Synopsis

Moderate: qpid-cpp security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Updated qpid-cpp packages that fix multiple security issues and one bug are
now available for Red Hat Enterprise MRG Messaging 2.5 for Red Hat
Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation
IT infrastructure for enterprise computing. MRG offers increased
performance, reliability, interoperability, and faster computing for
enterprise customers.

The Qpid packages provide a message broker daemon that receives, stores and
routes messages using the open AMQP messaging protocol along with run-time
libraries for AMQP client applications developed using Qpid C++. Clients
exchange messages with an AMQP message broker using the AMQP protocol.

It was discovered that the Qpid daemon (qpidd) did not restrict access to
anonymous users when the ANONYMOUS mechanism was disallowed.
(CVE-2015-0223)

Multiple flaws were found in the way the Qpid daemon (qpidd) processed
certain protocol sequences. An unauthenticated attacker able to send a
specially crafted protocol sequence set could use these flaws to crash
qpidd. (CVE-2015-0203, CVE-2015-0224)

Red Hat would like to thank the Apache Software Foundation for reporting
the CVE-2015-0203 issue. Upstream acknowledges G. Geshev from MWR Labs as
the original reporter.

This update also fixes the following bug:

• Prior to this update, because message purging was performed on a timer
  thread, large purge events could have caused all other timer tasks to be
  delayed. Because heartbeats were also driven by a timer on this thread,
  this could have resulted in clients timing out because they were not
  receiving heartbeats. The fix moves expired message purging from the timer
  thread to a worker thread, which allow long-running expired message purges
  to not affect timer tasks such as the heartbeat timer. (BZ#1142833)
  

All users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat Enterprise
Linux 6 are advised to upgrade to these updated packages, which correct
these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise MRG Messaging 2 for RHEL 6 x86_64
• Red Hat Enterprise MRG Messaging 2 for RHEL 6 i386
• MRG Grid Execute 2 x86_64

Fixes

• BZ - 1142833 - Purging TTL expired messages blocks all other timers, causing connection drops
• BZ - 1181721 - CVE-2015-0203 qpid-cpp: 3 qpidd DoS issues in AMQP 0-10 protocol handling
• BZ - 1186302 - CVE-2015-0224 qpid-cpp: AMQP 0-10 protocol sequence-set maximal range DoS (incomplete CVE-2015-0203 fix)
• BZ - 1186308 - CVE-2015-0223 qpid-cpp: anonymous access to qpidd cannot be prevented

