Posted to commits@qpid.apache.org by or...@apache.org on 2016/12/28 12:27:55 UTC
qpid-site git commit: Update CVE vulnerability details for Qpid Broker for Java in security page and release notes for 6.0.6 and 6.1.1
Repository: qpid-site
Updated Branches:
refs/heads/asf-site dfee4d58b -> b688a1f44
Update CVE vulnerability details for Qpid Broker for Java in security page and release notes for 6.0.6 and 6.1.1
Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/b688a1f4
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/b688a1f4
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/b688a1f4
Branch: refs/heads/asf-site
Commit: b688a1f4466adf236d327d54a7bceceab35b6aa9
Parents: dfee4d5
Author: Alex Rudyy <or...@apache.org>
Authored: Wed Dec 28 12:26:15 2016 +0000
Committer: Alex Rudyy <or...@apache.org>
Committed: Wed Dec 28 12:26:15 2016 +0000
----------------------------------------------------------------------
content/components/java-broker/security.html | 32 ++++++++++++++++++++
.../releases/qpid-java-6.0.6/release-notes.html | 1 +
.../releases/qpid-java-6.1.1/release-notes.html | 1 +
input/components/java-broker/security.md | 32 ++++++++++++++++++++
input/releases/qpid-java-6.0.6/release-notes.md | 3 +-
input/releases/qpid-java-6.1.1/release-notes.md | 3 +-
6 files changed, 70 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/content/components/java-broker/security.html
----------------------------------------------------------------------
diff --git a/content/components/java-broker/security.html b/content/components/java-broker/security.html
index 0e45753..0c845d6 100644
--- a/content/components/java-broker/security.html
+++ b/content/components/java-broker/security.html
@@ -205,6 +205,38 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</div>
</td>
</tr>
+ <tr>
+ <td>CVE-2016-8741</td>
+ <td>Moderate</td>
+ <td>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</td>
+ <td><a href="/releases/qpid-java-6.0.6/">6.0.6</a>, <a href="/releases/qpid-java-6.1.1/">6.1.1</a></td>
+ <td>
+ Information Leakage.
+ <a id="CVE-2016-8741_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-8741_details', controlId:'CVE-2016-8741_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+ <div style="display:none;" id="CVE-2016-8741_details">
+ <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.1,
+ 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</p>
+ <p>Description: The Qpid Broker for Java can be configured to use different so
+ called AuthenticationProviders to handle user authentication.<br/>
+ Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256
+ AuthenticationProvider types.
+
+ It was discovered that these AuthenticationProviders prematurely
+ terminate the SCRAM SASL negotiation if the provided user name
+ does not exist thus allowing remote attacker to determine the
+ existence of user accounts.<br/>
+
+ The Vulnerability does not apply to AuthenticationProviders other
+ than SCRAM-SHA-1 and SCRAM-SHA-256.</p>
+ <p>Mitigation: Users should upgrade the Qpid Broker for Java to version 6.0.6,
+ 6.1.1, or later (recommended).
+ If upgrading is not possible, the vulnerability can be mitigated
+ by using an AuthenticationProvider other than SCRAM-SHA-1 and
+ SCRAM-SHA-256. </p>
+ <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a></p>
+ </div>
+ </td>
+ </tr>
</tbody>
</table>
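Review bot: the advisory text in this hunk carries several wording and markup nits that the published security page will inherit: "different so called AuthenticationProviders" should read "so-called", "thus allowing remote attacker" needs an article ("a remote attacker"), "The Vulnerability" should not be capitalised, and `SCRAM-SHA-256. </p>` has a stray space before the closing tag. Mixing `<br/>` with blank lines inside the same `<p>` also gives inconsistent line breaks, since the blank lines collapse in rendered HTML while the `<br/>` ones do not; pick one form. Because content/components/java-broker/security.html is generated from input/components/java-broker/security.md (changed in the same commit), these fixes belong in the .md source and should reach this file by regeneration rather than by hand-editing the output.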
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/content/releases/qpid-java-6.0.6/release-notes.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-java-6.0.6/release-notes.html b/content/releases/qpid-java-6.0.6/release-notes.html
index 0a305c5..db573d7 100644
--- a/content/releases/qpid-java-6.0.6/release-notes.html
+++ b/content/releases/qpid-java-6.0.6/release-notes.html
@@ -129,6 +129,7 @@ documentation, see the <a href="index.html">release overview</a>.</p>
<li><a href="https://issues.apache.org/jira/browse/QPID-7470">QPID-7470</a> - [Java Broker] Address javax.xml.bind.DatatypeConverter shortcomings</li>
<li><a href="https://issues.apache.org/jira/browse/QPID-7508">QPID-7508</a> - Broker occasionally fails to report SUB-1003 in response to a consumer that has become suspended</li>
<li><a href="https://issues.apache.org/jira/browse/QPID-7560">QPID-7560</a> - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE</li>
+<li><a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a> - [CVE-2016-8741] Prevent leaking information about the existence of user accounts in SCRAM-SHA256/SCRAM-SHA1 authentication providers</li>
</ul>
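Review bot: the new entry names the providers "SCRAM-SHA256/SCRAM-SHA1" while the security page added in the same commit uses "SCRAM-SHA-256" and "SCRAM-SHA-1"; since release notes are what readers search when checking whether a build is affected, consider aligning the spelling with the security page so both pages surface for the same query. As with security.html, this file is generated from input/releases/qpid-java-6.0.6/release-notes.md, so the edit should be made there and regenerated.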
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/content/releases/qpid-java-6.1.1/release-notes.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-java-6.1.1/release-notes.html b/content/releases/qpid-java-6.1.1/release-notes.html
index 00272e2..bae6bfd 100644
--- a/content/releases/qpid-java-6.1.1/release-notes.html
+++ b/content/releases/qpid-java-6.1.1/release-notes.html
@@ -142,6 +142,7 @@ documentation, see the <a href="index.html">release overview</a>.</p>
<li><a href="https://issues.apache.org/jira/browse/QPID-7549">QPID-7549</a> - [Java Broker] Authentication using SimpleLDAP authentication provider fails with NPE when caching of authentication results is enabled(by default)</li>
<li><a href="https://issues.apache.org/jira/browse/QPID-7560">QPID-7560</a> - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE</li>
<li><a href="https://issues.apache.org/jira/browse/QPID-7577">QPID-7577</a> - [Java Broker] Generic JDBC configuration store mistakenly is put into OPEN state in init</li>
+<li><a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a> - [CVE-2016-8741] Prevent leaking information about the existence of user accounts in SCRAM-SHA256/SCRAM-SHA1 authentication providers</li>
</ul>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/input/components/java-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/java-broker/security.md b/input/components/java-broker/security.md
index 5706aae..776e4db 100644
--- a/input/components/java-broker/security.md
+++ b/input/components/java-broker/security.md
@@ -108,6 +108,38 @@
</div>
</td>
</tr>
+ <tr>
+ <td>CVE-2016-8741</td>
+ <td>Moderate</td>
+ <td>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</td>
+ <td><a href="{{site_url}}/releases/qpid-java-6.0.6/">6.0.6</a>, <a href="{{site_url}}/releases/qpid-java-6.1.1/">6.1.1</a></td>
+ <td>
+ Information Leakage.
+ <a id="CVE-2016-8741_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-8741_details', controlId:'CVE-2016-8741_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+ <div style="display:none;" id="CVE-2016-8741_details">
+ <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.1,
+ 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</p>
+ <p>Description: The Qpid Broker for Java can be configured to use different so
+ called AuthenticationProviders to handle user authentication.<br/>
+ Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256
+ AuthenticationProvider types.
+
+ It was discovered that these AuthenticationProviders prematurely
+ terminate the SCRAM SASL negotiation if the provided user name
+ does not exist thus allowing remote attacker to determine the
+ existence of user accounts.<br/>
+
+ The Vulnerability does not apply to AuthenticationProviders other
+ than SCRAM-SHA-1 and SCRAM-SHA-256.</p>
+ <p>Mitigation: Users should upgrade the Qpid Broker for Java to version 6.0.6,
+ 6.1.1, or later (recommended).
+ If upgrading is not possible, the vulnerability can be mitigated
+ by using an AuthenticationProvider other than SCRAM-SHA-1 and
+ SCRAM-SHA-256. </p>
+ <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a></p>
+ </div>
+ </td>
+ </tr>
</tbody>
</table>
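Review bot: this .md file is the source from which security.html is generated, so the prose fixes belong here: "so called" to "so-called", "allowing remote attacker" to "allowing a remote attacker", lower-case "vulnerability", and the trailing space in `SCRAM-SHA-256. </p>`; also settle on either `<br/>` or blank lines for breaks within the Description paragraph, not both. The `javascript:_toggleDiv(...)` href embeds literal `<small>` markup inside an attribute value, which browsers tolerate but which is fragile for any tool that parses the page; if the rows above use the same construct, keeping it consistent is acceptable, otherwise prefer the pattern the existing rows use. The `{{site_url}}`-prefixed links are correct for this templated source and match the absolute `/releases/...` paths in the generated html.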
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/input/releases/qpid-java-6.0.6/release-notes.md
----------------------------------------------------------------------
diff --git a/input/releases/qpid-java-6.0.6/release-notes.md b/input/releases/qpid-java-6.0.6/release-notes.md
index 4467829..7c6388c 100644
--- a/input/releases/qpid-java-6.0.6/release-notes.md
+++ b/input/releases/qpid-java-6.0.6/release-notes.md
@@ -31,4 +31,5 @@ documentation, see the [release overview](index.html).
- [QPID-7470](https://issues.apache.org/jira/browse/QPID-7470) - [Java Broker] Address javax.xml.bind.DatatypeConverter shortcomings
- [QPID-7508](https://issues.apache.org/jira/browse/QPID-7508) - Broker occasionally fails to report SUB-1003 in response to a consumer that has become suspended
- - [QPID-7560](https://issues.apache.org/jira/browse/QPID-7560) - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE
\ No newline at end of file
+ - [QPID-7560](https://issues.apache.org/jira/browse/QPID-7560) - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE
+ - [QPID-7599](https://issues.apache.org/jira/browse/QPID-7599) - [CVE-2016-8741] Prevent leaking information about the existence of user accounts in SCRAM-SHA256/SCRAM-SHA1 authentication providers
\ No newline at end of file
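Review bot: the file still ends without a trailing newline (the `\ No newline at end of file` marker appears on both the removed and the added side), which is why the unchanged QPID-7560 line shows up as deleted and re-added; terminating the last line with a newline would make this and every future append a clean one-line addition and keep the diff readable.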
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/b688a1f4/input/releases/qpid-java-6.1.1/release-notes.md
----------------------------------------------------------------------
diff --git a/input/releases/qpid-java-6.1.1/release-notes.md b/input/releases/qpid-java-6.1.1/release-notes.md
index e46ebe5..26c4a7a 100644
--- a/input/releases/qpid-java-6.1.1/release-notes.md
+++ b/input/releases/qpid-java-6.1.1/release-notes.md
@@ -42,4 +42,5 @@ documentation, see the [release overview](index.html).
- [QPID-7548](https://issues.apache.org/jira/browse/QPID-7548) - [Java Broker] Upgrade of configuration from model version 3 fails
- [QPID-7549](https://issues.apache.org/jira/browse/QPID-7549) - [Java Broker] Authentication using SimpleLDAP authentication provider fails with NPE when caching of authentication results is enabled(by default)
- [QPID-7560](https://issues.apache.org/jira/browse/QPID-7560) - AbstractVirtualHost defines two state transitions from ERROR to ACTIVE
- - [QPID-7577](https://issues.apache.org/jira/browse/QPID-7577) - [Java Broker] Generic JDBC configuration store mistakenly is put into OPEN state in init
\ No newline at end of file
+ - [QPID-7577](https://issues.apache.org/jira/browse/QPID-7577) - [Java Broker] Generic JDBC configuration store mistakenly is put into OPEN state in init
+ - [QPID-7599](https://issues.apache.org/jira/browse/QPID-7599) - [CVE-2016-8741] Prevent leaking information about the existence of user accounts in SCRAM-SHA256/SCRAM-SHA1 authentication providers
\ No newline at end of file
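Review bot: same trailing-newline issue as in the 6.0.6 release notes: the QPID-7577 line is shown as changed only because the file lacks a final newline, and the new QPID-7599 line again leaves it without one. Add the terminating newline here so the next release-note entry is a pure addition.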
---------------------------------------------------------------------