Red Hat Product Errata RHSA-2012:1277 - Security Advisory
Issued:
2012-09-19
Updated:
2012-09-19

RHSA-2012:1277 - Security Advisory

Synopsis

Moderate: Red Hat Enterprise MRG Messaging 2.2 update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated Messaging component packages that fix two security issues, multiple
bugs, and add various enhancements are now available for Red Hat Enterprise
MRG 2.2 for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation
IT infrastructure for enterprise computing. MRG offers increased
performance, reliability, interoperability, and faster computing for
enterprise customers.

MRG Messaging is a high-speed reliable messaging distribution for Linux
based on AMQP (Advanced Message Queuing Protocol), an open protocol
standard for enterprise messaging that is designed to make mission critical
messaging widely available as a standard service, and to make enterprise
messaging interoperable across platforms, programming languages, and
vendors. MRG Messaging includes an AMQP 0-10 messaging broker; AMQP 0-10
client libraries for C++, Java JMS, and Python; as well as persistence
libraries and management tools.

It was discovered that the Apache Qpid daemon (qpidd) did not allow the
number of connections from clients to be restricted. A malicious client
could use this flaw to open an excessive amount of connections, preventing
other legitimate clients from establishing a connection to qpidd.
(CVE-2012-2145)

To address CVE-2012-2145, new qpidd configuration options were introduced:
max-negotiate-time defines the time during which initial protocol
negotiation must succeed, connection-limit-per-user and
connection-limit-per-ip can be used to limit the number of connections per
user and client host IP. Refer to the qpidd manual page for additional
details.

It was discovered that qpidd did not require authentication for "catch-up"
shadow connections created when a new broker joins a cluster. A malicious
client could use this flaw to bypass client authentication. (CVE-2012-3467)

This update also fixes multiple bugs and adds enhancements. Documentation
for these changes will be available shortly from the Technical Notes
document linked to in the References section.

All users of the Messaging capabilities of Red Hat Enterprise MRG 2.2 are
advised to upgrade to these updated packages, which resolve the issues and
add the enhancements noted in the Red Hat Enterprise MRG 2 Technical Notes.
After installing the updated packages, stop the cluster by either running
"service qpidd stop" on all nodes, or "qpid-cluster --all-stop" on any one
of the cluster nodes. Once stopped, restart the cluster with "service qpidd
start" on all nodes for the update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • MRG Grid from RHUI 2 for RHEL 5 x86_64
  • Red Hat Enterprise MRG Messaging 2 for RHEL 5 x86_64
  • Red Hat Enterprise MRG Messaging 2 for RHEL 5 i386
  • MRG Grid 2 for RHEL 5 x86_64
  • MRG Grid 2 for RHEL 5 i386

Fixes

  • BZ - 689408 - ACL denials while replicating exclusive queues to a newly joined node
  • BZ - 693444 - Inconsistency in clients on reliability of receiver link from exchange
  • BZ - 809357 - "qpid-perftest.exe" and "qpid-latency-test.exe" fail with option "--tcp-nodelay" on Windows
  • BZ - 817175 - CVE-2012-2145 qpid-cpp: not closing incomplete connections exhausts file descriptors, leading to DoS
  • BZ - 836276 - CVE-2012-3467 qpid-cpp-server-cluster: unauthorized broker access caused by the use of NullAuthenticator catch-up shadow connections
  • BZ - 841488 - qpid-stat does not support multi-byte characters (UTF-8)

