Source: activemq
Version: 5.17.6+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/AMQ-6596
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for activemq.

CVE-2025-27533[0]:
| Memory Allocation with Excessive Size Value vulnerability in Apache
| ActiveMQ. During unmarshalling of OpenWire commands the size value
| of buffers was not properly validated which could lead to excessive
| memory allocation and be exploited to cause a denial of service
| (DoS) by depleting process memory, thereby affecting applications
| and services that rely on the availability of the ActiveMQ broker
| when not using mutual TLS connections. This issue affects Apache
| ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from
| 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not
| affected. Users are recommended to upgrade to version 6.1.6+,
| 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue.
| Existing users may implement mutual TLS to mitigate the risk on
| affected brokers.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27533
https://www.cve.org/CVERecord?id=CVE-2025-27533
[1] https://issues.apache.org/jira/browse/AMQ-6596

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)