From 4f36e2a160c2bf774f96dac099da49bb81398698 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=B1=88=E4=B9=A6=E5=9D=A4?=
Date: Mon, 22 Sep 2025 14:40:53 +0800
Subject: [PATCH] fix CVE-2023-50780
---
 0001-fix_CVE-2023-50780.patch | 39 +++++++++++++++++++++++++++++++++++
 artemis.spec | 7 ++++++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix_CVE-2023-50780.patch
diff --git a/0001-fix_CVE-2023-50780.patch b/0001-fix_CVE-2023-50780.patch
new file mode 100644
index 0000000..2a5c8e4
--- /dev/null
+++ b/0001-fix_CVE-2023-50780.patch
@@ -0,0 +1,39 @@
+From 8ef58b3120a9f84639c28115d0660adf27f9db8e Mon Sep 17 00:00:00 2001
+From: root
+Date: Mon, 22 Sep 2025 14:21:28 +0800
+Subject: [PATCH] fix_CVE-2023-50780
+
+---
+ .../apache/activemq/artemis/cli/commands/etc/artemis.profile | 2 +-
+ .../activemq/artemis/cli/commands/etc/artemis.profile.cmd | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/BUILD/activemq-artemis-1.4.0/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile b/BUILD/activemq-artemis-1.4.0/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
+index 8dab799..d88217a 100644
+--- a/BUILD/activemq-artemis-1.4.0/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
++++ b/BUILD/activemq-artemis-1.4.0/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
+@@ -23,7 +23,7 @@ ARTEMIS_INSTANCE='${artemis.instance}'
+
+
+ # Java Opts
+-JAVA_ARGS="-XX:+UseParallelGC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M"
++JAVA_ARGS="-XX:+UseParallelGC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Dlog4j2.disableJmx=true"
+
+ #
+ # There might be options that you only want to enable on specifc commands, like setting a JMX port
+diff --git a/BUILD/activemq-artemis-1.4.0/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd b/BUILD/activemq-artemis-1.4.0/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
+index 47e288c..5914d9f 100644
+--- a/BUILD/activemq-artemis-1.4.0/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
++++ b/BUILD/activemq-artemis-1.4.0/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
+@@ -23,7 +23,7 @@ rem Cluster Properties: Used to pass arguments to ActiveMQ Artemis which can be
+ rem set ARTEMIS_CLUSTER_PROPS=-Dactivemq.remoting.default.port=61617 -Dactivemq.remoting.amqp.port=5673 -Dactivemq.remoting.stomp.port=61614 -Dactivemq.remoting.hornetq.port=5446
+
+ rem Java Opts
+-set JAVA_ARGS=-XX:+UseParallelGC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config ${java-opts} -Dartemis.instance=%ARTEMIS_INSTANCE%
++set JAVA_ARGS=-XX:+UseParallelGC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config ${java-opts} -Dartemis.instance=%ARTEMIS_INSTANCE% -Dlog4j2.disableJmx=true
+
+ rem There might be options that you only want to enable on specifc commands, like setting a JMX port
+ rem See https://issues.apache.org/jira/browse/ARTEMIS-318
+--
+2.43.5
+
diff --git a/artemis.spec b/artemis.spec
index c396337..8ec2039 100644
--- a/artemis.spec
+++ b/artemis.spec
@@ -1,11 +1,12 @@
 Name: artemis
 Version: 1.4.0
-Release: 2
+Release: 3
 Summary: Java high performance, clustered, asynchronous messaging system
 License: ASL 2.0
 URL: https://github.com/apache/activemq-artemis/
 Source0: https://github.com/apache/activemq-artemis/archive/%{version}/%{name}-%{version}.tar.gz
 Patch0: artemis-netty-4.1.patch
+Patch1: 0001-fix_CVE-2023-50780.patch
 BuildRequires: gcc-c++ cmake libaio-devel libtool maven-local mvn(com.google.guava:guava)
 BuildRequires: mvn(commons-beanutils:commons-beanutils) mvn(io.airlift:airline)
 BuildRequires: mvn(io.netty:netty-all) mvn(javax.inject:javax.inject)
@@ -225,6 +226,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n activemq-%{name}-%{version}
 %patch0 -p1
+%patch1 -p1
 find -name "*.class" -print -delete
 find -name "*.dll" -print -delete
 find -name "*.exe" -print -delete
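Review bot: Appending `-Dlog4j2.disableJmx=true` to `JAVA_ARGS` in both templates only mitigates CVE-2023-50780 if this 1.4.0 build actually loads Log4j 2, and the `.cmd` context line puts `${logmanager}` on the boot classpath, which suggests a different logging backend for which the property would be ignored. Before shipping this as the fix, confirm whether a Log4j 2 MBean is registered at all in this version, and record the finding in the patch description so the changelog does not claim a mitigation that has no effect. These two files also look like the templates from which a broker instance's `etc/artemis.profile` is generated (note the `${artemis.instance}` placeholder), so already-created instances would presumably need the flag added by hand; the update notes should say so.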
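Review bot: `%patch1 -p1` does not match the paths in the new patch, which are written as `a/BUILD/activemq-artemis-1.4.0/artemis-cli/...`, while `%setup -q -n activemq-%{name}-%{version}` has already entered that source directory. Stripping one component leaves a `BUILD/activemq-artemis-1.4.0/` prefix that should not exist there, so `%prep` is expected to fail on this step. Either regenerate the patch relative to the source root, or apply it with `%patch1 -p3`. The rest of `%prep` continues outside the hunk.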
@@ -355,6 +357,9 @@ install -pm 755 artemis-native/bin/libartemis-native-%{__isa_bits}.so %{buildroo
 %license LICENSE NOTICE
 %changelog
+* Mon Sep 22 2025 ShuKun Qu - 1.4.0-3
+- Fix CVE-2023-50780
+
 * Thu Sep 9 2021 caodongxia - 1.4.0-2
 - Add debug package to add strip
--
Gitee