CVE-2019-0222

Name	CVE-2019-0222
Description	In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2582-1, DLA-2583-1
Debian Bugs	925964, 988109

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
activemq (PTS)	bullseye	5.16.1-1	fixed
	bullseye (security)	5.16.1-1+deb11u1	fixed
	bookworm, bookworm (security)	5.17.2+dfsg-2+deb12u1	fixed
	sid, trixie	5.17.6+dfsg-1	fixed
mqtt-client (PTS)	sid, trixie, bookworm, bullseye	1.16-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
activemq	source	jessie	(not affected)
activemq	source	stretch	5.14.3-3+deb9u2		DLA-2583-1
activemq	source	(unstable)	5.15.9-1	unimportant		925964
mqtt-client	source	stretch	1.14-1+deb9u1		DLA-2582-1
mqtt-client	source	buster	1.14-1+deb10u1
mqtt-client	source	(unstable)	1.16-1			988109

Notes

[jessie] - activemq <not-affected> (MQTT support not enabled)
http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
activemq disabled MQTT transport in 5.6.0+dfsg-1 (d/patches/exclude_mqtt.diff)
but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external mqtt-client.
https://github.com/fusesource/mqtt-client/commit/2898f10be758decdc85ba6c523cb5be6b9092855 (mqtt-client-project-1.15)