, XPathConstants.BOOLEAN)).booleanValue();
++        } catch (Exception e) {
+             return false;
+         }
+     }
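Review bot: The new `evaluate(byte[])` body uses `builder`, `xpath` and `xpathExpression`, but none of the three hunks for JAXPXPathEvaluator.java declares those fields or changes the constructor; the `evaluate(String)` hunk that follows has the same gap. If the class still has only its one-argument constructor, these lines will not compile, and the `(String, DocumentBuilder)` constructor lookup that XPathExpression now performs will not find it. The backport appears to need the same field and constructor change that XalanXPathEvaluator receives later in this patch, e.g. `public JAXPXPathEvaluator(String xpathExpression, DocumentBuilder builder)` storing both values. The rest of the class is outside these hunks, so confirm against the patched tree and check whether the activemq-optional module is built at all.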
+@@ -70,8 +73,9 @@
+     private boolean evaluate(String text) {
+         try {
+             InputSource inputSource = new InputSource(new StringReader(text));
+-            return ((Boolean)expression.evaluate(inputSource, XPathConstants.BOOLEAN)).booleanValue();
+-        } catch (XPathExpressionException e) {
++            Document inputDocument = builder.parse(inputSource);
++            return ((Boolean)xpath.evaluate(xpathExpression, inputDocument, XPathConstants.BOOLEAN)).booleanValue();
++        } catch (Exception e) {
+             return false;
+         }
+     }
+--- a/activemq-core/src/main/java/org/apache/activemq/filter/XalanXPathEvaluator.java
++++ b/activemq-core/src/main/java/org/apache/activemq/filter/XalanXPathEvaluator.java
+@@ -25,6 +25,8 @@
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.xpath.XPath;
++import javax.xml.xpath.XPathConstants;
++import javax.xml.xpath.XPathFactory;
+
+ import org.w3c.dom.Document;
+ import org.w3c.dom.traversal.NodeIterator;
+@@ -35,13 +37,20 @@
+ import org.apache.xpath.CachedXPathAPI;
+ import org.apache.xpath.objects.XObject;
+
+-
+ public class XalanXPathEvaluator implements XPathExpression.XPathEvaluator {
+
+-    private final String xpath;
+-
+-    public XalanXPathEvaluator(String xpath) {
+-        this.xpath = xpath;
++    private static final XPathFactory FACTORY = XPathFactory.newInstance();
++    private final String xpathExpression;
++    private final DocumentBuilder builder;
++    private final XPath xpath = FACTORY.newXPath();
++
++    public XalanXPathEvaluator(String xpathExpression, DocumentBuilder builder) throws Exception {
++        this.xpathExpression = xpathExpression;
++        if (builder != null) {
++            this.builder = builder;
++        } else {
++            throw new RuntimeException("No document builder available");
++        }
+     }
+
+     public boolean evaluate(Message m) throws JMSException {
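Review bot: The `builder` stored by this constructor is the one static `DocumentBuilder` that XPathExpression hands to every evaluator, and both it and the per-instance `xpath` are used in the `evaluate` methods without any locking. JAXP does not guarantee that `DocumentBuilder` or `XPath` instances are thread-safe, so if selectors are evaluated on several broker threads at once the shared parser state can be corrupted. Consider serialising the parse, `synchronized (builder) { inputDocument = builder.parse(inputSource); }`, or creating a builder per evaluation from the hardened factory. Whether evaluators are in fact called concurrently is not visible in this patch.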
+@@ -61,22 +70,9 @@
+         try {
+
+             InputSource inputSource = new InputSource(new ByteArrayInputStream(data));
+-
+-            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+-            factory.setNamespaceAware(true);
+-            DocumentBuilder dbuilder = factory.newDocumentBuilder();
+-            Document doc = dbuilder.parse(inputSource);
+-
+-            CachedXPathAPI cachedXPathAPI = new CachedXPathAPI();
+-            XObject result = cachedXPathAPI.eval(doc, xpath);
+-            if (result.bool())
+-              return true;
+-            else {
+-              NodeIterator iterator = cachedXPathAPI.selectNodeIterator(doc, xpath);
+-              return (iterator.nextNode() != null);
+-            }
+-
+-        } catch (Throwable e) {
++            Document inputDocument = builder.parse(inputSource);
++            return ((Boolean) xpath.evaluate(xpathExpression, inputDocument, XPathConstants.BOOLEAN)).booleanValue();
++        } catch (Exception e) {
+             return false;
+         }
+     }
+@@ -84,28 +80,15 @@
+     private boolean evaluate(String text) {
+         try {
+             InputSource inputSource = new InputSource(new StringReader(text));
+-
+-            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+-            factory.setNamespaceAware(true);
+-            DocumentBuilder dbuilder = factory.newDocumentBuilder();
+-            Document doc = dbuilder.parse(inputSource);
+-
+-            //An XPath expression could return a true or false value instead of a node.
+-            //eval() is a better way to determine the boolean value of the exp.
+-            //For compliance with legacy behavior where selecting an empty node returns true,
+-            //selectNodeIterator is attempted in case of a failure.
+-
+-            CachedXPathAPI cachedXPathAPI = new CachedXPathAPI();
+-            XObject result = cachedXPathAPI.eval(doc, xpath);
+-            if (result.bool())
+-              return true;
+-            else {
+-              NodeIterator iterator = cachedXPathAPI.selectNodeIterator(doc, xpath);
+-              return (iterator.nextNode() != null);
+-            }
+-
+-        } catch (Throwable e) {
++            Document inputDocument = builder.parse(inputSource);
++            return ((Boolean) xpath.evaluate(xpathExpression, inputDocument, XPathConstants.BOOLEAN)).booleanValue();
++        } catch (Exception e) {
+             return false;
+         }
+     }
++
++    @Override
++    public String toString() {
++        return xpathExpression;
++    }
+ }
+--- a/activemq-core/src/main/java/org/apache/activemq/filter/XPathExpression.java
++++ b/activemq-core/src/main/java/org/apache/activemq/filter/XPathExpression.java
+@@ -19,8 +19,15 @@
+ import java.io.IOException;
+ import java.lang.reflect.Constructor;
+ import java.lang.reflect.InvocationTargetException;
++import java.util.ArrayList;
++import java.util.List;
++import java.util.Map;
++import java.util.Properties;
+
+ import javax.jms.JMSException;
++import javax.xml.parsers.DocumentBuilder;
++import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+
+ import org.apache.activemq.command.Message;
+ import org.apache.activemq.util.JMSExceptionSupport;
+@@ -35,8 +42,10 @@
+     private static final Logger LOG = LoggerFactory.getLogger(XPathExpression.class);
+     private static final String EVALUATOR_SYSTEM_PROPERTY = "org.apache.activemq.XPathEvaluatorClassName";
+     private static final String DEFAULT_EVALUATOR_CLASS_NAME = XalanXPathEvaluator.class.getName();
++    public static final String DOCUMENT_BUILDER_FACTORY_FEATURE = "org.apache.activemq.documentBuilderFactory.feature";
+
+     private static final Constructor EVALUATOR_CONSTRUCTOR;
++    private static DocumentBuilder builder = null;
+
+     static {
+         String cn = System.getProperty(EVALUATOR_SYSTEM_PROPERTY, DEFAULT_EVALUATOR_CLASS_NAME);
+@@ -44,6 +53,21 @@
+         try {
+             try {
+                 m = getXPathEvaluatorConstructor(cn);
++                DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
++                builderFactory.setNamespaceAware(true);
++                builderFactory.setIgnoringElementContentWhitespace(true);
++                builderFactory.setIgnoringComments(true);
++                try {
++                    // set some reasonable defaults
++                    builderFactory.setFeature("http://xml.org/sax/features/external-general-entities";, false);
++                    builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";, false);
++                    builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
++                } catch (ParserConfigurationException e) {
++                    LOG.warn("Error setting document builder factory feature", e);
++                }
++                // setup the feature from the system property
++                setupFeatures(builderFactory);
++                builder = builderFactory.newDocumentBuilder();
+             } catch (Throwable e) {
+                 LOG.warn("Invalid " + XPathEvaluator.class.getName() + " implementation: " + cn + ", reason: " + e, e);
+                 cn = DEFAULT_EVALUATOR_CLASS_NAME;
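Review bot: The three `setFeature` calls share one try block whose `ParserConfigurationException` is only logged, so a parser that rejects the first feature skips the other two and `newDocumentBuilder()` still returns a builder without the external-entity protections. For an XXE fix the safer default is to fail closed: drop the inner try/catch so the exception reaches the outer `catch (Throwable e)` and `builder` stays null, which makes the XalanXPathEvaluator constructor throw "No document builder available". If parsers lacking some of these features must stay usable, set each feature in its own try and require at least `disallow-doctype-decl` to succeed. The static initializer continues outside this hunk.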
+@@ -75,12 +99,41 @@
+         if (!XPathEvaluator.class.isAssignableFrom(c)) {
+             throw new ClassCastException("" + c + " is not an instance of " + XPathEvaluator.class);
+         }
+-        return c.getConstructor(new Class[] {String.class});
++        return c.getConstructor(new Class[] {String.class, DocumentBuilder.class});
++    }
++
++    protected static void setupFeatures(DocumentBuilderFactory factory) {
++        Properties properties = System.getProperties();
++        List<String> features = new ArrayList<String>();
++        for (Map.Entry<Object, Object> prop : properties.entrySet()) {
++            String key = (String) prop.getKey();
++            if (key.startsWith(DOCUMENT_BUILDER_FACTORY_FEATURE)) {
++                String uri = key.split(DOCUMENT_BUILDER_FACTORY_FEATURE + ":")[1];
++                Boolean value = Boolean.valueOf((String)prop.getValue());
++                try {
++                    factory.setFeature(uri, value);
++                    features.add("feature " + uri + " value " + value);
++                } catch (ParserConfigurationException e) {
++                    LOG.warn("DocumentBuilderFactory doesn't support the feature {} with value {}, due to {}.", new Object[]{uri, value, e});
++                }
++            }
++        }
++        if (features.size() > 0) {
++            StringBuffer featureString = new StringBuffer();
++            // just log the configured feature
++            for (String feature : features) {
++                if (featureString.length() != 0) {
++                    featureString.append(", ");
++                }
++                featureString.append(feature);
++            }
++        }
++
+     }
+
+     private XPathEvaluator createEvaluator(String xpath2) {
+         try {
+-            return (XPathEvaluator)EVALUATOR_CONSTRUCTOR.newInstance(new Object[] {xpath});
++            return (XPathEvaluator)EVALUATOR_CONSTRUCTOR.newInstance(new Object[] {xpath, builder});
+         } catch (InvocationTargetException e) {
+             Throwable cause = e.getCause();
+             if (cause instanceof RuntimeException) {
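Review bot: `setupFeatures` lets system properties under `org.apache.activemq.documentBuilderFactory.feature` override the hardening applied in the static initializer, yet the assembled `featureString` is never passed to the logger, so a deployment that re-enables external entities leaves no trace. Add `LOG.info("DocumentBuilderFactory features set from system properties: {}", featureString);` after the inner loop. The key parsing is also fragile: `key.split(DOCUMENT_BUILDER_FACTORY_FEATURE + ":")[1]` treats the prefix as a regex and throws ArrayIndexOutOfBoundsException for a key that starts with the prefix but has no `:` suffix, which escapes into the static initializer and leaves `builder` null. Testing `key.startsWith(DOCUMENT_BUILDER_FACTORY_FEATURE + ":")` and taking `key.substring(DOCUMENT_BUILDER_FACTORY_FEATURE.length() + 1)` avoids both problems.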
diff -Nru activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3612.patch activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3612.patch
--- activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3612.patch     1970-01-01 01:00:00.000000000 +0100
+++ activemq-5.6.0+dfsg1/debian/patches/CVE-2014-3612.patch     2015-02-18 19:42:28.000000000 +0100
@@ -0,0 +1,312 @@
+Description: Fix CVE-2014-3612: ActiveMQ JAAS: LDAPLoginModule allows empty password authentication.
+ This patch can be removed after upgrading to ActiveMQ 5.10.1 or later.
+Origin: backport, https://github.com/apache/activemq/commit/0b5231ad
+Bug: https://issues.apache.org/jira/browse/AMQ-5345
+--- a/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
++++ b/activemq-core/src/main/java/org/apache/activemq/security/LDAPAuthorizationMap.java
+@@ -465,11 +465,15 @@
+         try {
+             Hashtable<String, String> env = new Hashtable<String, String>();
+             env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
+-            if (connectionUsername != null || !"".equals(connectionUsername)) {
++            if (connectionUsername != null && !"".equals(connectionUsername)) {
+                 env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
++            } else {
++                throw new NamingException("Empty username is not allowed");
+             }
+-            if (connectionPassword != null || !"".equals(connectionPassword)) {
++            if (connectionPassword != null && !"".equals(connectionPassword)) {
+                 env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
++            } else {
++                throw new NamingException("Empty password is not allowed");
+             }
+             env.put(Context.SECURITY_PROTOCOL, connectionProtocol);
+             env.put(Context.PROVIDER_URL, connectionURL);
+--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
++++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/LDAPLoginModule.java
+@@ -194,7 +194,7 @@
+         try {
+
+             String filter = userSearchMatchingFormat.format(new String[] {
+-                username
++                doRFC2254Encoding(username)
+             });
+             SearchControls constraints = new SearchControls();
+             if (userSearchSubtreeBool) {
+@@ -291,7 +291,7 @@
+             return list;
+         }
+         String filter = roleSearchMatchingFormat.format(new String[] {
+-            doRFC2254Encoding(dn), username
++            doRFC2254Encoding(dn), doRFC2254Encoding(username)
+         });
+
+         SearchControls constraints = new SearchControls();
+@@ -408,9 +408,14 @@
+             env.put(Context.INITIAL_CONTEXT_FACTORY, getLDAPPropertyValue(INITIAL_CONTEXT_FACTORY));
+             if (isLoginPropertySet(CONNECTION_USERNAME)) {
+                 env.put(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME));
++            } else {
++                throw new NamingException("Empty username is not allowed");
+             }
++
+             if (isLoginPropertySet(CONNECTION_PASSWORD)) {
+                 env.put(Context.SECURITY_CREDENTIALS, getLDAPPropertyValue(CONNECTION_PASSWORD));
++            } else {
++                throw new NamingException("Empty password is not allowed");
+             }
+             env.put(Context.SECURITY_PROTOCOL, getLDAPPropertyValue(CONNECTION_PROTOCOL));
+             env.put(Context.PROVIDER_URL, getLDAPPropertyValue(CONNECTION_URL));
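Review bot: These added checks validate only the configured `CONNECTION_USERNAME` and `CONNECTION_PASSWORD` used for the module's own directory connection; none of the LDAPLoginModule hunks shown rejects an empty password supplied by the client through the `PasswordCallback`. Many LDAP servers treat a simple bind with a DN and an empty password as an unauthenticated bind that succeeds, which is the behaviour the patch description names. Unless the user-bind code outside these hunks already does so, reject the empty value before binding, e.g. `if (password == null || password.length() == 0) throw new FailedLoginException("Password cannot be null or empty");` (variable name assumed, since the method is not visible here). The new `testUnauthenticated` case sets `connectionPassword=""` together with a non-empty user password, so it would not catch this path.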
+@@ -433,7 +438,7 @@
+
+     private boolean isLoginPropertySet(String propertyName) {
+       for (int i=0; i < config.length; i++ ) {
+-              if (config[i].getPropertyName() == propertyName && config[i].getPropertyValue() != null)
++              if (config[i].getPropertyName() == propertyName && (config[i].getPropertyValue() != null && !"".equals(config[i].getPropertyValue())))
+                               return true;
+       }
+       return false;
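Review bot: The rewritten condition still compares property names with `==`, which tests object identity rather than string content and only works while both sides are the same interned constant. With the else branches added in the previous hunk, a mismatch here now surfaces as a misleading "Empty username is not allowed" or "Empty password is not allowed" failure. Use `propertyName.equals(config[i].getPropertyName())` and keep the added non-empty check unchanged.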
+--- a/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
++++ b/activemq-jaas/src/test/java/org/apache/activemq/jaas/LDAPLoginModuleTest.java
+@@ -41,7 +41,9 @@
+ import java.util.HashSet;
+ import java.util.Hashtable;
+
++import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertTrue;
++import static org.junit.Assert.fail;
+
+ @RunWith ( FrameworkRunner.class )
+ @CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)})
+@@ -121,4 +123,29 @@
+         context.logout();
+     }
+
++    @Test
++    public void testUnauthenticated() throws LoginException {
++        LoginContext context = new LoginContext("UnAuthenticatedLDAPLogin", new CallbackHandler() {
++            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
++                for (int i = 0; i < callbacks.length; i++) {
++                    if (callbacks[i] instanceof NameCallback) {
++                        ((NameCallback) callbacks[i]).setName("first");
++                    } else if (callbacks[i] instanceof PasswordCallback) {
++                        ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray());
++                    } else {
++                        throw new UnsupportedCallbackException(callbacks[i]);
++                    }
++                }
++            }
++        });
++        try {
++            context.login();
++        } catch (LoginException le) {
++            assertEquals(le.getCause().getMessage(), "Empty password is not allowed");
++            return;
++        }
++        fail("Should have failed authenticating");
++    }
++
++
+ }
+--- a/activemq-jaas/src/test/resources/login.config
++++ b/activemq-jaas/src/test/resources/login.config
+@@ -40,6 +40,25 @@
+         ;
+ };
+
++UnAuthenticatedLDAPLogin {
++    org.apache.activemq.jaas.LDAPLoginModule required
++        debug=true
++        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
++        connectionURL="ldap://localhost:1024";
++        connectionUsername="uid=admin,ou=system"
++        connectionPassword=""
++        connectionProtocol=s
++        authentication=simple
++        userBase="ou=system"
++        userSearchMatching="(uid={0})"
++        userSearchSubtree=false
++        roleBase="ou=system"
++        roleName=dummyRoleName
++        roleSearchMatching="(uid={1})"
++        roleSearchSubtree=false
++        ;
++};
++
+ GuestLogin {
+     org.apache.activemq.jaas.GuestLoginModule required
+         debug=true
+--- /dev/null
++++ b/activemq-unit-tests/src/test/java/org/apache/activemq/security/LDAPAuthenticationTest.java
+@@ -0,0 +1,83 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.security;
++import static org.junit.Assert.assertNotNull;
++import static org.junit.Assert.fail;
++
++import javax.jms.Connection;
++import javax.jms.Destination;
++import javax.jms.JMSException;
++import javax.jms.Message;
++import javax.jms.MessageConsumer;
++import javax.jms.MessageProducer;
++import javax.jms.Queue;
++import javax.jms.Session;
++
++import org.apache.activemq.ActiveMQConnectionFactory;
++import org.apache.activemq.broker.BrokerFactory;
++import org.apache.activemq.broker.BrokerService;
++import org.apache.directory.server.annotations.CreateLdapServer;
++import org.apache.directory.server.annotations.CreateTransport;
++import org.apache.directory.server.core.annotations.ApplyLdifFiles;
++import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
++import org.apache.directory.server.core.integ.FrameworkRunner;
++import org.apache.directory.server.ldap.LdapServer;
++import org.junit.After;
++import org.junit.Before;
++import org.junit.Test;
++import org.junit.runner.RunWith;
++
++
++@RunWith( FrameworkRunner.class )
++@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)})
++@ApplyLdifFiles(
++   "org/apache/activemq/security/activemq.ldif"
++)
++public class LDAPAuthenticationTest extends AbstractLdapTestUnit {
++
++    public BrokerService broker;
++
++    public static LdapServer ldapServer;
++
++    @Before
++    public void setup() throws Exception {
++        System.setProperty("ldapPort", String.valueOf(getLdapServer().getPort()));
++
++        broker = BrokerFactory.createBroker("xbean:org/apache/activemq/security/activemq-ldap-auth.xml");
++        broker.start();
++        broker.waitUntilStarted();
++    }
++
++    @After
++    public void shutdown() throws Exception {
++        broker.stop();
++        broker.waitUntilStopped();
++    }
++
++    @Test
++    public void testWildcard() throws Exception {
++        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
++        Connection conn = factory.createQueueConnection("*", "sunflower");
++        try {
++            conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
++        } catch (Exception e) {
++            e.printStackTrace();
++            return;
++        }
++        fail("Should have failed connecting");
++    }
++}
+\ No newline at end of file
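Review bot: `testWildcard` treats any exception thrown by `createSession` as success, so it also passes on failures unrelated to authentication rather than only when the `*` username is rejected. Narrow the catch to the exception the broker raises for a refused login (presumably `javax.jms.JMSSecurityException`, to be confirmed against the broker code) and let everything else fail the test. The connection is never closed either; a `finally { conn.close(); }` would keep it from lingering into `shutdown()`.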
+--- a/activemq-core/src/test/java/org/apache/activemq/security/LDAPSecurityTest.java
++++ b/activemq-core/src/test/java/org/apache/activemq/security/LDAPSecurityTest.java
+@@ -38,7 +38,7 @@
+
+
+ @RunWith( FrameworkRunner.class )
+-@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")})
++@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=1024)})
+ @ApplyLdifFiles(
+    "org/apache/activemq/security/activemq.ldif"
+ )
+--- a/activemq-core/src/test/resources/login.config
++++ b/activemq-core/src/test/resources/login.config
+@@ -65,4 +65,23 @@
+         debug=true
+         org.apache.activemq.jaas.textfiledn.user="org/apache/activemq/security/users2.properties"
+         org.apache.activemq.jaas.textfiledn.group="org/apache/activemq/security/groups.properties";
++};
++
++LDAPLogin {
++    org.apache.activemq.jaas.LDAPLoginModule required
++        debug=true
++        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
++        connectionURL="ldap://localhost:1024";
++        connectionUsername="uid=admin,ou=system"
++        connectionPassword=secret
++        connectionProtocol=s
++        authentication=simple
++        userBase="ou=User,ou=ActiveMQ,ou=system"
++        userSearchMatching="(uid={0})"
++        userSearchSubtree=false
++        roleBase="ou=Group,ou=ActiveMQ,ou=system"
++        roleName=cn
++        roleSearchMatching="(uid={1})"
++        roleSearchSubtree=true
++        ;
+ };
+\ No newline at end of file
+--- /dev/null
++++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-ldap-auth.xml
+@@ -0,0 +1,46 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!--
++    Licensed to the Apache Software Foundation (ASF) under one or more
++    contributor license agreements.  See the NOTICE file distributed with
++    this work for additional information regarding copyright ownership.
++    The ASF licenses this file to You under the Apache License, Version 2.0
++    (the "License"); you may not use this file except in compliance with
++    the License.  You may obtain a copy of the License at
++
++    http://www.apache.org/licenses/LICENSE-2.0
++
++    Unless required by applicable law or agreed to in writing, software
++    distributed under the License is distributed on an "AS IS" BASIS,
++    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++    See the License for the specific language governing permissions and
++    limitations under the License.
++-->
++<!-- START SNIPPET: xbean -->
++<beans
++  xmlns="http://www.springframework.org/schema/beans";
++  xmlns:amq="http://activemq.apache.org/schema/core";
++  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
++  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
++  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd";>
++
++  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
++
++  <broker useJmx="false"  xmlns="http://activemq.apache.org/schema/core"; persistent="false">
++
++      <destinations>
++         <queue physicalName="ADMIN.FOO" />
++      </destinations>
++
++      <plugins>
++          <jaasAuthenticationPlugin configuration="LDAPLogin"/>
++      </plugins>
++
++
++    <transportConnectors>
++      <transportConnector uri="tcp://localhost:61616"/>
++    </transportConnectors>
++
++  </broker>
++
++</beans>
++<!-- END SNIPPET: xbean -->
diff -Nru activemq-5.6.0+dfsg1/debian/patches/series activemq-5.6.0+dfsg1/debian/patches/series
--- activemq-5.6.0+dfsg1/debian/patches/series  2014-09-29 09:26:05.000000000 +0200
+++ activemq-5.6.0+dfsg1/debian/patches/series  2015-02-18 19:06:29.000000000 +0100
@@ -7,3 +7,5 @@
 activemq-admin.patch
 exclude_mqtt.diff
 exclude_leveldb.diff
+CVE-2014-3600.patch
+CVE-2014-3612.patch