CVEs

• CVE-2015-0203
• CVE-2015-0223
• CVE-2015-0224

References

• http://www.redhat.com/security/updates/classification/#normal

Red Hat Enterprise MRG Messaging 2 for RHEL 6

SRPM
qpid-cpp-0.18-38.el6.src.rpm	SHA-256: 7c2f5b19ddba7ac35eda60a8599504b6edfcb4230782bc31a1d4aa50d45a953f
x86_64
qpid-cpp-client-0.18-38.el6.i686.rpm	SHA-256: 8b1b4fbc053bf9c08d725ea57fecdc19fa55685be5bd608ab7e7f5bde5afb443
qpid-cpp-client-0.18-38.el6.x86_64.rpm	SHA-256: 72bce053b28665818295f28355dcb8a6420b69cb7a8c0a2c3e229518da6472d3
qpid-cpp-client-devel-0.18-38.el6.x86_64.rpm	SHA-256: 90bdffbaba12116bf637b1d0e825ddabc98baf3b4855b4ed8d8d7c9a803b4a1c
qpid-cpp-client-devel-docs-0.18-38.el6.noarch.rpm	SHA-256: 0492d61d3596374e0fb6c0caacb08f87636334d3539fa745999bddbaeeec6658
qpid-cpp-client-rdma-0.18-38.el6.x86_64.rpm	SHA-256: 47cbb6f7289df4588ad5dd068978d0038e3b3248b1364cbb1b98fa1d793ad49f
qpid-cpp-client-ssl-0.18-38.el6.i686.rpm	SHA-256: b4461d56f5cb67846914e55e236e91b1e513be381f8d25b9ddfbaabc2f6843dc
qpid-cpp-client-ssl-0.18-38.el6.x86_64.rpm	SHA-256: 14ea170d9d0c952802eb2aae90d8567303029529648ef928ab348d0a1a01e8ab
qpid-cpp-debuginfo-0.18-38.el6.i686.rpm	SHA-256: 94a9700a6a02d086a6e19f1b42e496ba552e21af39c1eda04b58776109cdf259
qpid-cpp-debuginfo-0.18-38.el6.x86_64.rpm	SHA-256: 712df24839cdb15569d190111e4f9f99f7257d7aaec8dd28a8b8c704e4768c1c
qpid-cpp-server-0.18-38.el6.i686.rpm	SHA-256: f8b0c6ec183cfbc587637ffd241c7dd81ed78d5637f90b3399fd9d55019f0b99
qpid-cpp-server-0.18-38.el6.x86_64.rpm	SHA-256: cd8932acba6deaf3ffcfe4fb8723a93f0086f60d6ee200a027d48788c9044b9b
qpid-cpp-server-cluster-0.18-38.el6.x86_64.rpm	SHA-256: 2a3714b85ad69e5cfb2b943570422434198b32414058bb57cd0316546d6ab853
qpid-cpp-server-devel-0.18-38.el6.x86_64.rpm	SHA-256: 663246ba4cb36676ccd223a5b298b32920145c5fbdef8f74ccfbaad8f156334b
qpid-cpp-server-rdma-0.18-38.el6.x86_64.rpm	SHA-256: 3c71feb7177bc7c38d1d45dae2e52a95be6640d6fe8228453bba55be0982d4d9
qpid-cpp-server-ssl-0.18-38.el6.x86_64.rpm	SHA-256: e087fbfbebcec3496ad849922b60f9f966e4559141f988dfa9ed8f24edf06d3f
qpid-cpp-server-store-0.18-38.el6.x86_64.rpm	SHA-256: 613414fc8cbd775f5000007b5ad8b899d75b668be6750119f41f24aaa201441b
qpid-cpp-server-xml-0.18-38.el6.x86_64.rpm	SHA-256: 497b4db40c714fa8723b9bce276a655d50ed6dc5d5463baab2095c5d5e5dd331
i386
qpid-cpp-client-0.18-38.el6.i686.rpm	SHA-256: 8b1b4fbc053bf9c08d725ea57fecdc19fa55685be5bd608ab7e7f5bde5afb443
qpid-cpp-client-devel-0.18-38.el6.i686.rpm	SHA-256: e4d0765ea5f89467ee51d0e239f2e6e3af38fbe57a19e97f8c0e1f0dbc9d78cd
qpid-cpp-client-devel-docs-0.18-38.el6.noarch.rpm	SHA-256: 0492d61d3596374e0fb6c0caacb08f87636334d3539fa745999bddbaeeec6658
qpid-cpp-client-rdma-0.18-38.el6.i686.rpm	SHA-256: 8e59dbbee31aa7f3d200a74cd0202511853a9cb3205dc1318eb230ec158ba737
qpid-cpp-client-ssl-0.18-38.el6.i686.rpm	SHA-256: b4461d56f5cb67846914e55e236e91b1e513be381f8d25b9ddfbaabc2f6843dc
qpid-cpp-debuginfo-0.18-38.el6.i686.rpm	SHA-256: 94a9700a6a02d086a6e19f1b42e496ba552e21af39c1eda04b58776109cdf259
qpid-cpp-server-0.18-38.el6.i686.rpm	SHA-256: f8b0c6ec183cfbc587637ffd241c7dd81ed78d5637f90b3399fd9d55019f0b99
qpid-cpp-server-cluster-0.18-38.el6.i686.rpm	SHA-256: 3b3cf505723dbc1de5f55ffda55a6097d11555b64f2956ae4ce6f2ffa42b414f
qpid-cpp-server-devel-0.18-38.el6.i686.rpm	SHA-256: eff1ae35ca7e233c5aab926b0b5f6e24777338fdd3072f54312401bfd1e7f559
qpid-cpp-server-rdma-0.18-38.el6.i686.rpm	SHA-256: b0e6920f9c1b3f62da64a6b6060d8cac082de9356713d1909618bb4789cbedbd
qpid-cpp-server-ssl-0.18-38.el6.i686.rpm	SHA-256: a6584131f318d2ce3acea82c9f4b1ad83d8245270ba4923c9cbd705d616eff97
qpid-cpp-server-store-0.18-38.el6.i686.rpm	SHA-256: 889eb647a80a1263f93c21e6c46d7bf54d3d6d3f0da78a70f2ae7c7cf44cb290
qpid-cpp-server-xml-0.18-38.el6.i686.rpm	SHA-256: b1ca2e8fd7f194fa1773c7a9a9ab7ed7e3e1d13a43161fc3d43fe2882b1a8331

MRG Grid Execute 2

SRPM
qpid-cpp-0.18-38.el6.src.rpm	SHA-256: 7c2f5b19ddba7ac35eda60a8599504b6edfcb4230782bc31a1d4aa50d45a953f
x86_64
qpid-cpp-client-0.18-38.el6.i686.rpm	SHA-256: 8b1b4fbc053bf9c08d725ea57fecdc19fa55685be5bd608ab7e7f5bde5afb443
qpid-cpp-client-0.18-38.el6.x86_64.rpm	SHA-256: 72bce053b28665818295f28355dcb8a6420b69cb7a8c0a2c3e229518da6472d3
qpid-cpp-client-ssl-0.18-38.el6.i686.rpm	SHA-256: b4461d56f5cb67846914e55e236e91b1e513be381f8d25b9ddfbaabc2f6843dc
qpid-cpp-client-ssl-0.18-38.el6.x86_64.rpm	SHA-256: 14ea170d9d0c952802eb2aae90d8567303029529648ef928ab348d0a1a01e8ab
qpid-cpp-debuginfo-0.18-38.el6.i686.rpm	SHA-256: 94a9700a6a02d086a6e19f1b42e496ba552e21af39c1eda04b58776109cdf259
qpid-cpp-debuginfo-0.18-38.el6.x86_64.rpm	SHA-256: 712df24839cdb15569d190111e4f9f99f7257d7aaec8dd28a8b8c704e4768c1c
qpid-cpp-server-0.18-38.el6.i686.rpm	SHA-256: f8b0c6ec183cfbc587637ffd241c7dd81ed78d5637f90b3399fd9d55019f0b99
qpid-cpp-server-0.18-38.el6.x86_64.rpm	SHA-256: cd8932acba6deaf3ffcfe4fb8723a93f0086f60d6ee200a027d48788c9044b9b
qpid-cpp-server-ssl-0.18-38.el6.x86_64.rpm	SHA-256: e087fbfbebcec3496ad849922b60f9f966e4559141f988dfa9ed8f24edf06d3f