| field | value | date |
|---|---|---|
| author | tj <tj@FreeBSD.org> | 2016-03-26 01:04:02 +0800 |
| committer | tj <tj@FreeBSD.org> | 2016-03-26 01:04:02 +0800 |
| commit | 3348bc364ae103b845078b0568ef26dcfdbf54ca (patch) | |
| tree | 48ae7ef5dc5b1f1bf926d249545152b103cd43f0 /security | |
| parent | 2bdeb5d8e1952646295c48958a73549da86b3242 (diff) | |
| download | freebsd-ports-gnome-3348bc364ae103b845078b0568ef26dcfdbf54ca.tar.gz freebsd-ports-gnome-3348bc364ae103b845078b0568ef26dcfdbf54ca.tar.zst freebsd-ports-gnome-3348bc364ae103b845078b0568ef26dcfdbf54ca.zip | |
Document multiple activemq vulnerabilities:
CVE-2016-0782 - ActiveMQ Web Console - Cross-Site Scripting
CVE-2016-0734 - ActiveMQ Web Console - Clickjacking
CVE-2015-5254 - Unsafe deserialization in ActiveMQ
PR: 208163
PR: 208193
Security: CVE-2015-5254
Security: http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
Security: CVE-2016-0782
Security: http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt
Security: CVE-2016-0734
Security: http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 377e482bc293..61ab72aefd3e 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -58,6 +58,98 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="a258604d-f2aa-11e5-b4a9-ac220bdcec59"> + <topic>activemq -- Unsafe deserialization</topic> + <affects> + <package> + <name>activemq</name> + <range><lt>5.13.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Alvaro Muatoz, Matthias Kaiser and Christian Schneider reports:</p> + <blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"> + <p>JMS Object messages depends on Java Serialization for + marshaling/unmashaling of the message payload. There are a couple of places + inside the broker where deserialization can occur, like web console or stomp + object message transformation. As deserialization of untrusted data can leaed to + security flaws as demonstrated in various reports, this leaves the broker + vunerable to this attack vector. Additionally, applications that consume + ObjectMessage type of messages can be vunerable as they deserlize objects on + ObjectMessage.getObject() calls.</p> + </blockquote> + </body> + </description> + <references> + <url>http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt</url> + <cvename>CVE-2015-5254</cvename> + </references> + <dates> + <discovery>2016-01-08</discovery> + <entry>2016-03-25</entry> + </dates> + </vuln> + + <vuln vid="950b2d60-f2a9-11e5-b4a9-ac220bdcec59"> + <topic>activemq -- Web Console Clickjacking</topic> + <affects> + <package> + <name>activemq</name> + <range><lt>5.13.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Michael Furman reports:</p> + <blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt"> + <p>The web based administration console does not set the + X-Frame-Options header in HTTP responses. 
This allows the console to be embedded + in a frame or iframe which could then be used to cause a user to perform an + unintended action in the console.</p> + </blockquote> + </body> + </description> + <references> + <url>http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt</url> + <cvename>CVE-2016-0734</cvename> + </references> + <dates> + <discovery>2016-03-10</discovery> + <entry>2016-03-25</entry> + </dates> + </vuln> + + <vuln vid="a6cc5753-f29e-11e5-b4a9-ac220bdcec59"> + <topic>activemq -- Web Console Cross-Site Scripting</topic> + <affects> + <package> + <name>activemq</name> + <range><lt>5.13.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Vladimir Ivanov (Positive Technologies) reports:</p> + <blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt"> + <p>Several instances of cross-site scripting vulnerabilities were + identified to be present in the web based administration console as well as the + ability to trigger a Java memory dump into an arbitrary folder. The root cause + of these issues are improper user data output validation and incorrect + permissions configured on Jolokia.</p> + </blockquote> + </body> + </description> + <references> + <url>http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt</url> + <cvename>CVE-2016-0782</cvename> + </references> + <dates> + <discovery>2016-03-10</discovery> + <entry>2016-03-25</entry> + </dates> + </vuln> + <vuln vid="7033b42d-ef09-11e5-b766-14dae9d210b8"> <topic>pcre -- stack buffer overflow</topic> <affects> |
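Review bot: the quoted advisory text in the CVE-2015-5254 entry contains several misspellings ("Muatoz" in the reporter's name, "unmashaling", "leaed", "vunerable", "deserlize") that should be checked against the linked announcement before this goes in, since vuxml descriptions are rendered verbatim on the advisory pages; if the announcement itself spells them that way, keep the quote as-is, otherwise correct it to match (the reporter name in particular looks like a dropped non-ASCII character, so confirm the file's encoding handles it or use the entity form the file already uses elsewhere). The rest of the three entries (affected ranges, CVE names, reference URLs and dates) match the commit message's Security: lines.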