Posted to commits@qpid.apache.org by lq...@apache.org on 2016/06/06 14:01:43 UTC
[1/2] qpid-site git commit: Move javascript to deferred.js as per
Justin's review comments
Repository: qpid-site
Updated Branches:
refs/heads/asf-site 79eb6b382 -> 686c59e50
Move javascript to deferred.js as per Justin's review comments
Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/d1372781
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/d1372781
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/d1372781
Branch: refs/heads/asf-site
Commit: d1372781e916f73b5986fc860bf04d7b1c746da0
Parents: 79eb6b3
Author: Lorenz Quack <lq...@apache.org>
Authored: Mon Jun 6 09:17:46 2016 +0100
Committer: Lorenz Quack <lq...@apache.org>
Committed: Mon Jun 6 09:17:46 2016 +0100
----------------------------------------------------------------------
input/_transom_template.html | 1 -
input/components/cpp-broker/security.md | 8 ++++----
input/components/java-broker/security.md | 4 ++--
input/deferred.js | 12 ++++++++++++
input/site.js | 11 -----------
5 files changed, 18 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/d1372781/input/_transom_template.html
----------------------------------------------------------------------
diff --git a/input/_transom_template.html b/input/_transom_template.html
index 71aa813..5cf23ac 100644
--- a/input/_transom_template.html
+++ b/input/_transom_template.html
@@ -28,7 +28,6 @@
<link rel="stylesheet" href="{{site_url}}/deferred.css" type="text/css" defer="defer"/>
<script type="text/javascript">var _deferredFunctions = [];</script>
<script type="text/javascript" src="{{site_url}}/deferred.js" defer="defer"></script>
- <script type="text/javascript" src="{{site_url}}/site.js" defer="defer"></script>
<!--[if lte IE 8]>
<link rel="stylesheet" href="{{site_url}}/ie.css" type="text/css"/>
<script type="text/javascript" src="{{site_url}}/html5shiv.js"></script>
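Review bot: dropping the site.js include is only safe if no page still calls the old global `toggleDiv`; this commit updates the cpp-broker and java-broker security pages, so a grep over input/ for `toggleDiv(` before merging would confirm nothing else still references it, since a leftover caller fails with a ReferenceError only when someone clicks the link. As a minor point on the surrounding context, `defer` is an attribute of `<script>`, not of `<link rel="stylesheet">`, so the `defer="defer"` on the deferred.css line above does nothing.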
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/d1372781/input/components/cpp-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/cpp-broker/security.md b/input/components/cpp-broker/security.md
index 8dd34d2..5c80935 100644
--- a/input/components/cpp-broker/security.md
+++ b/input/components/cpp-broker/security.md
@@ -36,7 +36,7 @@
<td>0.30 and earlier</td>
<td>0.32 and later</td>
<td>qpidd can be crashed by unauthenticated user
- <a id="CVE_2015_0224_details_toggle" href="javascript:toggleDiv({divId:'CVE_2015_0224_details', controlId:'CVE_2015_0224_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+ <a id="CVE_2015_0224_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0224_details', controlId:'CVE_2015_0224_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
<div style="display:none;" id="CVE_2015_0224_details">
<p>Description: In CVE-2015-0203 it was announced that
certain unexpected protocol sequences cause the broker
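Review bot: the `href="javascript:_toggleDiv({...})"` pattern keeps executable code inline in the markup, which a Content-Security-Policy without `'unsafe-inline'` will block, and a `javascript:` URL cannot be opened in a new tab or followed without script. Since deferred.js already wires up handlers with `_addEventListener(...)`, consider giving the anchor `href="#CVE_2015_0224_details"` plus a `data-` attribute naming the control, and toggling from one delegated click listener; the show more/show less labels could then be set with `textContent` instead of passing `<small>` markup through `innerHTML`.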
@@ -71,7 +71,7 @@
<td>0.30 and earlier</td>
<td>0.32 and later</td>
<td>anonymous access to qpidd cannot be prevented
- <a id="CVE_2015_0223_details_toggle" href="javascript:toggleDiv({divId:'CVE_2015_0223_details', controlId:'CVE_2015_0223_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+ <a id="CVE_2015_0223_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0223_details', controlId:'CVE_2015_0223_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
<div style="display:none;" id="CVE_2015_0223_details">
<p>Description: An attacker can gain access to qpidd as an
anonymous user, even if the ANONYMOUS mechanism is
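Review bot: the toggle exposes no open/closed state to assistive technology; add `aria-expanded="false"` and `aria-controls="CVE_2015_0223_details"` to the anchor here (and to the other toggles in this file) and have `_toggleDiv` flip `aria-expanded` when it changes `display`.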
@@ -99,7 +99,7 @@
<td>0.30 and earlier</td>
<td>0.32 and later</td>
<td>qpidd can be crashed by authenticated user
- <a id="CVE_2015_0203_details_toggle" href="javascript:toggleDiv({divId:'CVE_2015_0203_details', controlId:'CVE_2015_0203_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+ <a id="CVE_2015_0203_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0203_details', controlId:'CVE_2015_0203_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
<div style="display:none;" id="CVE_2015_0203_details">
<p>Description: Certain unexpected protocol sequences cause
the broker process to crash due to insufficient
@@ -148,7 +148,7 @@
<td>0.30 and earlier</td>
<td>0.32 and later</td>
<td>qpidd can be induced to make http requests
- <a id="CVE_2014_3629_details_toggle" href="javascript:toggleDiv({divId:'CVE_2014_3629_details', controlId:'CVE_2014_3629_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+ <a id="CVE_2014_3629_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2014_3629_details', controlId:'CVE_2014_3629_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
<div style="display:none;" id="CVE_2014_3629_details">
<p>Description: The XML exchange type is an optional,
dynamically loaded module for qpidd that allows creation of
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/d1372781/input/components/java-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/java-broker/security.md b/input/components/java-broker/security.md
index 8f3ad91..6ac1d92 100644
--- a/input/components/java-broker/security.md
+++ b/input/components/java-broker/security.md
@@ -38,7 +38,7 @@
<td>6.0.2 and earlier</td>
<td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td>
<td>
- Authentication Bypass. <a id="CVE_2016_4432_details_toggle" href="javascript:toggleDiv({divId:'CVE_2016_4432_details', controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+ Authentication Bypass. <a id="CVE_2016_4432_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_4432_details', controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
<div style="display:none;" id="CVE_2016_4432_details">
<p>Versions Affected: Qpid Java Broker versions 6.0.2 and
earlier</p>
@@ -76,7 +76,7 @@
<td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td>
<td>
Denial of Service.
- <a id="CVE_2016_3094_details_toggle" href="javascript:toggleDiv({divId:'CVE_2016_3094_details', controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+ <a id="CVE_2016_3094_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_3094_details', controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
<div style="display:none;" id="CVE_2016_3094_details">
<p>Versions Affected: Qpid Java Broker versions 6.0.0,
6.0.1, and 6.0.2</p>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/d1372781/input/deferred.js
----------------------------------------------------------------------
diff --git a/input/deferred.js b/input/deferred.js
index c7c324a..aac120c 100644
--- a/input/deferred.js
+++ b/input/deferred.js
@@ -420,6 +420,18 @@ function _modifyCurrentReleaseLinks() {
}
}
+function _toggleDiv(toggleInfo) {
+ var div = document.getElementById(toggleInfo.divId);
+ var control = document.getElementById(toggleInfo.controlId);
+ if (div.style.display !== "none") {
+ div.style.display = "none";
+ control.innerHTML = toggleInfo.showMore;
+ } else {
+ div.style.display = "block";
+ control.innerHTML = toggleInfo.showLess;
+ }
+}
+
_updateGlobalNavigation();
_addEventListener("-menu-link", "click", _toggleMenu);
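Review bot: `_toggleDiv` throws a TypeError if either id is missing (`getElementById` returns null), and the open/closed test reads only the inline `div.style.display`, so a details div whose `display:none` comes from a stylesheet rather than a `style=` attribute would be hidden instead of shown on the first click. Guard both lookups and compare against `window.getComputedStyle(div).display`, or toggle a CSS class instead of writing styles. Because the function is invoked from `javascript:` hrefs it must stay a global rather than being pushed into `_deferredFunctions`; a short comment saying so would protect it from a later refactor.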
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/d1372781/input/site.js
----------------------------------------------------------------------
diff --git a/input/site.js b/input/site.js
index c4417ff..e69de29 100644
--- a/input/site.js
+++ b/input/site.js
@@ -1,11 +0,0 @@
-function toggleDiv(toggleInfo) {
- var div=document.getElementById(toggleInfo.divId);
- var control=document.getElementById(toggleInfo.controlId);
- if (div.style.display !== 'none') {
- div.style.display = 'none';
- control.innerHTML = toggleInfo.showMore;
- } else {
- div.style.display = 'block';
- control.innerHTML = toggleInfo.showLess;
- }
-}
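Review bot: this hunk empties site.js (index e69de29 is the empty blob) but leaves the zero-byte file in the tree, and therefore in the published site; now that _transom_template.html no longer references it, `git rm input/site.js` is the cleaner change.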
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org
[2/2] qpid-site git commit: Add Proton CVE and remove security pages
from components that have no CVEs as per Robbie's review comments
Posted by lq...@apache.org.
Add Proton CVE and remove security pages from components that have no CVEs as per Robbie's review comments
Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/686c59e5
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/686c59e5
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/686c59e5
Branch: refs/heads/asf-site
Commit: 686c59e504d11380369bc4ad77d4958abe468242
Parents: d137278
Author: Lorenz Quack <lq...@apache.org>
Authored: Mon Jun 6 14:59:20 2016 +0100
Committer: Lorenz Quack <lq...@apache.org>
Committed: Mon Jun 6 14:59:20 2016 +0100
----------------------------------------------------------------------
input/proton/security.md | 55 ++++++++++++++++++++++++++++++++++++++++++-
input/security.md | 8 +++----
2 files changed, 58 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/686c59e5/input/proton/security.md
----------------------------------------------------------------------
diff --git a/input/proton/security.md b/input/proton/security.md
index 4f4179a..e18ffb6 100644
--- a/input/proton/security.md
+++ b/input/proton/security.md
@@ -23,6 +23,59 @@
## Proton
-TBD
+<table>
+ <thead>
+ <tr>
+ <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>CVE-2016-2166</td>
+ <td>Moderate</td>
+ <td>0.9 through 0.12.0 (inclusive)</td>
+ <td>0.12.1 and later</td>
+ <td>
+ Python bindings silently ignore request for amqps if SSL/TLS not supported. <a id="CVE_2016_2166_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_2166_details', controlId:'CVE_2016_2166_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
+ <div style="display:none;" id="CVE_2016_2166_details">
+ <p>Versions Affected: Apache Qpid Proton python API starting
+ at 0.9 up to and including version 0.12.0.</p>
+ <p>Description: Messaging applications using the Proton
+ Python API to provision an SSL/TLS encrypted TCP connection
+ may actually instantiate a non-encrypted connection without
+ notice if SSL support is unavailable. This will result in
+ all messages being sent in the clear without the knowledge
+ of the user.<br/> This issue affects those applications
+ that use the Proton Reactor Python API to create SSL/TLS
+ connections. Specifically the proton.reactor.Connector,
+ proton.reactor.Container, and
+ proton.utils.BlockingConnection classes are vulnerable.
+ These classes can create an unencrypted connections if the
+ "amqps://" URL prefix is used.<br/> The issue only occurs
+ if the installed Proton libraries do not support SSL. This
+ would be the case if the libraries were built without SSL
+ support or the necessary SSL libraries are not present on
+ the system (e.g. OpenSSL in the case of *nix).<br/> To
+ check whether or not the Python API provides SSL support,
+ use the following console command:<br/>python -c "import
+ proton; print('%s' % 'SSL present' if proton.SSL.present()
+ else 'SSL NOT AVAILBLE')"<br/>In addition, the issue can
+ only occur if both ends of the connection connect without
+ SSL. This would be the case if the vulnerability is active
+ on both ends of the connection, or the non-affected endpoint
+ allows cleartext connections.</p>
+ <p>Resolution: Proton release 0.12.1 resolves this issue by
+ raising an SSLUnavailable exception when SSL is not
+ available and a SSL/TLS connection is requested via the
+ "amqps://" URL
+ prefix.<br/>A <a href="https://issues.apache.org/jira/browse/PROTON-1157">patch</a>
+ is also available.</p>
+ <p>References: <a href="https://issues.apache.org/jira/browse/PROTON-1157">PROTON-1157</a></p>
+ <p>Credit: This issue was discovered by M. Farrellee from Red Hat.</p>
+ </div>
+ </td>
+ </tr>
+ </tbody>
+</table>
</section>
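Review bot: typo in the SSL-check command, "AVAILBLE" should be "AVAILABLE", and the command is embedded as bare text inside a `<p>`, so wrap it in `<code>` so the quotes and `%` survive rendering and readers can copy it. The `'%s' %` formatting is redundant; `print('SSL present' if proton.SSL.present() else 'SSL NOT AVAILABLE')` reads cleaner. Also "can create an unencrypted connections" should be "an unencrypted connection". The inline `style="display:none;"` on the details div matches what `_toggleDiv` tests against, so the toggle works here.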
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/686c59e5/input/security.md
----------------------------------------------------------------------
diff --git a/input/security.md b/input/security.md
index 26038f4..c2fa8f4 100644
--- a/input/security.md
+++ b/input/security.md
@@ -31,15 +31,15 @@ Qpid are available for each Component separately:
- [Java Broker]({{site_url}}/components/java-broker/security.html)
- [C++ Broker]({{site_url}}/components/cpp-broker/security.html)
- - [Dispatch Router]({{site_url}}/components/dispatch-router/security.html)
+;; - [Dispatch Router]({{site_url}}/components/dispatch-router/security.html)
</section>
<section markdown="1">
- [Proton]({{site_url}}/proton/security.html)
- - [JMS Client (AMQP 1.0)]({{site_url}}/components/jms/security-1.0.html)
- - [JMS Client (AMQP 0.x)]({{site_url}}/components/jms/security-0-x.html)
- - [Messaging API]({{site_url}}/components/messaging-api/security.html)
+;; - [JMS Client (AMQP 1.0)]({{site_url}}/components/jms/security-1.0.html)
+;; - [JMS Client (AMQP 0.x)]({{site_url}}/components/jms/security-0-x.html)
+;; - [Messaging API]({{site_url}}/components/messaging-api/security.html)
</section>
</div>
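Review bot: the commit message says the security pages are removed, but this diff only comments out the index links with `;;`; per the file list only input/security.md and input/proton/security.md change, so dispatch-router/security.md, jms/security-1.0.md, jms/security-0-x.md and messaging-api/security.md stay in the tree and remain reachable by URL, presumably still reading "TBD" as proton/security.md did before this commit. Either `git rm` those pages or replace the commented lines with a one-line statement that these components have no published CVEs, so readers do not take the missing links for an oversight. Also confirm that `;;` is a transom comment marker stripped at render time and not emitted into the HTML.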