Red Hat Enterprise MRG Messaging 2 for RHEL 5

SRPM
mrg-release-2.2.0-1.el5.src.rpm SHA-256: f17b7a88ab03f4579000df03d145cc3f783e3bd7e9be506101dd342953a3a9f0
python-qpid-0.14-11.el5.src.rpm SHA-256: 23e2e8b88ea90445f2b4964a76dfb7297a18a65fc28f3851136d4ad4c6be68d9
qpid-cpp-mrg-0.14-22.el5.src.rpm SHA-256: 66d05c6b2b062ee6526fdf3e8c3e9ce1de81800a0c3f918d51df18be95a2f3cc
qpid-java-0.18-2.el5.src.rpm SHA-256: dbb330a30540ad888f6af1e7422c0dd24a14e7c5f18f3d777557fadfc621207c
qpid-jca-0.18-2.el5.src.rpm SHA-256: 248caff0cd5150ef3e6c17f770186085898a6a2fdaacbbe3602c1c7ccd869774
qpid-qmf-0.14-14.el5.src.rpm SHA-256: 5085e806510aab53052331f545931b113fe966fb8beac1f4d3cb6ad7889c95d6
qpid-tools-0.14-6.el5.src.rpm SHA-256: 9fbb4ca786b84b7a7bd8367f1259600fdf22f3f7af54707859bc876bf7f17c74
x86_64
mrg-release-2.2.0-1.el5.noarch.rpm SHA-256: c4f961b5445f8f621200e60d95e1b9fbed543d41633a1515addcc5d634241c06
python-qpid-0.14-11.el5.noarch.rpm SHA-256: cbd10cb081204df63ecc0454a44aee568cad004728873f9bbca6bf8dc80f5543
python-qpid-qmf-0.14-14.el5.x86_64.rpm SHA-256: 4ac304da59d48ccbd7b1fb6ad4bc97ffa36f1fadcc733780c3989a6689c24c87
qpid-cpp-client-0.14-22.el5.x86_64.rpm SHA-256: b271403221cb23650f8920100afe7aee3e78ae28bca5e2f78e6d7db8fba0bd51
qpid-cpp-client-devel-0.14-22.el5.x86_64.rpm SHA-256: 3e2bc4bfddd95c7bef2af20445ab0c141d4260a0212a7a90c9debdbf25db4c73
qpid-cpp-client-devel-docs-0.14-22.el5.x86_64.rpm SHA-256: 052083e2ff43563c9e01f102f558e1e1f730b10549a34b247b5db29b581de62f
qpid-cpp-client-rdma-0.14-22.el5.x86_64.rpm SHA-256: f880e8ae4f243252a6c6fd3006e415aed542c57efc30e89ac2b653e8c990eb53
qpid-cpp-client-ssl-0.14-22.el5.x86_64.rpm SHA-256: 1e028190988f2f471b94827fdad28e68b466af066d8ea72f245caffe55edb516
qpid-cpp-server-0.14-22.el5.x86_64.rpm SHA-256: 963d318cd7c2a8f8148ce4d39c8cc615a3b950a7510f963f399fcd33974a7eb5
qpid-cpp-server-cluster-0.14-22.el5.x86_64.rpm SHA-256: 8b7a14165995af75809cd7d1313f1daa34a4edee41dbc8d17221027f0835b40e
qpid-cpp-server-devel-0.14-22.el5.x86_64.rpm SHA-256: a1071d33c2b88592d82f5dd68209faf158c7347217af3912583de8a08f7ac3f5
qpid-cpp-server-rdma-0.14-22.el5.x86_64.rpm SHA-256: d074d2274cffa8d8d7898901791dfa538df6e4489a184c4bd89329c5162a01ea
qpid-cpp-server-ssl-0.14-22.el5.x86_64.rpm SHA-256: a616e46d1c79df7081873a248dc4d1f2829d878017f61839c2c167abfbe3e6e4
qpid-cpp-server-store-0.14-22.el5.x86_64.rpm SHA-256: 8b6a5dde9d7ea9972ab3b2d1cf40c2a99b49cf1f0da9946cf217f6e0b3ce3566
qpid-cpp-server-xml-0.14-22.el5.x86_64.rpm SHA-256: 698213f02001344864a050ae9a7dd3c257c6a630403c0aad9d2cadd65ae0fda5
qpid-java-client-0.18-2.el5.noarch.rpm SHA-256: 4e79c1c09ceff1995d5ed80a398532c7fd94a4ebce96822c5aac27d5a8bf718b
qpid-java-common-0.18-2.el5.noarch.rpm SHA-256: c71ae8bd8772975211327250c9e07d22b0074f69c71b9d491b0e8fef32e61663
qpid-java-example-0.18-2.el5.noarch.rpm SHA-256: ca544803b8e7d98c2dc9851c03f904665a0f1f505406484de2463ca1708bd506
qpid-jca-0.18-2.el5.noarch.rpm SHA-256: e2d2540997f212615fa48f59bc90f1fd57b915e1e2381655a58cc6459290f49f
qpid-jca-xarecovery-0.18-2.el5.noarch.rpm SHA-256: 77420418276c41671038b9ea2028ceec4728cf01e7f24e9851513e46860160be
qpid-qmf-0.14-14.el5.x86_64.rpm SHA-256: cfaddd56f2ceedd5dfb3cc208cdb5c1a3a707c9808ba3375cabef3c79ddefa07
qpid-qmf-devel-0.14-14.el5.x86_64.rpm SHA-256: ee5323e195edc35aeb9b70c938201f2901f111dc06b9dc0bf4eb4471b8cc7bab
qpid-tools-0.14-6.el5.noarch.rpm SHA-256: 7e419f809a9f30ca835cf4f18d82a4ca4af8da8b0d7ed2d1ee94bcefc89d7fb0
