Red Hat Product Errata RHSA-2015:0662 - Security Advisory

Issued:: 2015-03-09
Updated:: 2015-03-09

RHSA-2015:0662 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: qpid-cpp security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Updated qpid-cpp packages that fix multiple security issues and one bug are
now available for Red Hat Enterprise MRG Messaging 2.5 for Red Hat
Enterprise Linux 5.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation
IT infrastructure for enterprise computing. MRG offers increased
performance, reliability, interoperability, and faster computing for
enterprise customers.

The Qpid packages provide a message broker daemon that receives, stores and
routes messages using the open AMQP messaging protocol along with run-time
libraries for AMQP client applications developed using Qpid C++. Clients
exchange messages with an AMQP message broker using the AMQP protocol.

It was discovered that the Qpid daemon (qpidd) did not restrict access to
anonymous users when the ANONYMOUS mechanism was disallowed.
(CVE-2015-0223)

Multiple flaws were found in the way the Qpid daemon (qpidd) processed
certain protocol sequences. An unauthenticated attacker able to send a
specially crafted protocol sequence set could use these flaws to crash
qpidd. (CVE-2015-0203, CVE-2015-0224)

Red Hat would like to thank the Apache Software Foundation for reporting
the CVE-2015-0203 issue. Upstream acknowledges G. Geshev from MWR Labs as
the original reporter.

This update also fixes the following bug:

Prior to this update, because message purging was performed on a timer
thread, large purge events could have caused all other timer tasks to be
delayed. Because heartbeats were also driven by a timer on this thread,
this could have resulted in clients timing out because they were not
receiving heartbeats. The fix moves expired message purging from the timer
thread to a worker thread, which allow long-running expired message purges
to not affect timer tasks such as the heartbeat timer. (BZ#1142833)

All users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat Enterprise
Linux 5 are advised to upgrade to these updated packages, which correct
these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise MRG Messaging 2 for RHEL 5 x86_64
Red Hat Enterprise MRG Messaging 2 for RHEL 5 i386

Fixes

BZ - 1181721 - CVE-2015-0203 qpid-cpp: 3 qpidd DoS issues in AMQP 0-10 protocol handling
BZ - 1186302 - CVE-2015-0224 qpid-cpp: AMQP 0-10 protocol sequence-set maximal range DoS (incomplete CVE-2015-0203 fix)
BZ - 1186308 - CVE-2015-0223 qpid-cpp: anonymous access to qpidd cannot be prevented
BZ - 1191757 - MRG-M 2.5.13 RHEL-5 errata placeholder

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise MRG Messaging 2 for RHEL 5

