Posted to commits@qpid.apache.org by ro...@apache.org on 2019/04/23 10:25:24 UTC
[qpid-site] branch asf-site updated: update site content for CVE-2019-0223
This is an automated email from the ASF dual-hosted git repository.
robbie pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/qpid-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new e1d2fad update site content for CVE-2019-0223
e1d2fad is described below
commit e1d2fadb9086748e6a51368f83640d80acc3b896
Author: Robbie Gemmell <ro...@apache.org>
AuthorDate: Tue Apr 23 11:24:35 2019 +0100
update site content for CVE-2019-0223
---
.../release-notes.html => cves/CVE-2019-0223.html} | 65 +++++++++++++++-------
content/proton/security.html | 7 +++
.../releases/qpid-proton-0.27.1/release-notes.html | 4 +-
input/cves/CVE-2019-0223.md | 49 ++++++++++++++++
input/proton/security.md | 1 +
input/releases/qpid-proton-0.27.1/release-notes.md | 3 +-
6 files changed, 106 insertions(+), 23 deletions(-)
diff --git a/content/releases/qpid-proton-0.27.1/release-notes.html b/content/cves/CVE-2019-0223.html
similarity index 74%
copy from content/releases/qpid-proton-0.27.1/release-notes.html
copy to content/cves/CVE-2019-0223.html
index 7d6b088..218d0f9 100644
--- a/content/releases/qpid-proton-0.27.1/release-notes.html
+++ b/content/cves/CVE-2019-0223.html
@@ -21,7 +21,7 @@
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
- <title>Qpid Proton 0.27.1 Release Notes - Apache Qpid™</title>
+ <title>CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability - Apache Qpid™</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
@@ -111,34 +111,57 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</div>
<div id="-middle" class="panel">
- <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-proton-0.27.1/index.html">Qpid Proton 0.27.1</a></li><li>Qpid Proton 0.27.1 Release Notes</li></ul>
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability</li></ul>
<div id="-middle-content">
- <h1 id="qpid-proton-0271-release-notes">Qpid Proton 0.27.1 Release Notes</h1>
+ <h1 id="cve-2019-0223-apache-qpid-proton-tls-man-in-the-middle-vulnerability">CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability</h1>
-<p>Proton is a high-performance, lightweight messaging library. More
-about <a href="/proton/index.html">Qpid Proton</a>.</p>
+<h2 id="severity">Severity</h2>
-<p>For more information about this release, including download links and
-documentation, see the <a href="index.html">release overview</a>.</p>
+<p>Important</p>
-<h2 id="bugs-fixed">Bugs fixed</h2>
+<h2 id="affected-components">Affected components</h2>
-<ul>
-<li><a href="https://issues.apache.org/jira/browse/PROTON-1989">PROTON-1989</a> - TLS Configuration does not support TLSv1_3 in OpenSSL v1.1.1</li>
-<li><a href="https://issues.apache.org/jira/browse/PROTON-2004">PROTON-2004</a> - allow compilation with LibreSSL</li>
-<li><a href="https://issues.apache.org/jira/browse/PROTON-2006">PROTON-2006</a> - Service Bus example doesnt work</li>
-<li><a href="https://issues.apache.org/jira/browse/PROTON-2010">PROTON-2010</a> - [python] JSON connection config: comments and SASL mechs don't work</li>
-<li><a href="https://issues.apache.org/jira/browse/PROTON-2014">PROTON-2014</a> - [c] Example broker can silently use anonymous ciphers when misconfigured</li>
-<li><a href="https://issues.apache.org/jira/browse/PROTON-2017">PROTON-2017</a> - [go] fix proton-c version check</li>
-<li><a href="https://issues.apache.org/jira/browse/PROTON-2027">PROTON-2027</a> - Proactor connection wake after memory freed when using pn_proactor_disconnect().</li>
-</ul>
+<p>Qpid Proton (C library and language bindings using it).</p>
-<h2 id="tasks">Tasks</h2>
+<h2 id="affected-versions">Affected versions</h2>
-<ul>
-<li><a href="https://issues.apache.org/jira/browse/PROTON-2018">PROTON-2018</a> - [c] Test SSL without python bindings</li>
-</ul>
+<p>0.9 - 0.27.0 inclusive.</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.27.1 and later.</p>
+
+<h2 id="description">Description</h2>
+
+<p>The TLS support in Apache Qpid Proton 0.9 - 0.27.0 can under some
+circumstances connect as a client to a TLS server that offers anonymous
+ciphers irrespective of whether the client was configured to verify the
+server's certificate or certificate against the hostname used to connect.</p>
+
+<p>This means that an undetected man in the middle attack could be
+constructed if an attacker can arrange to intercept TLS traffic.</p>
+
+<p>Versions 0.9 - 0.27.0 are affected when using OpenSSL prior to 1.1.0. This
+includes the Qpid Proton C library, and all language binding libraries using
+it. Installations using the native Windows Schannel TLS implementation or
+using OpenSSL 1.1.0 or later are not affected.</p>
+
+<p>Note that this attack will not work if client certificate authentication is
+in use as anonymous ciphers cannot be used in this case.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Anyone using an affected version with OpenSSL prior to 1.1.0 should upgrade
+their installation to 0.27.1 or higher for fix to this vulnerability.</p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was identified by the Qpid developers.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/PROTON-2014">PROTON-2014</a></p>
<hr/>
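Review bot: The "Description" section states that installations using OpenSSL 1.1.0 or later are not affected but gives no reason, so a reader cannot judge whether a build against a different TLS library (LibreSSL, which PROTON-2004 in the same release adds support for) is in the affected or unaffected group; a sentence on what OpenSSL 1.1.0 changes that closes the hole, and an explicit statement for LibreSSL builds, would make the scope checkable. The "References" section's only entry, PROTON-2014, is titled in the 0.27.1 release notes as "[c] Example broker can silently use anonymous ciphers when misconfigured", which describes a server-side example misconfiguration rather than the client-side library behaviour this page describes; either update the JIRA title or add a line here explaining that the same issue covers both.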
diff --git a/content/proton/security.html b/content/proton/security.html
index 74e8996..83c9aac 100644
--- a/content/proton/security.html
+++ b/content/proton/security.html
@@ -141,6 +141,13 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
<td>0.12.1 and later</td>
<td>Python bindings silently ignore request for amqps if SSL/TLS not supported</td>
</tr>
+<tr>
+ <td><a href="/cves/CVE-2019-0223.html">CVE-2019-0223</a></td>
+ <td>Important</td>
+ <td>0.9 through 0.27.0 inclusive</td>
+ <td>0.27.1 and later</td>
+ <td>TLS Man in the Middle Vulnerability</td>
+</tr>
</tbody>
</table>
diff --git a/content/releases/qpid-proton-0.27.1/release-notes.html b/content/releases/qpid-proton-0.27.1/release-notes.html
index 7d6b088..d0ae40c 100644
--- a/content/releases/qpid-proton-0.27.1/release-notes.html
+++ b/content/releases/qpid-proton-0.27.1/release-notes.html
@@ -122,6 +122,8 @@ about <a href="/proton/index.html">Qpid Proton</a>.</p>
<p>For more information about this release, including download links and
documentation, see the <a href="index.html">release overview</a>.</p>
+<p><strong>Note</strong>: This release addresses security issue <a href="/cves/CVE-2019-0223.html">CVE-2019-0223</a>, a TLS Man in the Middle vulnerability while using OpenSSL prior to v1.1.0.</p>
+
<h2 id="bugs-fixed">Bugs fixed</h2>
<ul>
@@ -129,7 +131,7 @@ documentation, see the <a href="index.html">release overview</a>.</p>
<li><a href="https://issues.apache.org/jira/browse/PROTON-2004">PROTON-2004</a> - allow compilation with LibreSSL</li>
<li><a href="https://issues.apache.org/jira/browse/PROTON-2006">PROTON-2006</a> - Service Bus example doesnt work</li>
<li><a href="https://issues.apache.org/jira/browse/PROTON-2010">PROTON-2010</a> - [python] JSON connection config: comments and SASL mechs don't work</li>
-<li><a href="https://issues.apache.org/jira/browse/PROTON-2014">PROTON-2014</a> - [c] Example broker can silently use anonymous ciphers when misconfigured</li>
+<li><a href="https://issues.apache.org/jira/browse/PROTON-2014">PROTON-2014</a> - [CVE-2019-0223] TLS Man in the Middle Vulnerability</li>
<li><a href="https://issues.apache.org/jira/browse/PROTON-2017">PROTON-2017</a> - [go] fix proton-c version check</li>
<li><a href="https://issues.apache.org/jira/browse/PROTON-2027">PROTON-2027</a> - Proactor connection wake after memory freed when using pn_proactor_disconnect().</li>
</ul>
diff --git a/input/cves/CVE-2019-0223.md b/input/cves/CVE-2019-0223.md
new file mode 100644
index 0000000..a813aad
--- /dev/null
+++ b/input/cves/CVE-2019-0223.md
@@ -0,0 +1,49 @@
+# CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability
+
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Proton (C library and language bindings using it).
+
+## Affected versions
+
+0.9 - 0.27.0 inclusive.
+
+## Fixed versions
+
+0.27.1 and later.
+
+## Description
+
+The TLS support in Apache Qpid Proton 0.9 - 0.27.0 can under some
+circumstances connect as a client to a TLS server that offers anonymous
+ciphers irrespective of whether the client was configured to verify the
+server's certificate or certificate against the hostname used to connect.
+
+This means that an undetected man in the middle attack could be
+constructed if an attacker can arrange to intercept TLS traffic.
+
+Versions 0.9 - 0.27.0 are affected when using OpenSSL prior to 1.1.0. This
+includes the Qpid Proton C library, and all language binding libraries using
+it. Installations using the native Windows Schannel TLS implementation or
+using OpenSSL 1.1.0 or later are not affected.
+
+Note that this attack will not work if client certificate authentication is
+in use as anonymous ciphers cannot be used in this case.
+
+## Resolution
+
+Anyone using an affected version with OpenSSL prior to 1.1.0 should upgrade
+their installation to 0.27.1 or higher for fix to this vulnerability.
+
+## Credit
+
+This issue was identified by the Qpid developers.
+
+## References
+
+[PROTON-2014](https://issues.apache.org/jira/browse/PROTON-2014)
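Review bot: In the "Description" paragraph the clause "irrespective of whether the client was configured to verify the server's certificate or certificate against the hostname used to connect" is ambiguous about what is being verified against what; suggest "irrespective of whether the client was configured to verify the server's certificate, or to verify that certificate against the hostname used to connect". In "Resolution", "for fix to this vulnerability" should read "for a fix to this vulnerability". The two blank lines after the H1 should be one, matching the rest of the file. Since content/cves/CVE-2019-0223.html is generated from this file, the rendered page in the earlier hunk needs regenerating after these wording fixes.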
diff --git a/input/proton/security.md b/input/proton/security.md
index e793119..052d3f9 100644
--- a/input/proton/security.md
+++ b/input/proton/security.md
@@ -23,6 +23,7 @@
| ------ | -------- | ----------------- | -------------- | ------- |
| [CVE-2016-4467]({{site_url}}/cves/CVE-2016-4467.html) | Medium | 0.8 through 0.13.0 inclusive | 0.13.1 and later | Failure to verify that the server host name matches the certificate host name on Windows |
| [CVE-2016-2166]({{site_url}}/cves/CVE-2016-2166.html) | Moderate | 0.9 through 0.12.0 inclusive | 0.12.1 and later | Python bindings silently ignore request for amqps if SSL/TLS not supported |
+| [CVE-2019-0223]({{site_url}}/cves/CVE-2019-0223.html) | Important | 0.9 through 0.27.0 inclusive | 0.27.1 and later | TLS Man in the Middle Vulnerability |
See the main [Security]({{site_url}}/security.html) page for general
information and details for other components.
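Review bot: The description column for the new row, "TLS Man in the Middle Vulnerability", names the impact rather than the defect, whereas the two existing rows ("Failure to verify that the server host name matches the certificate host name on Windows", "Python bindings silently ignore request for amqps if SSL/TLS not supported") describe what goes wrong; for consistency and so the table is useful without opening the CVE page, suggest something like "Client can connect to a server offering anonymous ciphers without verifying its certificate when using OpenSSL prior to 1.1.0". The same applies to the corresponding row added to content/proton/security.html.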
diff --git a/input/releases/qpid-proton-0.27.1/release-notes.md b/input/releases/qpid-proton-0.27.1/release-notes.md
index de963b1..9deb0c8 100644
--- a/input/releases/qpid-proton-0.27.1/release-notes.md
+++ b/input/releases/qpid-proton-0.27.1/release-notes.md
@@ -25,6 +25,7 @@ about [Qpid Proton]({{site_url}}/proton/index.html).
For more information about this release, including download links and
documentation, see the [release overview](index.html).
+**Note**: This release addresses security issue [CVE-2019-0223]({{site_url}}/cves/CVE-2019-0223.html), a TLS Man in the Middle vulnerability while using OpenSSL prior to v1.1.0.
## Bugs fixed
@@ -32,7 +33,7 @@ documentation, see the [release overview](index.html).
- [PROTON-2004](https://issues.apache.org/jira/browse/PROTON-2004) - allow compilation with LibreSSL
- [PROTON-2006](https://issues.apache.org/jira/browse/PROTON-2006) - Service Bus example doesnt work
- [PROTON-2010](https://issues.apache.org/jira/browse/PROTON-2010) - [python] JSON connection config: comments and SASL mechs don't work
- - [PROTON-2014](https://issues.apache.org/jira/browse/PROTON-2014) - [c] Example broker can silently use anonymous ciphers when misconfigured
+ - [PROTON-2014](https://issues.apache.org/jira/browse/PROTON-2014) - [CVE-2019-0223] TLS Man in the Middle Vulnerability
- [PROTON-2017](https://issues.apache.org/jira/browse/PROTON-2017) - [go] fix proton-c version check
- [PROTON-2027](https://issues.apache.org/jira/browse/PROTON-2027) - Proactor connection wake after memory freed when using pn_proactor_disconnect().
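Review bot: Replacing the PROTON-2014 entry text "[c] Example broker can silently use anonymous ciphers when misconfigured" with "[CVE-2019-0223] TLS Man in the Middle Vulnerability" drops the only mention that the C example broker could also negotiate anonymous ciphers; if that fix shipped under the same JIRA in 0.27.1, keep both descriptions on the line (for example "[CVE-2019-0223] TLS Man in the Middle Vulnerability; [c] example broker could silently use anonymous ciphers when misconfigured") so readers of the release notes can see both behaviours changed. The same edit is made to the generated content/releases/qpid-proton-0.27.1/release-notes.html above and should follow whatever wording is settled here.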