ruby-qpid-qmf-0.14-14.el5.x86_64.rpm SHA-256: 5233524504d40259058a20b4648d8622efb0c47edfcbfa9ea02541ab7b100af3
i386
mrg-release-2.2.0-1.el5.noarch.rpm SHA-256: c4f961b5445f8f621200e60d95e1b9fbed543d41633a1515addcc5d634241c06
python-qpid-0.14-11.el5.noarch.rpm SHA-256: cbd10cb081204df63ecc0454a44aee568cad004728873f9bbca6bf8dc80f5543
python-qpid-qmf-0.14-14.el5.i386.rpm SHA-256: 88cb154edfcca6c097b640b815280f2b56aac8b459d937805ca89c8f0cfd4d8a
qpid-cpp-client-0.14-22.el5.i386.rpm SHA-256: a7ee4639aba07ea9ebe0826a0946007a1fc5b817d7a281f51a1515b892e0b04f
qpid-cpp-client-devel-0.14-22.el5.i386.rpm SHA-256: 1aec8333f5969f01bfe356ddecbf91d3702d58a888f680ba7a774733dd8bed1f
qpid-cpp-client-devel-docs-0.14-22.el5.i386.rpm SHA-256: a26f5c4515630720d3646cd0ab886316f8bd29fb50880a88916b41d2b1056b82
qpid-cpp-client-rdma-0.14-22.el5.i386.rpm SHA-256: ded9a1d2cb2ea6c4712897bf93da132f753588322a3f9e9ca76d4ff46da3bfe9
qpid-cpp-client-ssl-0.14-22.el5.i386.rpm SHA-256: 6a3c22b4a92de3f9883ecee1e7e71cc46097e0733ca0b194ee818541d0ea41cc
qpid-cpp-server-0.14-22.el5.i386.rpm SHA-256: d03d2764b918942a777b3c9f4141d8a889ff1f23eff792885b6e06ddc25eb8fa
qpid-cpp-server-cluster-0.14-22.el5.i386.rpm SHA-256: 332d7265fcfdb02179cf07ee8fecb6a4bc6f5640d47eff65405660c3e0dce596
qpid-cpp-server-devel-0.14-22.el5.i386.rpm SHA-256: 97536d273ea7f65f38f55aeecb4a829021dad08f0dc21707c783b0a33ef0a3e6
qpid-cpp-server-rdma-0.14-22.el5.i386.rpm SHA-256: 10c1a36abe019ae32c5f297a28dd2aa4c1c377eed991cd2d25d1a351157ee390
qpid-cpp-server-ssl-0.14-22.el5.i386.rpm SHA-256: 5042440d0065fa530fd053eb2c6ce521eefb01243014393a64fa370c3d2fcf96
qpid-cpp-server-store-0.14-22.el5.i386.rpm SHA-256: 3e1395d4754d9570b99ab54d01573b7747e2c414dc81b4c8b9e96bc820b9ab3f
qpid-cpp-server-xml-0.14-22.el5.i386.rpm SHA-256: d8243baedb4fafa9d62b9262d3a81d1259b84fc31e39cc004735d6235d5a9b0e
qpid-java-client-0.18-2.el5.noarch.rpm SHA-256: 4e79c1c09ceff1995d5ed80a398532c7fd94a4ebce96822c5aac27d5a8bf718b
qpid-java-common-0.18-2.el5.noarch.rpm SHA-256: c71ae8bd8772975211327250c9e07d22b0074f69c71b9d491b0e8fef32e61663
qpid-java-example-0.18-2.el5.noarch.rpm SHA-256: ca544803b8e7d98c2dc9851c03f904665a0f1f505406484de2463ca1708bd506
qpid-jca-0.18-2.el5.noarch.rpm SHA-256: e2d2540997f212615fa48f59bc90f1fd57b915e1e2381655a58cc6459290f49f
qpid-jca-xarecovery-0.18-2.el5.noarch.rpm SHA-256: 77420418276c41671038b9ea2028ceec4728cf01e7f24e9851513e46860160be
qpid-qmf-0.14-14.el5.i386.rpm SHA-256: 22d55d79afd87c20eccf1313c680822eabd5d13c9c9ff6b952a16fbc22c2c6de
qpid-qmf-devel-0.14-14.el5.i386.rpm SHA-256: 77ec90795833f29472c50f1105c49aec9f55f1a056c1c95b234c59b555ee7da4
qpid-tools-0.14-6.el5.noarch.rpm SHA-256: 7e419f809a9f30ca835cf4f18d82a4ca4af8da8b0d7ed2d1ee94bcefc89d7fb0
ruby-qpid-qmf-0.14-14.el5.i386.rpm SHA-256: 6cb8769c422a206b5ae6514b650cfc90a0bb59f2521cab5f8b450acf27aff8a6

MRG Grid 2 for RHEL 5

SRPM
mrg-release-2.2.0-1.el5.src.rpm SHA-256: f17b7a88ab03f4579000df03d145cc3f783e3bd7e9be506101dd342953a3a9f0
x86_64
mrg-release-2.2.0-1.el5.noarch.rpm SHA-256: c4f961b5445f8f621200e60d95e1b9fbed543d41633a1515addcc5d634241c06
i386
mrg-release-2.2.0-1.el5.noarch.rpm SHA-256: c4f961b5445f8f621200e60d95e1b9fbed543d41633a1515addcc5d634241c06

MRG Grid from RHUI 2 for RHEL 5

SRPM
mrg-release-2.2.0-1.el5.src.rpm SHA-256: f17b7a88ab03f4579000df03d145cc3f783e3bd7e9be506101dd342953a3a9f0
x86_64
mrg-release-2.2.0-1.el5.noarch.rpm SHA-256: c4f961b5445f8f621200e60d95e1b9fbed543d41633a1515addcc5d634241c06

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.