Posted to commits@qpid.apache.org by or...@apache.org on 2016/12/28 12:27:55 UTC

qpid-site git commit: Update CVE vulnerability details for Qpid Broker for Java in security page and release notes for 6.0.6 and 6.1.1

Repository: qpid-site
Updated Branches:
  refs/heads/asf-site dfee4d58b -> b688a1f44


Update CVE vulnerability details for Qpid Broker for Java in security page and release notes for 6.0.6 and 6.1.1


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/b688a1f4
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/b688a1f4
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/b688a1f4

Branch: refs/heads/asf-site
Commit: b688a1f4466adf236d327d54a7bceceab35b6aa9
Parents: dfee4d5
Author: Alex Rudyy <or...@apache.org>
Authored: Wed Dec 28 12:26:15 2016 +0000
Committer: Alex Rudyy <or...@apache.org>
Committed: Wed Dec 28 12:26:15 2016 +0000

----------------------------------------------------------------------
 content/components/java-broker/security.html    | 32 ++++++++++++++++++++
 .../releases/qpid-java-6.0.6/release-notes.html |  1 +
 .../releases/qpid-java-6.1.1/release-notes.html |  1 +
 input/components/java-broker/security.md        | 32 ++++++++++++++++++++
 input/releases/qpid-java-6.0.6/release-notes.md |  3 +-
 input/releases/qpid-java-6.1.1/release-notes.md |  3 +-
 6 files changed, 70 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/content/components/java-broker/security.html
----------------------------------------------------------------------
diff --git a/content/components/java-broker/security.html b/content/components/java-broker/security.html
index 0e45753..0c845d6 100644
--- a/content/components/java-broker/security.html
+++ b/content/components/java-broker/security.html
@@ -205,6 +205,38 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
         </div>
       </td>
     </tr>
+    <tr>
+      <td>CVE-2016-8741</td>
+      <td>Moderate</td>
+      <td>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</td>
+      <td><a href="/releases/qpid-java-6.0.6/">6.0.6</a>, <a href="/releases/qpid-java-6.1.1/">6.1.1</a></td>
+      <td>
+        Information Leakage.
+        <a id="CVE-2016-8741_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-8741_details', controlId:'CVE-2016-8741_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+        <div style="display:none;" id="CVE-2016-8741_details">
+          <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.1,
+          6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</p>
+          <p>Description: The Qpid Broker for Java can be configured to use different so
+             called AuthenticationProviders to handle user authentication.<br/>
+             Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256
+             AuthenticationProvider types.
+
+             It was discovered that these AuthenticationProviders prematurely
+             terminate the SCRAM SASL negotiation if the provided user name
+             does not exist thus allowing remote attacker to determine the
+             existence of user accounts.<br/>
+
+             The Vulnerability does not apply to AuthenticationProviders other
+             than SCRAM-SHA-1 and SCRAM-SHA-256.</p>
+          <p>Mitigation: Users should upgrade the Qpid Broker for Java to version 6.0.6,
+             6.1.1, or later (recommended).
+             If upgrading is not possible, the vulnerability can be mitigated
+             by using an AuthenticationProvider other than SCRAM-SHA-1 and
+             SCRAM-SHA-256. </p>
+          <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a></p>
+        </div>
+      </td>
+    </tr>
   </tbody>
 </table>
 
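Review bot: the line breaks inside the description paragraph are inconsistent. The sentence groups ending "handle user authentication." and "existence of user accounts." close with `<br/>`, but the break after "AuthenticationProvider types." is only a blank source line, which HTML collapses to a single space, so "It was discovered ..." will run straight on from the previous sentence while the other two breaks render. Use `<br/>` (or separate `<p>` elements) for all three breaks or for none. The same paragraph needs small wording fixes: "different so called AuthenticationProviders" should read "different so-called AuthenticationProviders", "thus allowing remote attacker" should read "thus allowing a remote attacker", "The Vulnerability" should be lower-case, and there is a stray space before `</p>` after "SCRAM-SHA-256.". Because content/ is the generated output of input/components/java-broker/security.md, make these fixes in the .md source and regenerate rather than patching the HTML directly. Separately, the affected-versions cell lists 6.0.1 through 6.0.5 and 6.1.0 but not 6.0.0; please confirm that 6.0.0 is genuinely unaffected rather than omitted by mistake, since readers on that version will otherwise assume they are safe.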

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/content/releases/qpid-java-6.0.6/release-notes.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-java-6.0.6/release-notes.html b/content/releases/qpid-java-6.0.6/release-notes.html
index 0a305c5..db573d7 100644
--- a/content/releases/qpid-java-6.0.6/release-notes.html
+++ b/content/releases/qpid-java-6.0.6/release-notes.html
@@ -129,6 +129,7 @@ documentation, see the <a href="index.html">release overview</a>.</p>
 <li><a href="https://issues.apache.org/jira/browse/QPID-7470">QPID-7470</a> - [Java Broker] Address javax.xml.bind.DatatypeConverter shortcomings</li>
 <li><a href="https://issues.apache.org/jira/browse/QPID-7508">QPID-7508</a> - Broker occasionally fails to report SUB-1003 in response to a consumer that has become suspended</li>
 <li><a href="https://issues.apache.org/jira/browse/QPID-7560">QPID-7560</a> - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE</li>
+<li><a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a> - [CVE-2016-8741] Prevent leaking information about the existence of user accounts in SCRAM-SHA256/SCRAM-SHA1 authentication providers</li>
 </ul>
 
 
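Review bot: the entry names the providers as "SCRAM-SHA256/SCRAM-SHA1" while the security page row added in this same commit calls them "SCRAM-SHA-1 and SCRAM-SHA-256" (the AuthenticationProvider type names); align the release note with those names so a reader searching for the provider type they have configured finds the entry. It would also help to link the CVE id in the entry to its row on the security page (content/components/java-broker/security.html, which carries the `CVE-2016-8741_details` anchor) rather than leaving it as plain text in the title, since the JIRA link alone does not reach the mitigation advice.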

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/content/releases/qpid-java-6.1.1/release-notes.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-java-6.1.1/release-notes.html b/content/releases/qpid-java-6.1.1/release-notes.html
index 00272e2..bae6bfd 100644
--- a/content/releases/qpid-java-6.1.1/release-notes.html
+++ b/content/releases/qpid-java-6.1.1/release-notes.html
@@ -142,6 +142,7 @@ documentation, see the <a href="index.html">release overview</a>.</p>
 <li><a href="https://issues.apache.org/jira/browse/QPID-7549">QPID-7549</a> - [Java Broker] Authentication using SimpleLDAP authentication provider fails with NPE when caching of authentication results is enabled(by default)</li>
 <li><a href="https://issues.apache.org/jira/browse/QPID-7560">QPID-7560</a> - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE</li>
 <li><a href="https://issues.apache.org/jira/browse/QPID-7577">QPID-7577</a> - [Java Broker] Generic JDBC configuration store mistakenly is put into OPEN state in init</li>
+<li><a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a> - [CVE-2016-8741] Prevent leaking information about the existence of user accounts in SCRAM-SHA256/SCRAM-SHA1 authentication providers</li>
 </ul>
 
 
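Review bot: the provider spelling "SCRAM-SHA256/SCRAM-SHA1" should match the "SCRAM-SHA-1 and SCRAM-SHA-256" names used in the security page entry for CVE-2016-8741, and the 6.0.6 and 6.1.1 entries are word-for-word identical, so any rewording should be applied to both. Placement is fine: QPID-7599 sorts after QPID-7577, keeping the list in ascending issue order.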

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/input/components/java-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/java-broker/security.md b/input/components/java-broker/security.md
index 5706aae..776e4db 100644
--- a/input/components/java-broker/security.md
+++ b/input/components/java-broker/security.md
@@ -108,6 +108,38 @@
         </div>
       </td>
     </tr>
+    <tr>
+      <td>CVE-2016-8741</td>
+      <td>Moderate</td>
+      <td>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</td>
+      <td><a href="{{site_url}}/releases/qpid-java-6.0.6/">6.0.6</a>, <a href="{{site_url}}/releases/qpid-java-6.1.1/">6.1.1</a></td>
+      <td>
+        Information Leakage.
+        <a id="CVE-2016-8741_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-8741_details', controlId:'CVE-2016-8741_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+        <div style="display:none;" id="CVE-2016-8741_details">
+          <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.1,
+          6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</p>
+          <p>Description: The Qpid Broker for Java can be configured to use different so
+             called AuthenticationProviders to handle user authentication.<br/>
+             Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256
+             AuthenticationProvider types.
+
+             It was discovered that these AuthenticationProviders prematurely
+             terminate the SCRAM SASL negotiation if the provided user name
+             does not exist thus allowing remote attacker to determine the
+             existence of user accounts.<br/>
+
+             The Vulnerability does not apply to AuthenticationProviders other
+             than SCRAM-SHA-1 and SCRAM-SHA-256.</p>
+          <p>Mitigation: Users should upgrade the Qpid Broker for Java to version 6.0.6,
+             6.1.1, or later (recommended).
+             If upgrading is not possible, the vulnerability can be mitigated
+             by using an AuthenticationProvider other than SCRAM-SHA-1 and
+             SCRAM-SHA-256. </p>
+          <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a></p>
+        </div>
+      </td>
+    </tr>
   </tbody>
 </table>
 
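Review bot: this .md is the source the site generator renders into content/components/java-broker/security.html, so the description's wording and line-break fixes belong here first, then the HTML should be regenerated: the blank line after "AuthenticationProvider types." has no `<br/>` while the other two sentence breaks do, "so called" should be "so-called", "allowing remote attacker" needs an article, and "The Vulnerability" should be lower-case. Editing only the generated file would be overwritten on the next build. The `{{site_url}}` placeholders in the link cell are consistent with the resolved `/releases/...` paths in the generated HTML, which confirms the two files are in sync in this commit.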

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/input/releases/qpid-java-6.0.6/release-notes.md
----------------------------------------------------------------------
diff --git a/input/releases/qpid-java-6.0.6/release-notes.md b/input/releases/qpid-java-6.0.6/release-notes.md
index 4467829..7c6388c 100644
--- a/input/releases/qpid-java-6.0.6/release-notes.md
+++ b/input/releases/qpid-java-6.0.6/release-notes.md
@@ -31,4 +31,5 @@ documentation, see the [release overview](index.html).
 
  - [QPID-7470](https://issues.apache.org/jira/browse/QPID-7470) - [Java Broker] Address javax.xml.bind.DatatypeConverter shortcomings
  - [QPID-7508](https://issues.apache.org/jira/browse/QPID-7508) - Broker occasionally fails to report SUB-1003 in response to a consumer that has become suspended
- - [QPID-7560](https://issues.apache.org/jira/browse/QPID-7560) - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE
\ No newline at end of file
+ - [QPID-7560](https://issues.apache.org/jira/browse/QPID-7560) - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE
+ - [QPID-7599](https://issues.apache.org/jira/browse/QPID-7599) - [CVE-2016-8741] Prevent leaking information about the existence of user accounts in SCRAM-SHA256/SCRAM-SHA1 authentication providers
\ No newline at end of file
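Review bot: the unchanged QPID-7560 line is removed and re-added only because the file had no trailing newline, and the new last line again ends with "\ No newline at end of file", so the next addition will produce the same two-line churn. Add a terminating newline after the QPID-7599 entry so future appends are clean one-line diffs. This .md is also the source of content/releases/qpid-java-6.0.6/release-notes.html, so any wording change (for example aligning "SCRAM-SHA256/SCRAM-SHA1" with the "SCRAM-SHA-1 and SCRAM-SHA-256" spelling on the security page) has to be made here and regenerated.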

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/input/releases/qpid-java-6.1.1/release-notes.md
----------------------------------------------------------------------
diff --git a/input/releases/qpid-java-6.1.1/release-notes.md b/input/releases/qpid-java-6.1.1/release-notes.md
index e46ebe5..26c4a7a 100644
--- a/input/releases/qpid-java-6.1.1/release-notes.md
+++ b/input/releases/qpid-java-6.1.1/release-notes.md
@@ -42,4 +42,5 @@ documentation, see the [release overview](index.html).
  - [QPID-7548](https://issues.apache.org/jira/browse/QPID-7548) - [Java Broker] Upgrade of configuration from model version 3 fails
  - [QPID-7549](https://issues.apache.org/jira/browse/QPID-7549) - [Java Broker] Authentication using SimpleLDAP authentication provider fails with NPE when caching of authentication results is enabled(by default)
  - [QPID-7560](https://issues.apache.org/jira/browse/QPID-7560) - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE
- - [QPID-7577](https://issues.apache.org/jira/browse/QPID-7577) - [Java Broker] Generic JDBC configuration store mistakenly is put into OPEN state in init
\ No newline at end of file
+ - [QPID-7577](https://issues.apache.org/jira/browse/QPID-7577) - [Java Broker] Generic JDBC configuration store mistakenly is put into OPEN state in init
+ - [QPID-7599](https://issues.apache.org/jira/browse/QPID-7599) - [CVE-2016-8741] Prevent leaking information about the existence of user accounts in SCRAM-SHA256/SCRAM-SHA1 authentication providers
\ No newline at end of file
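Review bot: the QPID-7577 line is removed and re-added unchanged, and the file still ends without a newline; end the file with a newline after the QPID-7599 entry so later additions do not keep rewriting the previous last line. The entry text is identical to the one added to the 6.0.6 notes, so keep the two in sync if either is reworded.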