SRPM
qpid-cpp-mrg-0.18-38.el5_10.src.rpm	SHA-256: 7e0ed184b00f58b94f07e1188114f8507e15a2575e3ba28d6dbd24d81f30694c
x86_64
qpid-cpp-client-0.18-38.el5_10.x86_64.rpm	SHA-256: ca8bcbde77eb4a69f3277b95fa9341a2b134096fdb12ad93140af3c8ca5b67e3
qpid-cpp-client-devel-0.18-38.el5_10.x86_64.rpm	SHA-256: 93869bb9b519f3f0b3657eb7f6dab9c0714a53745eb3afa98441181f65d49898
qpid-cpp-client-devel-docs-0.18-38.el5_10.x86_64.rpm	SHA-256: 3a7b88b66dd5a36fb4498114255200a8498e3db4c5fac37932d280933c6e4b5f
qpid-cpp-client-rdma-0.18-38.el5_10.x86_64.rpm	SHA-256: 251b2caf668c226ed3556fde9295100a4e2534e62e3ec31374ad97a7db7bfb51
qpid-cpp-client-ssl-0.18-38.el5_10.x86_64.rpm	SHA-256: af1b635e719e622a37a2a4e97a3d5d6e882bb9a073160dc419a939fa7ebf3bcb
qpid-cpp-server-0.18-38.el5_10.x86_64.rpm	SHA-256: ffc66bb3a4108f5138358d13665ff6d481d6c36d4e946687e323478e8a02880c
qpid-cpp-server-cluster-0.18-38.el5_10.x86_64.rpm	SHA-256: 69042e51e439005ccefd79890890492bd07a9744aed799b1f52ba5b403185e57
qpid-cpp-server-devel-0.18-38.el5_10.x86_64.rpm	SHA-256: 2684e39a7ef3a0e09b32599b5c52f01fe531927187a7266b051f1d5117b473dc
qpid-cpp-server-rdma-0.18-38.el5_10.x86_64.rpm	SHA-256: b317d59c605d17425f477e80d292a375893d9255ad63c274596df3deedd90317
qpid-cpp-server-ssl-0.18-38.el5_10.x86_64.rpm	SHA-256: 57d65ac73c97cd100839b7914b8f4631a3175924e6e1033230b51c5f96ce27d3
qpid-cpp-server-store-0.18-38.el5_10.x86_64.rpm	SHA-256: 8e5081f6040b1197d6f8968699d1db2a9186c91c5ff7a378f64af7b5c095786b
qpid-cpp-server-xml-0.18-38.el5_10.x86_64.rpm	SHA-256: 2e1030f990ff2639e7eafdcaaed4666c7e5093faae0b8ffd3b03811bdc63b58c
i386
qpid-cpp-client-0.18-38.el5_10.i386.rpm	SHA-256: 00f6f81f473779212c91681af0d2ab7178528f40944025dd720c0c3ed7b4ad74
qpid-cpp-client-devel-0.18-38.el5_10.i386.rpm	SHA-256: c12ea8a1e67b5a1b62b9da762fb0d05db607d26aa6b5c3cbeb4abc9afd7ab90e
qpid-cpp-client-devel-docs-0.18-38.el5_10.i386.rpm	SHA-256: 5d2932a9340f69c8a620a0588d913f164ef131b3e4771f6ef8328667e751d439
qpid-cpp-client-rdma-0.18-38.el5_10.i386.rpm	SHA-256: 4d0c48a7b39314ff5c6789d87ca9e4ca8727a8d973a9fa5fa055ec351c0f6b11
qpid-cpp-client-ssl-0.18-38.el5_10.i386.rpm	SHA-256: e3a0e05f30637fd87e105b2bb430287d3ad8beb8a2b7bb924f63eed6a8f39022
qpid-cpp-server-0.18-38.el5_10.i386.rpm	SHA-256: 80744172d5c298cf73cf26b77dec431ccfea8830d7312f4bfc198b931d0a6550
qpid-cpp-server-cluster-0.18-38.el5_10.i386.rpm	SHA-256: a6bbe0e71866bacb8b2309ddbca9ff04b1d26aab33c035c455f01635d5a676fe
qpid-cpp-server-devel-0.18-38.el5_10.i386.rpm	SHA-256: 6d03b27ae1a3cb9fe7b4c199b1068ad4e6dd73e7f9a6e5718a7f7488451cf80f
qpid-cpp-server-rdma-0.18-38.el5_10.i386.rpm	SHA-256: 7f6596d93a8fe9ac4aa2c4e61752a3c1fea1e44ee555b421f596b3016c9538cf
qpid-cpp-server-ssl-0.18-38.el5_10.i386.rpm	SHA-256: e27cc26d340e3deade3b3ecf040bda3e4ce48c36305c2605b4135fa48acb270c
qpid-cpp-server-store-0.18-38.el5_10.i386.rpm	SHA-256: 8ad5a6504badb237bac430f79ecff0ec0553474db4eea0c62e8b7f9be0823689
qpid-cpp-server-xml-0.18-38.el5_10.i386.rpm	SHA-256: 9618b2f0daf52ebbbd886a9058818c12ba1e6eecfe75ecbd1feae3908f545b07

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories