CVE-2019-0222

Name	CVE-2019-0222
Description	In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2582-1, DLA-2583-1
Debian Bugs	925964, 988109

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
activemq (PTS)	jessie, jessie (lts)	5.6.0+dfsg1-4+deb8u3	fixed
	stretch (security), stretch (lts), stretch	5.14.3-3+deb9u2	fixed
	buster (security), buster, buster (lts)	5.15.16-0+deb10u1	fixed
	bullseye	5.16.1-1	fixed
	bullseye (security)	5.16.1-1+deb11u1	fixed
	bookworm (security), bookworm	5.17.2+dfsg-2+deb12u1	fixed
	sid, trixie	5.17.6+dfsg-1	fixed
mqtt-client (PTS)	stretch (security), stretch (lts), stretch	1.14-1+deb9u1	fixed
	buster	1.14-1+deb10u1	fixed
	sid, trixie, bullseye, bookworm	1.16-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
activemq	source	wheezy	(unfixed)	end-of-life
activemq	source	jessie	(not affected)
activemq	source	stretch	5.14.3-3+deb9u2		DLA-2583-1
activemq	source	(unstable)	5.15.9-1	unimportant		925964
mqtt-client	source	stretch	1.14-1+deb9u1		DLA-2582-1
mqtt-client	source	buster	1.14-1+deb10u1
mqtt-client	source	(unstable)	1.16-1			988109

Notes

[jessie] - activemq <not-affected> (MQTT support not enabled)
http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
activemq disabled MQTT transport in 5.6.0+dfsg-1 (d/patches/exclude_mqtt.diff)
but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external mqtt-client.
https://github.com/fusesource/mqtt-client/commit/2898f10be758decdc85ba6c523cb5be6b9092855 (mqtt-client-project-1.15)