You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa AMQ Clients

Sigurnosni nedostaci programskog paketa AMQ Clients

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LRH

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: AMQ Clients 2.6.0 Release
Advisory ID: RHSA-2020:0601-01
Product: Red Hat AMQ Clients
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0601
Issue date: 2020-02-25
CVE Names: CVE-2019-20444 CVE-2019-20445 CVE-2020-7238
=====================================================================

1. Summary:

An update is now available for Red Hat AMQ Clients 2.6.0. Red Hat Product
Security has rated this update as having a security impact of Important.

A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

6Client-AMQ-Clients-2 – i386, noarch, x86_64
6ComputeNode-AMQ-Clients-2 – noarch, x86_64
6Server-AMQ-Clients-2 – i386, noarch, x86_64
6Workstation-AMQ-Clients-2 – i386, noarch, x86_64
7Client-AMQ-Clients-2 – noarch, x86_64
7ComputeNode-AMQ-Clients-2 – noarch, x86_64
7Server-AMQ-Clients-2 – noarch, x86_64
7Workstation-AMQ-Clients-2 – noarch, x86_64
8Base-AMQ-Clients-2 – noarch, x86_64

3. Description:

Red Hat AMQ Clients enable connecting, sending, and receiving messages over
the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7.

This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 6,
7, and 8.

Security Fix(es):

* netty: HTTP request smuggling (CVE-2019-20444)

* netty: HttpObjectDecoder.java allows Content-Length header to accompanied
by second Content-Length header (CVE-2019-20445)

* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace
mishandling (CVE-2020-7238)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1796225 – CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
1798509 – CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
1798524 – CVE-2019-20444 netty: HTTP request smuggling

6. JIRA issues fixed (https://issues.jboss.org/):

ENTMQCL-1075 – [python] Example broker.py is using collections.deque.count from Python 2.7
ENTMQCL-1076 – [python] Example abstract_server.py is using relative import
ENTMQCL-1246 – [python] Install egg-info directory
ENTMQCL-1287 – [python] Read a config file to get default connection parameters (Windows)
ENTMQCL-1322 – amqpnetlite-sdk-2.1.6 does not export resource strings
ENTMQCL-1361 – [python] Convert strings in the API to AMQP symbols where required
ENTMQCL-1364 – [python] P2P detach frame not received results in connection aborted
ENTMQCL-1578 – [python] qpid-proton-0.28.0-1.el7 leaks memory
ENTMQCL-1583 – [doc] Broken links in rh-messaging/amq-docs master
ENTMQCL-1635 – [javascript] File-based connection configuration can’t use named ports
ENTMQCL-1641 – [dotnet] Update AMQ .NET Client based on amqpnetlite 2.2
ENTMQCL-1679 – [python] HOME location of file-based connection configuration does not point to HOME location
ENTMQCL-1717 – [python] Default port should be amqps
ENTMQCL-1726 – [jms] Improve performance when using simulated anonymous producers
ENTMQCL-1781 – Established connections are aborted after the system clock is shifted forward
ENTMQCL-1818 – [javascript] npm install fails due to missing configuration file for ESLint
ENTMQCL-1835 – [jms] client-ack consumers don’t increment remote delivery count on closure after fresh recover

7. Package List:

6Client-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-4.el6_10.src.rpm

i386:
python-qpid-proton-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm

noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm

6ComputeNode-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-4.el6_10.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm

6Server-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-4.el6_10.src.rpm

i386:
python-qpid-proton-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm

noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm

6Workstation-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-4.el6_10.src.rpm

i386:
python-qpid-proton-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm

noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm

7Client-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm

7ComputeNode-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm

7Server-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm

7Workstation-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm

8Base-AMQ-Clients-2:

Source:
nodejs-rhea-1.0.16-1.el8.src.rpm
qpid-proton-0.30.0-3.el8.src.rpm
rubygem-qpid_proton-0.30.0-1.el8.src.rpm

noarch:
nodejs-rhea-1.0.16-1.el8.noarch.rpm
python-qpid-proton-docs-0.30.0-3.el8.noarch.rpm
qpid-proton-c-docs-0.30.0-3.el8.noarch.rpm
qpid-proton-cpp-docs-0.30.0-3.el8.noarch.rpm
qpid-proton-tests-0.30.0-3.el8.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el8.noarch.rpm

x86_64:
python3-qpid-proton-0.30.0-3.el8.x86_64.rpm
python3-qpid-proton-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-c-0.30.0-3.el8.x86_64.rpm
qpid-proton-c-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-c-devel-0.30.0-3.el8.x86_64.rpm
qpid-proton-cpp-0.30.0-3.el8.x86_64.rpm
qpid-proton-cpp-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-3.el8.x86_64.rpm
qpid-proton-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-debugsource-0.30.0-3.el8.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el8.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2019-20444
https://access.redhat.com/security/cve/CVE-2019-20445
https://access.redhat.com/security/cve/CVE-2020-7238
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_amq/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXlU9u9zjgjWX9erEAQjJRg/9EWdSUKhNIQBO7WFXvi/PO/2ebxBePbDH
l0mUNYaOeKyLJvSDLdE8OY25r1zdG6ZgrZLsiPUV31MLlyqXIUXPpFaylv74yZDy
/oP8HnhaHQ29/RhooT5QLxqyCF7f4Bh+1C8VrrwSVKVvlt0Nwz3pC2uZudD6qv8r
juZ8qNjWaQrD5RjWNKljRIzP/VWTU+9GTpACHmK5aTzcN+IgwSP+xJ9oIxnCvjNZ
OhEPTnbYwVA645klWUpFKlj/eFIPSVl3/LTY3F5U1RPlU8qAGIBqPS6gUJSvFg5i
HPOSa0yhFYD7jnPOR4SC24+/eLJaroP+GmnujWGSR10wnE4UZzoFtaw1OJblMdPt
8Ucs5Y0h7KBZwirSLVKEn8hW92cb3IjnCWde4aZjg46fbXrpeGi0tCtE+gh3shUC
3EBEtgU3/I3FoakQty7ePe6YHfFN3+u8Z3TsIQ9GJUCtZj/eeQyqGKLFgAncA6O6
cfZTDMzDU36snL11T8hAcVi2AKoJTxkbqzKy/A28xT11FYrGAGkATsb7mH16CRb9
zFmcsOEdNYBnh7r6QIeJmo0dyFLvAHUfjTabYqimPqABqhvjPeWc2OH5wXuyxV7l
nHSLM62VhwLcRF5AAvxaNL+QE1B0GUH69Bhqn++0iTVoop0vluvE0DS5T4Gu0AYQ
ZlNPuesCwnc=
=ypok
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

AutorToni Vugdelija
Cert idNCERT-REF-2020-02-0001-ADV
CveCERT-CVE-DUMMY
ID izvornikaCERT-ORIGID-DUMMY
ProizvodCERT-DUMMY-PRODUCT
IzvorAdobe
Top
More in Preporuke
Sigurnosni nedostaci jezgre operacijskog sustava

Otkriveni su sigurnosni nedostaci jezgre operacijskog sustava RHEL. Otkriveni nedostaci potencijalnim napadačima omogućuju izazivanje DoS stanja, izvršavanje proizvoljnog programskog koda...

Close