activemq - Debian Package Tracker

general

source: activemq (main)
version: 5.17.6+dfsg-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Damien Raude-Morvan [DMD] – Emmanuel Arias [DMD]
arch: all
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 5.16.1-1
o-o-sec: 5.16.1-1+deb11u2
oldstable: 5.17.2+dfsg-2+deb12u1
old-sec: 5.17.2+dfsg-2+deb12u1
stable: 5.17.6+dfsg-2
unstable: 5.17.6+dfsg-2

versioned links

5.16.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.16.1-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.17.2+dfsg-2+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.17.6+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

activemq (3 bugs: 1, 2, 0, 0)
libactivemq-java

action needed

A new upstream version is available: 6.2.1 high

A new upstream version 6.2.1 is available, you should consider packaging it.

Created: 2025-11-27 Last update: 2026-03-07 12:00

2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:

CVE-2025-27533: Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue. Existing users may implement mutual TLS to mitigate the risk on affected brokers.
CVE-2025-66168: Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

Created: 2025-05-07 Last update: 2026-03-06 09:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-66168: Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

Created: 2026-03-06 Last update: 2026-03-06 09:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-66168: Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

Created: 2026-03-06 Last update: 2026-03-06 09:30

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2025-66168: Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

Created: 2026-03-06 Last update: 2026-03-06 09:30

lintian reports 1 error and 1 warning high

Lintian reports 1 error and 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-06-03 Last update: 2025-06-03 05:30

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-01-22 Last update: 2026-03-07 12:31

Depends on packages which need a new maintainer normal

The packages that activemq depends on which need a new maintainer are:

javacc-maven-plugin (#922602)
- Build-Depends: libjavacc-maven-plugin-java

Created: 2019-11-22 Last update: 2026-03-07 11:30

debian/patches: 4 patches to forward upstream low

Among the 7 debian patches available in version 5.17.6+dfsg-2 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-06-03 07:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.1).

Created: 2022-12-17 Last update: 2025-12-23 20:00

testing migrations

excuses:
- Migrates after: shiro
- Migration status for activemq (- to 5.17.6+dfsg-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating activemq would introduce bugs in testing: #1039120
- ∙ ∙ Build-Depends(-Arch): activemq shiro
- ∙ ∙ Depends: activemq shiro
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/a/activemq.html
- ∙ ∙ Reproduced on amd64
- ∙ ∙ Reproduced on arm64
- ∙ ∙ Reproduced on armhf
- ∙ ∙ Reproduced on i386
- ∙ ∙ Reproduced on ppc64el
- ∙ ∙ 277 days old (needed 5 days)
- Not considered

news

[rss feed]

[2025-11-18] activemq REMOVED from testing (Debian testing watch)
[2025-06-19] Accepted activemq 5.16.1-1+deb11u2 (source) into oldstable-security (Emmanuel Arias)
[2025-06-08] activemq 5.17.6+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-06-02] Accepted activemq 5.17.6+dfsg-2 (source) into unstable (Emmanuel Arias)
[2024-10-27] Accepted activemq 5.17.2+dfsg-2+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Santiago Ruano Rincón)
[2024-10-26] Accepted activemq 5.17.2+dfsg-2+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Santiago Ruano Rincón)
[2024-10-25] Accepted activemq 5.16.1-1+deb11u1 (source) into oldstable-security (Santiago Ruano Rincón)
[2023-11-24] activemq 5.17.6+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-11-20] Accepted activemq 5.15.16-0+deb10u1 (source) into oldoldstable (Markus Koschany)
[2023-11-19] Accepted activemq 5.17.6+dfsg-1 (source) into unstable (tony mancill)
[2023-02-23] activemq 5.17.2+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-02-12] Accepted activemq 5.17.2+dfsg-2 (source) into unstable (tony mancill)
[2022-10-31] activemq 5.17.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-10-24] Accepted activemq 5.17.2+dfsg-1 (source) into unstable (Pierre Gruet)
[2022-07-08] activemq 5.16.1-2 MIGRATED to testing (Debian testing watch)
[2022-07-01] Accepted activemq 5.16.1-2 (source) into unstable (Pierre Gruet)
[2021-09-24] activemq REMOVED from testing (Debian testing watch)
[2021-03-12] activemq 5.16.1-1 MIGRATED to testing (Debian testing watch)
[2021-03-05] Accepted activemq 5.14.3-3+deb9u2 (source) into oldstable (Abhijith PA)
[2021-03-02] Accepted activemq 5.16.1-1 (source) into unstable (Markus Koschany)
[2020-10-13] activemq 5.16.0-1 MIGRATED to testing (Debian testing watch)
[2020-10-13] activemq 5.16.0-1 MIGRATED to testing (Debian testing watch)
[2020-10-07] Accepted activemq 5.14.3-3+deb9u1 (source) into oldstable (Markus Koschany)
[2020-10-07] Accepted activemq 5.16.0-1 (source) into unstable (Markus Koschany)
[2020-01-07] activemq 5.15.11-1 MIGRATED to testing (Debian testing watch)
[2020-01-06] activemq REMOVED from testing (Debian testing watch)
[2019-11-29] activemq 5.15.11-1 MIGRATED to testing (Debian testing watch)
[2019-11-23] Accepted activemq 5.15.11-1 (source) into unstable (Markus Koschany)
[2019-09-04] activemq 5.15.10-1 MIGRATED to testing (Debian testing watch)
[2019-08-29] Accepted activemq 5.15.10-1 (source) into unstable (Markus Koschany)

bugs [bug history graph]

all: 4
RC: 1
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (1, 1)
buildd: logs
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.17.6+dfsg-2
2 bugs