Posted to commits@qpid.apache.org by jr...@apache.org on 2017/05/15 13:43:18 UTC
[1/3] qpid-site git commit: QPID-7756: Give each CVE its own page;
link to CVEs from component pages
Repository: qpid-site
Updated Branches:
refs/heads/asf-site d03960c7e -> 891f697bd
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/proton/security.md
----------------------------------------------------------------------
diff --git a/input/proton/security.md b/input/proton/security.md
index f708f56..e793119 100644
--- a/input/proton/security.md
+++ b/input/proton/security.md
@@ -19,120 +19,10 @@
# Security
-<section markdown="1">
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
+| ------ | -------- | ----------------- | -------------- | ------- |
+| [CVE-2016-4467]({{site_url}}/cves/CVE-2016-4467.html) | Medium | 0.8 through 0.13.0 inclusive | 0.13.1 and later | Failure to verify that the server host name matches the certificate host name on Windows |
+| [CVE-2016-2166]({{site_url}}/cves/CVE-2016-2166.html) | Moderate | 0.9 through 0.12.0 inclusive | 0.12.1 and later | Python bindings silently ignore request for amqps if SSL/TLS not supported |
-## Proton
-
-<table>
- <thead>
- <tr>
- <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>CVE-2016-4467</td>
- <td>Medium</td>
- <td>0.8 through 0.13.0 (inclusive)</td>
- <td>0.13.1 and later</td>
- <td>Failure to verify that the server host name matches the certificate host name on Windows
- <a id="CVE_2016_4467_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_4467_details', controlId:'CVE_2016_4467_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2016_4467_details">
-
- <p>Messaging applications using the Proton C library to
- provide SSL/TLS authentication on Windows can falsely
- authenticate a server whose name does not match the server
- name in the connection specifier. Proton C bindings are
- affected to a greater or lesser degree depending on how
- they use the underlying Proton C library.</p>
-
- <p>In Proton C, this can only happen if
- PN_SSL_VERIFY_PEER_NAME has been specified as the
- verification mode and pn_ssl_set_peer_hostname() has not
- been called at all or has been called with a NULL value for
- a particular pn_ssl_t object.</p>
-
- <p>In the Proton C++ binding, this will always happen unless
- the application has separately specified a virtual_host name
- for an SSL/TLS connection.</p>
-
- <p>In the Proton Python and Ruby bindings, this will only
- happen if the application has separately specified a NULL
- virtual_host name for an SSL/TLS connection after creating
- the connection but before the authentication step.</p>
-
- <p>This issue only occurs on Windows versions of Proton that
- use the default SChannel-based security layer.</p>
-
- <p>In any of the preceding cases, it is possible for a
- man-in-the-middle attacker to spoof an SSL/TLS server if
- they had a certificate that was valid for any of the
- application's Certificate Authorities.</p>
-
- <p>Resolution: Proton release 0.13.1 resolves this issue in
- the SChannel-based security layer by obtaining a default
- non-NULL peer hostname from the associated connection
- address when initialized and by always failing hostname
- verification if PN_SSL_VERIFY_PEER_NAME has been specified
- along with a NULL peer hostname. This resolution matches
- the associated behaviour of the OpenSSL-based security
- layer.</p>
-
- <p>References: <a
- href="https://issues.apache.org/jira/browse/PROTON-1228">PROTON-1228</a>
- and <a
- href="https://issues.apache.org/jira/browse/PROTON-1233">PROTON-1233</a>.</p>
- </div>
- </td>
- </tr>
- <tr>
- <td>CVE-2016-2166</td>
- <td>Moderate</td>
- <td>0.9 through 0.12.0 (inclusive)</td>
- <td>0.12.1 and later</td>
- <td>
- Python bindings silently ignore request for amqps if SSL/TLS not supported. <a id="CVE_2016_2166_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_2166_details', controlId:'CVE_2016_2166_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2016_2166_details">
- <p>Versions Affected: Apache Qpid Proton python API starting
- at 0.9 up to and including version 0.12.0.</p>
- <p>Description: Messaging applications using the Proton
- Python API to provision an SSL/TLS encrypted TCP connection
- may actually instantiate a non-encrypted connection without
- notice if SSL support is unavailable. This will result in
- all messages being sent in the clear without the knowledge
- of the user.<br/> This issue affects those applications
- that use the Proton Reactor Python API to create SSL/TLS
- connections. Specifically the proton.reactor.Connector,
- proton.reactor.Container, and
- proton.utils.BlockingConnection classes are vulnerable.
- These classes can create an unencrypted connections if the
- "amqps://" URL prefix is used.<br/> The issue only occurs
- if the installed Proton libraries do not support SSL. This
- would be the case if the libraries were built without SSL
- support or the necessary SSL libraries are not present on
- the system (e.g. OpenSSL in the case of *nix).<br/> To
- check whether or not the Python API provides SSL support,
- use the following console command:<br/>python -c "import
- proton; print('%s' % 'SSL present' if proton.SSL.present()
- else 'SSL NOT AVAILBLE')"<br/>In addition, the issue can
- only occur if both ends of the connection connect without
- SSL. This would be the case if the vulnerability is active
- on both ends of the connection, or the non-affected endpoint
- allows cleartext connections.</p>
- <p>Resolution: Proton release 0.12.1 resolves this issue by
- raising an SSLUnavailable exception when SSL is not
- available and a SSL/TLS connection is requested via the
- "amqps://" URL
- prefix.<br/>A <a href="https://issues.apache.org/jira/browse/PROTON-1157">patch</a>
- is also available.</p>
- <p>References: <a href="https://issues.apache.org/jira/browse/PROTON-1157">PROTON-1157</a></p>
- <p>Credit: This issue was discovered by M. Farrellee from Red Hat.</p>
- </div>
- </td>
- </tr>
- </tbody>
-</table>
-
-</section>
-
-See the main [Security]({{site_url}}/security.html) page for general information and details for other components.
+See the main [Security]({{site_url}}/security.html) page for general
+information and details for other components.
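Review bot: the two new rows rate their CVEs on different scales, `Medium` for CVE-2016-4467 and `Moderate` for CVE-2016-2166, while the other component tables in this commit use Important/Moderate/Low; settle on one vocabulary here, since the per-CVE pages generated from these rows will otherwise carry the mismatch. Also confirm that the detail text removed from this page, in particular the `PN_SSL_VERIFY_PEER_NAME` / `pn_ssl_set_peer_hostname()` conditions and the `proton.SSL.present()` check command, landed in the new `input/cves/CVE-2016-4467.md` and `input/cves/CVE-2016-2166.md`, because the component page now keeps only the one-line summary.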
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/security.md
----------------------------------------------------------------------
diff --git a/input/security.md b/input/security.md
index 4361ac2..85eaa96 100644
--- a/input/security.md
+++ b/input/security.md
@@ -21,7 +21,7 @@
<section markdown="1">
-## Security Updates
+## Security updates
Details of security problems fixed in released versions of individual Apache
Qpid components are detailed at:
@@ -30,13 +30,12 @@ Qpid components are detailed at:
<section markdown="1">
- [Broker for Java]({{site_url}}/components/java-broker/security.html)
- - [C++ Broker]({{site_url}}/components/cpp-broker/security.html)
+ - [C++ broker]({{site_url}}/components/cpp-broker/security.html)
</section>
<section markdown="1">
- - [JMS Client (AMQP 1.0)]({{site_url}}/components/jms/security.html)
- - [JMS Client (AMQP 0.x)]({{site_url}}/components/jms/security-0-x.html)
+ - [JMS client]({{site_url}}/components/jms/security.html)
- [Proton]({{site_url}}/proton/security.html)
</section>
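Review bot: this hunk drops the separate `JMS Client (AMQP 0.x)` entry pointing at `security-0-x.html` and leaves a single `JMS client` link, and the file list shows `input/components/jms/security-0-x.md` being deleted; add a redirect from the old `security-0-x.html` URL (or keep the page as a stub linking to the 0-x section of `jms/security.html`), otherwise external links to the 0-x advisory page break.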
@@ -45,7 +44,7 @@ Qpid components are detailed at:
</section>
<section markdown="1">
-## Reporting New Security Problems with Apache Qpid
+## Reporting new security problems with Apache Qpid
We take a very active stance in eliminating security problems and
denial of service attacks against Apache Qpid.

[3/3] qpid-site git commit: QPID-7756: Give each CVE its own page;
link to CVEs from component pages
Posted by jr...@apache.org.
QPID-7756: Give each CVE its own page; link to CVEs from component pages
Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/891f697b
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/891f697b
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/891f697b
Branch: refs/heads/asf-site
Commit: 891f697bdb58236cdbf79f7cee72c7bcb7dd925c
Parents: d03960c
Author: Justin Ross <jr...@apache.org>
Authored: Mon May 15 15:28:34 2017 +0200
Committer: Justin Ross <jr...@apache.org>
Committed: Mon May 15 15:28:34 2017 +0200
----------------------------------------------------------------------
content/components/cpp-broker/index.html | 1 +
content/components/cpp-broker/security.html | 208 +++++----------------
content/components/java-broker/index.html | 1 +
content/components/java-broker/security.html | 158 ++++------------
content/components/jms/amqp-0-x.html | 6 +
content/components/jms/index.html | 1 +
content/components/jms/security.html | 89 +++++----
content/cves/CVE-2014-3629.html | 197 ++++++++++++++++++++
content/cves/CVE-2015-0203.html | 208 +++++++++++++++++++++
content/cves/CVE-2015-0223.html | 187 +++++++++++++++++++
content/cves/CVE-2015-0224.html | 196 ++++++++++++++++++++
content/cves/CVE-2016-2166.html | 211 ++++++++++++++++++++++
content/cves/CVE-2016-3094.html | 199 ++++++++++++++++++++
content/cves/CVE-2016-4432.html | 196 ++++++++++++++++++++
content/cves/CVE-2016-4467.html | 207 +++++++++++++++++++++
content/cves/CVE-2016-4974.html | 196 ++++++++++++++++++++
content/cves/CVE-2016-8741.html | 191 ++++++++++++++++++++
content/cves/template.html | 167 +++++++++++++++++
content/proton/index.html | 1 +
content/proton/security.html | 141 +++------------
content/security.html | 9 +-
input/components/cpp-broker/index.md | 1 +
input/components/cpp-broker/security.md | 179 +-----------------
input/components/java-broker/index.md | 1 +
input/components/java-broker/security.md | 135 +-------------
input/components/jms/amqp-0-x.md | 4 +
input/components/jms/index.md | 1 +
input/components/jms/security-0-x.md | 72 --------
input/components/jms/security.md | 57 +-----
input/cves/CVE-2014-3629.md | 53 ++++++
input/cves/CVE-2015-0203.md | 64 +++++++
input/cves/CVE-2015-0223.md | 43 +++++
input/cves/CVE-2015-0224.md | 52 ++++++
input/cves/CVE-2016-2166.md | 66 +++++++
input/cves/CVE-2016-3094.md | 55 ++++++
input/cves/CVE-2016-4432.md | 52 ++++++
input/cves/CVE-2016-4467.md | 63 +++++++
input/cves/CVE-2016-4974.md | 52 ++++++
input/cves/CVE-2016-8741.md | 47 +++++
input/cves/template.md | 23 +++
input/proton/index.md | 1 +
input/proton/security.md | 122 +------------
input/security.md | 9 +-
43 files changed, 2929 insertions(+), 993 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/components/cpp-broker/index.html
----------------------------------------------------------------------
diff --git a/content/components/cpp-broker/index.html b/content/components/cpp-broker/index.html
index eba624b..6f7513b 100644
--- a/content/components/cpp-broker/index.html
+++ b/content/components/cpp-broker/index.html
@@ -197,6 +197,7 @@ that stores, routes, and forwards messages using AMQP.</p>
<h2 id="resources">Resources</h2>
<ul>
+<li><a href="security.html">Security</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/qpid+extensions+to+amqp">Qpid extensions to AMQP</a></li>
</ul>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/components/cpp-broker/security.html
----------------------------------------------------------------------
diff --git a/content/components/cpp-broker/security.html b/content/components/cpp-broker/security.html
index 6b73d3d..a9071f0 100644
--- a/content/components/cpp-broker/security.html
+++ b/content/components/cpp-broker/security.html
@@ -116,176 +116,50 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
<div id="-middle-content">
<h1 id="security">Security</h1>
-<section>
-
-<h2 id="c-broker">C++ Broker</h2>
-
<table>
- <thead>
- <tr>
- <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>CVE-2015-0224</td>
- <td>Moderate</td>
- <td>0.30 and earlier</td>
- <td>0.32 and later</td>
- <td>qpidd can be crashed by unauthenticated user
- <a id="CVE_2015_0224_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0224_details', controlId:'CVE_2015_0224_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2015_0224_details">
- <p>Description: In CVE-2015-0203 it was announced that
- certain unexpected protocol sequences cause the broker
- process to crash due to insufficient checking, but that
- authentication could be used to restrict the exploitation
- of this vulnerability.<br/> It has now been discovered
- that in fact failing authentication does not necessarily
- prevent exploitation of those reported
- vulnerabilities.<br/> Further, it was stated that one of
- the specific vulnerabilities was that the qpidd broker can
- be crashed by sending it a sequence-set containing an
- invalid range, where the start of the range is after the
- end. This was an incorrect analysis of the vulnerability,
- which is in fact caused by a sequence-set containing a
- single range expressing the maximum possible gap.</p>
-
- <p>Solution: A further patch is available that handles a
- range expressing the maximum possible gap without assertion
- (<a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a>). The
- fix will be included in subsequent releases, but can be
- applied to 0.30 if desired.</p>
-
- <p>Credit: This issue was discovered by G. Geshev from MWR
- Labs</p>
- </div>
- </td>
- </tr>
-
- <tr>
- <td>CVE-2015-0223</td>
- <td>Moderate</td>
- <td>0.30 and earlier</td>
- <td>0.32 and later</td>
- <td>anonymous access to qpidd cannot be prevented
- <a id="CVE_2015_0223_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0223_details', controlId:'CVE_2015_0223_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2015_0223_details">
- <p>Description: An attacker can gain access to qpidd as an
- anonymous user, even if the ANONYMOUS mechanism is
- disallowed.</p>
-
- <p>Solution: A patch is available
- (<a href="https://issues.apache.org/jira/browse/QPID-6325">QPID-6325</a>)
- that addresses this vulnerability. The fix will be included
- in subsequent releases, but can be applied to 0.30 if
- desired.</p>
-
- <p>Common Vulnerability Score information: Authorization can
- be used to restrict access to broker entities such as queue
- and exchanges.</p>
-
- <p>Credit: This issue was discovered by G. Geshev from MWR
- Labs</p>
- </div>
- </td>
- </tr>
-
- <tr>
- <td>CVE-2015-0203</td>
- <td>Moderate</td>
- <td>0.30 and earlier</td>
- <td>0.32 and later</td>
- <td>qpidd can be crashed by authenticated user
- <a id="CVE_2015_0203_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0203_details', controlId:'CVE_2015_0203_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2015_0203_details">
- <p>Description: Certain unexpected protocol sequences cause
- the broker process to crash due to insufficient
- checking. Three distinct cases were identified as follows:<br/>
- The AMQP 0-10 protocol defines a sequence set containing
- id ranges. The qpidd broker can be crashed by sending it a
- sequence-set containing an invalid range, where the start of
- the range is after the end. This condition causes an
- assertion, which causes the broker process to exit.<br/>
- The AMQP 0-10 protocol defines header- and body- segments
- that may follow certain commands. The only command for which
- such segments are expected by qpidd is the message-transfer
- command. If another command is sent that includes header
- and/or body segments, this will cause a segmentation fault
- in the broker process, causing it then to exit.<br/>
- The AMQP 0-10 protocol defines a session-gap control that
- can be sent on any established session. The qpidd broker
- does not support this control and responds with an
- appropriate error if requested on an established
- session. However, if the control is sent before the session
- is opened, the brokers handling causes an assertion which
- results in the broker process exiting.</p>
-
- <p>Solution: A patch is available
- (<a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a>)
- that handles all these errors by sending an exception
- control to the remote peer and leave the broker available to
- all other users. The fix will be included in subsequent
- releases, but can be applied to 0.30 if desired.</p>
-
- <p>Common Vulnerability Score information: Authentication
- can be used to restrict access to the broker. However any
- authenticated user would be able to trigger this condition
- which could therefore be considered a form of denial of
- service.</p>
-
- <p>Credit: This issue was discovered by G. Geshev from MWR
- Labs</p>
- </div>
- </td>
- </tr>
-
- <tr>
- <td>CVE-2014-3629</td>
- <td>Low</td>
- <td>0.30 and earlier</td>
- <td>0.32 and later</td>
- <td>qpidd can be induced to make http requests
- <a id="CVE_2014_3629_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2014_3629_details', controlId:'CVE_2014_3629_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2014_3629_details">
- <p>Description: The XML exchange type is an optional,
- dynamically loaded module for qpidd that allows creation of
- exchanges that route messages based on evaluating an xquery
- expression against them.<br/>On parsing a message sent to an
- XML exchange, whose body is XML containing a link to a DTD,
- the broker process will attempt to retrieve the referenced
- resource(s). I.e. the broker process may be induced to make
- outgoing HTTP connections by publishing a message containing
- links to an XML exchange.</p>
-
- <p>Solution:
- A <a href="https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch">patch</a>
- is available that prevents any retrieval of external
- entities referenced in the XML. This will be included in
- subsequent releases, but can be applied to 0.30 if
- desired.</p>
-
- <p>Common Vulnerability Score information: If the XML
- exchange functionality is not required, the module in
- question need not be loaded at all. This can be done either
- by moving the module - named xml.so - out of the module
- directory, or by setting the --no-module-dir option and
- adding an explicit --load-module argument for every required
- module.<br/>Where the XML exchange functionality is
- required, authorisation may be enabled to prevent all but
- trusted users from creating or publishing to xml
- exchanges.</p>
-
- <p>Credit: This issue was discovered by G. Geshev from MWR
- Labs</p>
- </div>
- </td>
- </tr>
- </tbody>
+<thead>
+<tr>
+ <th>CVE-ID</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Fixed versions</th>
+ <th>Summary</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+ <td><a href="/cves/CVE-2015-0224.html">CVE-2015-0224</a></td>
+ <td>Moderate</td>
+ <td>0.30 and earlier</td>
+ <td>0.32 and later</td>
+ <td>Qpidd can be crashed by an unauthenticated user</td>
+</tr>
+<tr>
+ <td><a href="/cves/CVE-2015-0223.html">CVE-2015-0223</a></td>
+ <td>Moderate</td>
+ <td>0.30 and earlier</td>
+ <td>0.32 and later</td>
+ <td>Anonymous access to qpidd cannot be prevented</td>
+</tr>
+<tr>
+ <td><a href="/cves/CVE-2015-0203.html">CVE-2015-0203</a></td>
+ <td>Moderate</td>
+ <td>0.30 and earlier</td>
+ <td>0.32 and later</td>
+ <td>Qpidd can be crashed by an authenticated user</td>
+</tr>
+<tr>
+ <td><a href="/cves/CVE-2014-3629.html">CVE-2014-3629</a></td>
+ <td>Low</td>
+ <td>0.30 and earlier</td>
+ <td>0.32 and later</td>
+ <td>Qpidd can be induced to make HTTP requests</td>
+</tr>
+</tbody>
</table>
-</section>
-
-<p>See the main <a href="/security.html">Security</a> page for general information and details for other components.</p>
+<p>See the main <a href="/security.html">Security</a> page for general
+information and details for other components.</p>
<hr/>
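Review bot: the removed detail blocks carried the operational mitigations (moving `xml.so` out of the module directory, `--no-module-dir` with explicit `--load-module`, enabling authorisation for XML exchanges) and the credit lines; make sure they appear verbatim on the new `content/cves/CVE-2014-3629.html` and sibling pages, since the component table now keeps only a summary. As a style point, the summaries now capitalise the daemon name as `Qpidd` at sentence start (CVE-2015-0224, CVE-2015-0203, CVE-2014-3629 rows) while the CVE-2015-0223 row keeps `qpidd`; rephrasing to "The qpidd broker can be crashed ..." avoids altering the process name.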
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/components/java-broker/index.html
----------------------------------------------------------------------
diff --git a/content/components/java-broker/index.html b/content/components/java-broker/index.html
index 5aa38fa..f9a8ea5 100644
--- a/content/components/java-broker/index.html
+++ b/content/components/java-broker/index.html
@@ -192,6 +192,7 @@ that stores, routes, and forwards messages using AMQP.</p>
<h2 id="resources">Resources</h2>
<ul>
+<li><a href="security.html">Security</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/qpid+java+faq">FAQ</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/java+broker+design">Design documents</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/qpid+extensions+to+amqp">Qpid extensions to AMQP</a></li>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/components/java-broker/security.html
----------------------------------------------------------------------
diff --git a/content/components/java-broker/security.html b/content/components/java-broker/security.html
index 0c845d6..20706a5 100644
--- a/content/components/java-broker/security.html
+++ b/content/components/java-broker/security.html
@@ -116,133 +116,43 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
<div id="-middle-content">
<h1 id="security">Security</h1>
-<section>
-
-<h2 id="broker-for-java">Broker for Java</h2>
-
<table>
- <thead>
- <tr>
- <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>CVE-2016-4432</td>
- <td>Important</td>
- <td>6.0.2 and earlier</td>
- <td><a href="/releases/qpid-java-6.0.3/">6.0.3</a></td>
- <td>
- Authentication Bypass. <a id="CVE_2016_4432_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_4432_details', controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2016_4432_details">
- <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.2 and
- earlier</p>
- <p>Description: The code responsible for handling incoming
- AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw
- that allows authentication to be bypassed. An remote
- attacker can exploit this vulnerability to perform actions,
- without the need to specify valid credentials. For
- instance, unauthorised messages could be injected or
- messages stolen.<br/>The vulnerability cannot be exploited
- if the Access Control List (ACL) feature is enabled AND
- access to all virtual hosts controlled.<br/>The
- vulnerability does not apply to the Broker's AMQP 1.0
- support.<br/>The vulnerability does not apply if the Broker
- is configured to require SSL client authentication for all
- messaging connections.</p>
- <p>Resolution: Users should upgrade the Apache Qpid Broker for Java to
- version 6.0.3 or later (recommended).</p>
- <p>Mitigation: If upgrading is not possible, the
- vulnerability can be mitigated using an ACL file containing
- "ACCESS VIRTUALHOST" clauses that white-lists user access to
- all virtualhosts.<br/>If AMQP 0-8, 0-9, 0-91, and 0-10
- support is not required, the vulnerability can also be
- mitigated by turning off these protocols at the Port
- level.</p>
- <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7257">QPID-7257</a></p>
- </div>
- </td>
- </tr>
-
- <tr>
- <td>CVE-2016-3094</td>
- <td>Important</td>
- <td>6.0.0, 6.0.1, 6.0.2</td>
- <td><a href="/releases/qpid-java-6.0.3/">6.0.3</a></td>
- <td>
- Denial of Service.
- <a id="CVE_2016_3094_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_3094_details', controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2016_3094_details">
- <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.0,
- 6.0.1, and 6.0.2</p>
- <p>Description: A malformed authentication attempt may cause
- the broker to terminate. The Apache Qpid Broker for Java supports a
- number of configurable authentication providers each
- supporting various SASL mechanisms. Some mechanisms need (or
- can be configured to accept) plain-text passwords being sent
- to the Broker (using the SASL "PLAIN" mechanism). Where the
- broker has been configured to allow plain-text passwords for
- authentication it is possible for a client to send a
- malformed authentication attempt which will lead the broker
- to terminate due to an uncaught Exception.<br/> Brokers
- configured to use authentication from the
- "PlainPasswordFile", "SimpleLDAP", or
- "Base64MD5PasswordFile" providers are vulnerable if the
- "PLAIN" mechanism is enabled (by default "PLAIN" will be
- disabled on non-TLS ports, but enabled on TLS
- connections).</p>
- <p>Mitigation: Users should upgrade their Apache Qpid Broker for Java
- to version 6.0.3 or later. If this is not possible, users
- can disable the PLAIN mechanism for their authentication
- manager on versions 0.32 and later by adding "PLAIN" to the
- list of disabledMechanisms on their authentication provider
- object.<br/>Note that the SimpleLDAP authentication provider
- requires PLAIN and so this work around does not apply
- there.</p>
- <p>Credit: This issue was discovered by Alex Szczuczko of
- Red Hat, Inc.</p>
- <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7271">QPID-7271</a></p>
- </div>
- </td>
- </tr>
- <tr>
- <td>CVE-2016-8741</td>
- <td>Moderate</td>
- <td>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</td>
- <td><a href="/releases/qpid-java-6.0.6/">6.0.6</a>, <a href="/releases/qpid-java-6.1.1/">6.1.1</a></td>
- <td>
- Information Leakage.
- <a id="CVE-2016-8741_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-8741_details', controlId:'CVE-2016-8741_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE-2016-8741_details">
- <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.1,
- 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</p>
- <p>Description: The Qpid Broker for Java can be configured to use different so
- called AuthenticationProviders to handle user authentication.<br/>
- Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256
- AuthenticationProvider types.
-
- It was discovered that these AuthenticationProviders prematurely
- terminate the SCRAM SASL negotiation if the provided user name
- does not exist thus allowing remote attacker to determine the
- existence of user accounts.<br/>
-
- The Vulnerability does not apply to AuthenticationProviders other
- than SCRAM-SHA-1 and SCRAM-SHA-256.</p>
- <p>Mitigation: Users should upgrade the Qpid Broker for Java to version 6.0.6,
- 6.1.1, or later (recommended).
- If upgrading is not possible, the vulnerability can be mitigated
- by using an AuthenticationProvider other than SCRAM-SHA-1 and
- SCRAM-SHA-256. </p>
- <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a></p>
- </div>
- </td>
- </tr>
- </tbody>
+<thead>
+<tr>
+ <th>CVE-ID</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Fixed versions</th>
+ <th>Summary</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+ <td><a href="/cves/CVE-2016-3094.html">CVE-2016-3094</a></td>
+ <td>Important</td>
+ <td>6.0.0, 6.0.1, and 6.0.2</td>
+ <td>6.0.3</td>
+ <td>Denial of service</td>
+</tr>
+<tr>
+ <td><a href="/cves/CVE-2016-4432.html">CVE-2016-4432</a></td>
+ <td>Important</td>
+ <td>6.0.2 and earlier</td>
+ <td>6.0.3</td>
+ <td>Authentication bypass</td>
+</tr>
+<tr>
+ <td><a href="/cves/CVE-2016-8741.html">CVE-2016-8741</a></td>
+ <td>Moderate</td>
+ <td>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</td>
+ <td>6.0.6, 6.1.1</td>
+ <td>Information leakage</td>
+</tr>
+</tbody>
</table>
-</section>
-
-<p>See the main <a href="/security.html">Security</a> page for general information and details for other components.</p>
+<p>See the main <a href="/security.html">security</a> page for general
+information and details for other components.</p>
<hr/>
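Review bot: the new `Fixed versions` cells lose the links to the release pages that the removed rows had (`/releases/qpid-java-6.0.3/`, `/releases/qpid-java-6.0.6/`, `/releases/qpid-java-6.1.1/`), so a reader can no longer jump from the advisory to the download; keep those links in the cells, as in `<td><a href="/releases/qpid-java-6.0.3/">6.0.3</a></td>`. The footer link text is also lowercased to `security` here while the cpp-broker page in the same commit keeps `Security`; pick one.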
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/components/jms/amqp-0-x.html
----------------------------------------------------------------------
diff --git a/content/components/jms/amqp-0-x.html b/content/components/jms/amqp-0-x.html
index 4f5014f..4d5226f 100644
--- a/content/components/jms/amqp-0-x.html
+++ b/content/components/jms/amqp-0-x.html
@@ -165,6 +165,12 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
<li><a href="https://git-wip-us.apache.org/repos/asf/qpid-jms-amqp-0-x.git">Git clone URL</a></li>
</ul>
+<h2 id="resources">Resources</h2>
+
+<ul>
+<li><a href="security.html">Security</a></li>
+</ul>
+
<hr/>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/components/jms/index.html
----------------------------------------------------------------------
diff --git a/content/components/jms/index.html b/content/components/jms/index.html
index c501b61..c210d2f 100644
--- a/content/components/jms/index.html
+++ b/content/components/jms/index.html
@@ -186,6 +186,7 @@ API</li>
<h2 id="resources">Resources</h2>
<ul>
+<li><a href="security.html">Security</a></li>
<li><a href="amqp-0-x.html">AMQP 0-x JMS Client</a></li>
</ul>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/components/jms/security.html
----------------------------------------------------------------------
diff --git a/content/components/jms/security.html b/content/components/jms/security.html
index 86986f1..d52ca19 100644
--- a/content/components/jms/security.html
+++ b/content/components/jms/security.html
@@ -116,57 +116,54 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
<div id="-middle-content">
<h1 id="security">Security</h1>
-<section>
-
-<h2 id="jms-client-amqp-10">JMS Client (AMQP 1.0)</h2>
+<h2 id="amqp-10-jms">AMQP 1.0 JMS</h2>
<table>
- <thead>
- <tr>
- <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>CVE-2016-4974</td>
- <td>Moderate</td>
- <td>0.9.0 and earlier</td>
- <td>0.10.0 and later</a></td>
- <td>
- Deserialization of untrusted input while using JMS ObjectMessage. <a id="CVE-2016-4974_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-4974_details', controlId:'CVE-2016-4974_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE-2016-4974_details">
- <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are
- subject to the behaviour of any object deserialization during the process
- of constructing the body to return. Unless the application has taken outside
- steps to limit the deserialization process, they can't protect against
- input that might try to make undesired use of classes available on the
- application classpath that might be vulnerable to exploitation.
- In order to exploit this vulnerability, an attacker would need
- to be able to inject a suitably crafted AMQP message containing the
- malicious JMS Object Message into the AMQP message network. For this,
- the attacker would require valid authentication credentials and
- suitable authorisation.</p>
-
- <p> Mitigation: Users using ObjectMessage can upgrade to
- Qpid JMS client 0.10.0 or later, and use the new
- configuration options to whitelist trusted content permitted for
- deserialization. When so configured, attempts to deserialize input
- containing other content will be prevented. Alternatively, users of older
- client releases may utilise other means such as agent-based approaches to help
- govern content permitted for deserialization in their application.</p>
-
- <p> Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com)</p>
-
- <p>References: <a href="https://issues.apache.org/jira/browse/QPIDJMS-188">QPIDJMS-188</a></p>
- </div>
- </td>
- </tr>
- </tbody>
+<thead>
+<tr>
+ <th>CVE-ID</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Fixed versions</th>
+ <th>Summary</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+ <td><a href="/cves/CVE-2016-4974.html">CVE-2016-4974</a></td>
+ <td>Moderate</td>
+ <td>0.9.0 and earlier</td>
+ <td>0.10.0 and later</td>
+ <td>Deserialization of untrusted input while using JMS ObjectMessage</td>
+</tr>
+</tbody>
</table>
-</section>
+<h2 id="amqp-0-x-jms-amqp-0-8-0-9-0-9-1-0-10">AMQP 0-x JMS (AMQP 0-8, 0-9, 0-9-1, 0-10)</h2>
+
+<table>
+<thead>
+<tr>
+ <th>CVE-ID</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Fixed versions</th>
+ <th>Summary</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+ <td><a href="/cves/CVE-2016-4974.html">CVE-2016-4974</a></td>
+ <td>Moderate</td>
+ <td>0.9.0 and earlier</td>
+ <td>0.10.0 and later</td>
+ <td>Deserialization of untrusted input while using JMS ObjectMessage</td>
+</tr>
+</tbody>
+</table>
-<p>See the main <a href="/security.html">Security</a> page for general information and details for other components.</p>
+<p>See the main <a href="/security.html">Security</a> page for general
+information and details for other components.</p>
<hr/>
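Review bot: the new AMQP 0-x JMS table (the second `<table>` under `<h2 id="amqp-0-x-jms-amqp-0-8-0-9-0-9-1-0-10">`) repeats the CVE-2016-4974 row verbatim from the AMQP 1.0 JMS table, including `0.9.0 and earlier` / `0.10.0 and later`, which are AMQP 1.0 client version numbers; the removed detail text tied this issue to QPIDJMS-188, the AMQP 1.0 client, so either the row belongs only in the first table or the 0-x table needs its own entry with the 0-x client's versions. Also, renaming the heading id from `jms-client-amqp-10` to `amqp-10-jms` breaks any existing `#jms-client-amqp-10` fragment links; consider keeping the old id or adding an anchor for it.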
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2014-3629.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2014-3629.html b/content/cves/CVE-2014-3629.html
new file mode 100644
index 0000000..761953e
--- /dev/null
+++ b/content/cves/CVE-2014-3629.html
@@ -0,0 +1,197 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2014-3629 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2014-3629</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2014-3629">CVE-2014-3629</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Low</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid C++ broker</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.30 and earlier</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.32 and later</p>
+
+<h2 id="description">Description</h2>
+
+<p>Qpidd can be induced to make http requests.</p>
+
+<p>The XML exchange type is an optional, dynamically loaded module for
+qpidd that allows creation of exchanges that route messages based on
+evaluating an xquery expression against them.</p>
+
+<p>On parsing a message sent to an XML exchange, whose body is XML
+containing a link to a DTD, the broker process will attempt to
+retrieve the referenced resource(s). I.e. the broker process may be
+induced to make outgoing HTTP connections by publishing a message
+containing links to an XML exchange.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>A patch is available that prevents any retrieval of external entities
+referenced in the XML. This will be included in subsequent releases,
+but can be applied to 0.30 if desired.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>If the XML exchange functionality is not required, the module in
+question need not be loaded at all. This can be done either by moving
+the module - named xml.so - out of the module directory, or by setting
+the --no-module-dir option and adding an explicit --load-module
+argument for every required module.</p>
+
+<p>Where the XML exchange functionality is required, authorisation may be
+enabled to prevent all but trusted users from creating or publishing
+to xml exchanges.</p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was discovered by G. Geshev from MWR Labs.</p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
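Review bot: the Resolution section says `A patch is available that prevents any retrieval of external entities` but, unlike the other CVE pages in this commit, this page has no `References` heading and names no JIRA issue, so readers cannot locate the patch; add the issue link under a `<h2 id="references">References</h2>` section as the sibling pages do. Minor: the one-line description says `http requests` while the body says `HTTP connections`, and `xml exchanges` appears alongside `XML exchange`; pick one capitalisation for each.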
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2015-0203.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2015-0203.html b/content/cves/CVE-2015-0203.html
new file mode 100644
index 0000000..5b7d096
--- /dev/null
+++ b/content/cves/CVE-2015-0203.html
@@ -0,0 +1,208 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2015-0203 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2015-0203</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2015-0203">CVE-2015-0203</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Moderate</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid C++ broker</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.30 and earlier</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.32 and later</p>
+
+<h2 id="description">Description</h2>
+
+<p>Qpidd can be crashed by an authenticated user.</p>
+
+<p>Certain unexpected protocol sequences cause the broker process to
+crash due to insufficient checking. Three distinct cases were
+identified as follows:</p>
+
+<ul>
+<li><p>The AMQP 0-10 protocol defines a sequence set containing id
+ranges. The qpidd broker can be crashed by sending it a
+sequence-set containing an invalid range, where the start of the
+range is after the end. This condition causes an assertion, which
+causes the broker process to exit.</p></li>
+<li><p>The AMQP 0-10 protocol defines header- and body- segments that may
+follow certain commands. The only command for which such segments
+are expected by qpidd is the message-transfer command. If another
+command is sent that includes header and/or body segments, this
+will cause a segmentation fault in the broker process, causing it
+then to exit.</p></li>
+<li><p>The AMQP 0-10 protocol defines a session-gap control that can be
+sent on any established session. The qpidd broker does not support
+this control and responds with an appropriate error if requested on
+an established session. However, if the control is sent before the
+session is opened, the brokers handling causes an assertion which
+results in the broker process exiting.</p></li>
+</ul>
+
+<p>Authentication can be used to restrict access to the broker. However
+any authenticated user would be able to trigger this condition which
+could therefore be considered a form of denial of service.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>A patch is available (QPID-6310) that handles all these errors by
+sending an exception control to the remote peer and leave the broker
+available to all other users. The fix will be included in subsequent
+releases, but can be applied to 0.30 if desired.</p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was discovered by G. Geshev from MWR Labs.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
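Review bot: the Description asserts that `Authentication can be used to restrict access to the broker`, but the CVE-2015-0224 page added in this same commit states that failing authentication does not necessarily prevent exploitation and that the sequence-set analysis given here (`start of the range is after the end`) was incorrect; this page should cross-link CVE-2015-0224 so readers do not rely on the superseded mitigation. Grammar: `sending an exception control to the remote peer and leave the broker` should read `leaves the broker`, and `the brokers handling` should be `the broker's handling`.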
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2015-0223.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2015-0223.html b/content/cves/CVE-2015-0223.html
new file mode 100644
index 0000000..86b4f1b
--- /dev/null
+++ b/content/cves/CVE-2015-0223.html
@@ -0,0 +1,187 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2015-0233 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2015-0233</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2015-0233">CVE-2015-0233</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Moderate</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid C++ broker</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.30 and earlier</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.32 and later</p>
+
+<h2 id="description">Description</h2>
+
+<p>Anonymous access to qpidd cannot be prevented.</p>
+
+<p>An attacker can gain access to qpidd as an anonymous user, even if the
+ANONYMOUS mechanism is disallowed.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>A patch is available (QPID-6325) that addresses this
+vulnerability. The fix will be included in subsequent releases, but
+can be applied to 0.30 if desired.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>Authorization can be used to restrict access to broker entities such
+as queue and exchanges.</p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was discovered by G. Geshev from MWR Labs.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPID-6325">QPID-6325</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
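Review bot: the identifier is inconsistent within this file: the path is `content/cves/CVE-2015-0223.html` but `<title>`, the `-path-navigation` breadcrumb and `<h1 id="cve-2015-0233">` all say CVE-2015-0233. One of them is a typo; whichever is right, the source `.md`, the file name and the links from the component security tables must all agree or the page will be unreachable or mislabelled. Minor: `queue and exchanges` in the Mitigation should be `queues and exchanges`.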
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2015-0224.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2015-0224.html b/content/cves/CVE-2015-0224.html
new file mode 100644
index 0000000..26d1a84
--- /dev/null
+++ b/content/cves/CVE-2015-0224.html
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2015-0224 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2015-0224</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2015-0224">CVE-2015-0224</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Moderate</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid C++ broker</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.30 and earlier</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.32 and later</p>
+
+<h2 id="description">Description</h2>
+
+<p>Qpidd can be crashed by unauthenticated user.</p>
+
+<p>In CVE-2015-0203 it was announced that certain unexpected protocol
+sequences cause the broker process to crash due to insufficient
+checking, but that authentication could be used to restrict the
+exploitation of this vulnerability.</p>
+
+<p>It has now been discovered that in fact failing authentication does
+not necessarily prevent exploitation of those reported
+vulnerabilities.</p>
+
+<p>Further, it was stated that one of the specific vulnerabilities was
+that the qpidd broker can be crashed by sending it a sequence-set
+containing an invalid range, where the start of the range is after the
+end. This was an incorrect analysis of the vulnerability, which is in
+fact caused by a sequence-set containing a single range expressing the
+maximum possible gap.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>A further patch is available that handles a range expressing the
+maximum possible gap without assertion (QPID-6310). The fix will be
+included in subsequent releases, but can be applied to 0.30 if
+desired.</p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was discovered by G. Geshev from MWR Labs.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
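Review bot: `Qpidd can be crashed by unauthenticated user` in the one-line description is missing the article (`by an unauthenticated user`). Also, both this page and CVE-2015-0203 cite QPID-6310 as the fix, while the Resolution here says `A further patch is available`; if the follow-up fix has its own JIRA, reference it so the two CVEs are distinguishable by ticket.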
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-2166.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2016-2166.html b/content/cves/CVE-2016-2166.html
new file mode 100644
index 0000000..c00eafa
--- /dev/null
+++ b/content/cves/CVE-2016-2166.html
@@ -0,0 +1,211 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2016-2166 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-2166</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2016-2166">CVE-2016-2166</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Moderate</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Proton</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.9 through 0.12.0 inclusive</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.12.1 and later</p>
+
+<h2 id="description">Description</h2>
+
+<p>Python bindings silently ignore request for amqps if SSL/TLS not
+supported.</p>
+
+<p>Messaging applications using the Proton Python API to provision an
+SSL/TLS encrypted TCP connection may actually instantiate a
+non-encrypted connection without notice if SSL support is
+unavailable. This will result in all messages being sent in the clear
+without the knowledge of the user.</p>
+
+<p>This issue affects those applications that use the Proton Reactor
+Python API to create SSL/TLS connections. Specifically the
+proton.reactor.Connector, proton.reactor.Container, and
+proton.utils.BlockingConnection classes are vulnerable. These classes
+can create an unencrypted connections if the "amqps://" URL prefix is
+used.</p>
+
+<p>The issue only occurs if the installed Proton libraries do not support
+SSL. This would be the case if the libraries were built without SSL
+support or the necessary SSL libraries are not present on the system
+(e.g. OpenSSL in the case of *nix).</p>
+
+<p>To check whether or not the Python API provides SSL support, use the
+following console command:</p>
+
+<pre><code>python -c "import proton; print('%s' % 'SSL present' if proton.SSL.present() else 'SSL NOT AVAILBLE')"
+</code></pre>
+
+<p>In addition, the issue can only occur if both ends of the connection
+connect without SSL. This would be the case if the vulnerability is
+active on both ends of the connection, or the non-affected endpoint
+allows cleartext connections.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Proton release 0.12.1 resolves this issue by raising an SSLUnavailable
+exception when SSL is not available and a SSL/TLS connection is
+requested via the "amqps://" URL prefix.</p>
+
+<p>A patch is also available.</p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was discovered by M. Farrellee from Red Hat.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/PROTON-1157">PROTON-1157</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
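Review bot: the SSL check command in the Description has a typo in its output string, 'SSL NOT AVAILBLE' should read 'SSL NOT AVAILABLE', and the `'%s' %` formatting is redundant (the conditional expression binds looser than `%`, so it works, but `print('SSL present' if proton.SSL.present() else 'SSL NOT AVAILABLE')` says the same thing without the detour). It is also worth saying in that paragraph that the command must be run with the same interpreter and the same installed Proton libraries the application uses, since the paragraph above it makes the whole issue a property of the installed build. Two smaller points in the same hunk: "These classes can create an unencrypted connections" should be "an unencrypted connection", and the Resolution's "A patch is also available." gives no link while References lists only PROTON-1157; either link the patch or commit, or drop the sentence.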
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-3094.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2016-3094.html b/content/cves/CVE-2016-3094.html
new file mode 100644
index 0000000..9648dcd
--- /dev/null
+++ b/content/cves/CVE-2016-3094.html
@@ -0,0 +1,199 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2016-3094 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-3094</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2016-3094">CVE-2016-3094</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Important</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Broker for Java</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>6.0.0, 6.0.1, and 6.0.2</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p><a href="/releases/qpid-java-6.0.3/index.html">6.0.3</a></p>
+
+<h2 id="description">Description</h2>
+
+<p>Denial of Service.</p>
+
+<p>A malformed authentication attempt may cause the broker to terminate.
+The Apache Qpid Broker for Java supports a number of configurable
+authentication providers each supporting various SASL mechanisms. Some
+mechanisms need (or can be configured to accept) plain-text passwords
+being sent to the Broker (using the SASL "PLAIN" mechanism). Where
+the broker has been configured to allow plain-text passwords for
+authentication it is possible for a client to send a malformed
+authentication attempt which will lead the broker to terminate due to
+an uncaught Exception.</p>
+
+<p>Brokers configured to use authentication from the "PlainPasswordFile",
+"SimpleLDAP", or "Base64MD5PasswordFile" providers are vulnerable if
+the "PLAIN" mechanism is enabled (by default "PLAIN" will be disabled
+on non-TLS ports, but enabled on TLS connections).</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>Users should upgrade their Apache Qpid Broker for Java to
+version 6.0.3 or later. If this is not possible, users can disable
+the PLAIN mechanism for their authentication manager on versions 0.32
+and later by adding "PLAIN" to the list of disabledMechanisms on their
+authentication provider object.</p>
+
+<p>Note that the SimpleLDAP authentication provider requires PLAIN and so
+this work around does not apply there.</p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was discovered by Alex Szczuczko of Red Hat, Inc.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPID-7271">QPID-7271</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
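Review bot: the Mitigation paragraph says PLAIN can be disabled "on versions 0.32 and later", but the Affected versions section lists only 6.0.0, 6.0.1 and 6.0.2; as written a reader cannot tell whether releases between 0.32 and 6.0.0 are also affected, or whether "0.32 and later" only marks when the disabledMechanisms attribute became available. Reword to say which it is, and if it is the latter, say so in one clause ("disabledMechanisms is available from 0.32 onward"). The heading set and naming also drift from the sibling pages: this page has Mitigation but no Resolution (CVE-2016-4432 has both, CVE-2016-2166 has Resolution only), and the component is "Broker for Java" here versus "Qpid Broker for Java" on CVE-2016-4432. Pick one layout and one component name so these pages can be generated and compared consistently.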
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-4432.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2016-4432.html b/content/cves/CVE-2016-4432.html
new file mode 100644
index 0000000..7e19dfe
--- /dev/null
+++ b/content/cves/CVE-2016-4432.html
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2016-4432 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-4432</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2016-4432">CVE-2016-4432</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Important</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Broker for Java</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>6.0.2 and earlier</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p><a href="/releases/qpid-java-6.0.3/index.html">6.0.3</a></p>
+
+<h2 id="description">Description</h2>
+
+<p>The code responsible for handling incoming AMQP 0-8, 0-9, 0-91, and
+0-10 connections contains a flaw that allows authentication to be
+bypassed. An remote attacker can exploit this vulnerability to
+perform actions, without the need to specify valid credentials. For
+instance, unauthorised messages could be injected or messages stolen.</p>
+
+<p>The vulnerability cannot be exploited if the Access Control List (ACL)
+feature is enabled AND access to all virtual hosts controlled.</p>
+
+<p>The vulnerability does not apply to the Broker's AMQP 1.0 support.</p>
+
+<p>The vulnerability does not apply if the Broker is configured to
+require SSL client authentication for all messaging connections.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Users should upgrade the Apache Qpid Broker for Java to
+version 6.0.3 or later (recommended).</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>If upgrading is not possible, the vulnerability can be mitigated using
+an ACL file containing "ACCESS VIRTUALHOST" clauses that white-lists
+user access to all virtualhosts.</p>
+
+<p>If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the
+vulnerability can also be mitigated by turning off these protocols at
+the Port level.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPID-7257">QPID-7257</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
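Review bot: "An remote attacker can exploit this vulnerability" in the Description should be "A remote attacker". Two substantive points: "Affected versions: 6.0.2 and earlier" has no lower bound, so state explicitly whether every earlier release is affected or give the first affected version, as the other pages do with explicit ranges; and the Description says the bypass does not apply when the Broker requires SSL client authentication for all messaging connections, yet the Mitigation section lists only the ACL file and the port-level protocol switch. Add the client-certificate option to Mitigation so all three workarounds are in one place. Minor: the protocol list "0-8, 0-9, 0-91, and 0-10" writes 0-91 for what the specification calls 0-9-1; if 0-91 is the broker's own naming, keep it, but use it the same way across the site.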
[2/3] qpid-site git commit: QPID-7756: Give each CVE its own page;
link to CVEs from component pages
Posted by jr...@apache.org.
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-4467.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2016-4467.html b/content/cves/CVE-2016-4467.html
new file mode 100644
index 0000000..48a6dc4
--- /dev/null
+++ b/content/cves/CVE-2016-4467.html
@@ -0,0 +1,207 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2016-4467 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-4467</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2016-4467">CVE-2016-4467</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Medium</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Proton</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.8 through 0.13.0 inclusive</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.13.1 and later</p>
+
+<h2 id="description">Description</h2>
+
+<p>Failure to verify that the server host name matches the certificate
+host name on Windows.</p>
+
+<p>Messaging applications using the Proton C library to provide SSL/TLS
+authentication on Windows can falsely authenticate a server whose name
+does not match the server name in the connection specifier. Proton C
+bindings are affected to a greater or lesser degree depending on how
+they use the underlying Proton C library.</p>
+
+<p>In Proton C, this can only happen if PN_SSL_VERIFY_PEER_NAME has been
+specified as the verification mode and pn_ssl_set_peer_hostname() has
+not been called at all or has been called with a NULL value for a
+particular pn_ssl_t object.</p>
+
+<p>In the Proton C++ binding, this will always happen unless the
+application has separately specified a virtual_host name for an
+SSL/TLS connection.</p>
+
+<p>In the Proton Python and Ruby bindings, this will only happen if the
+application has separately specified a NULL virtual_host name for an
+SSL/TLS connection after creating the connection but before the
+authentication step.</p>
+
+<p>This issue only occurs on Windows versions of Proton that use the
+default SChannel-based security layer.</p>
+
+<p>In any of the preceding cases, it is possible for a man-in-the-middle
+attacker to spoof an SSL/TLS server if they had a certificate that was
+valid for any of the application's Certificate Authorities.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Proton release 0.13.1 resolves this issue in the SChannel-based
+security layer by obtaining a default non-NULL peer hostname from the
+associated connection address when initialized and by always failing
+hostname verification if PN_SSL_VERIFY_PEER_NAME has been specified
+along with a NULL peer hostname. This resolution matches the
+associated behaviour of the OpenSSL-based security layer.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/PROTON-1228">PROTON-1228</a> and
+<a href="https://issues.apache.org/jira/browse/PROTON-1233">PROTON-1233</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
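Review bot: the Severity is given as "Medium" while the sibling pages in this commit use "Moderate" and "Important"; use one scale (Low/Moderate/Important/Critical is the one the other pages already follow) so the field is comparable across CVEs. In the Description, the closing paragraph's "a certificate that was valid for any of the application's Certificate Authorities" is ambiguous; the point is that any certificate chaining to a trusted CA passes regardless of the name it was issued for, so say that directly. Finally, the page gives the per-binding conditions under which verification is skipped (C: PN_SSL_VERIFY_PEER_NAME with pn_ssl_set_peer_hostname() unset or NULL; C++: no virtual_host specified; Python/Ruby: virtual_host explicitly set to NULL) but has no Mitigation heading like the other pages; a short Mitigation section telling users on 0.8 through 0.13.0 who cannot upgrade to set the peer hostname / virtual_host before the handshake would follow directly from that text.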
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-4974.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2016-4974.html b/content/cves/CVE-2016-4974.html
new file mode 100644
index 0000000..0f13648
--- /dev/null
+++ b/content/cves/CVE-2016-4974.html
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2016-4974 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-4974</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2016-4974">CVE-2016-4974</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Moderate</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid JMS</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.9.0 and earlier</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.10.0 and later</p>
+
+<h2 id="description">Description</h2>
+
+<p>Deserialization of untrusted input while using JMS ObjectMessage.</p>
+
+<p>When applications call getObject() on a consumed JMS ObjectMessage
+they are subject to the behaviour of any object deserialization during
+the process of constructing the body to return. Unless the application
+has taken outside steps to limit the deserialization process, they
+can't protect against input that might try to make undesired use of
+classes available on the application classpath that might be
+vulnerable to exploitation. In order to exploit this vulnerability, an
+attacker would need to be able to inject a suitably crafted AMQP
+message containing the malicious JMS Object Message into the AMQP
+message network. For this, the attacker would require valid
+authentication credentials and suitable authorisation.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or
+later, and use the new configuration options to whitelist trusted
+content permitted for deserialization. When so configured, attempts to
+deserialize input containing other content will be
+prevented. Alternatively, users of older client releases may utilise
+other means such as agent-based approaches to help govern content
+permitted for deserialization in their application.</p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was discovered by Matthias Kaiser of Code White
+(www.code-white.com).</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPIDJMS-188">QPIDJMS-188</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
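Review bot: The Mitigation paragraph under `<h2 id="mitigation">` tells users to "use the new configuration options to whitelist trusted content permitted for deserialization" without naming those options or linking to the 0.10.0 client documentation, so a reader cannot act on the advice from this page alone; add the option names or a documentation link beside the upgrade advice. Two consistency points in the same hunk: the Fixed versions entry `<p>0.10.0 and later</p>` is plain text while the CVE-2016-8741 page in this commit links each fixed release to its release page, so link 0.10.0 the same way; and the `<head>` carries the Proton-specific `go-import`/`go-source` meta tags, which do not belong on a Qpid JMS advisory and look inherited from the site template.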
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/CVE-2016-8741.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2016-8741.html b/content/cves/CVE-2016-8741.html
new file mode 100644
index 0000000..6835235
--- /dev/null
+++ b/content/cves/CVE-2016-8741.html
@@ -0,0 +1,191 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2016-8741 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-8741</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2016-8741">CVE-2016-8741</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Moderate</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Broker for Java</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p><a href="/releases/qpid-java-6.0.6/index.html">6.0.6</a>, <a href="/releases/qpid-java-6.1.1/index.html">6.1.1</a></p>
+
+<h2 id="description">Description</h2>
+
+<p>Information Leakage.</p>
+
+<p>The Qpid Broker for Java can be configured to use different so called
+AuthenticationProviders to handle user authentication. Among the
+choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider
+types.</p>
+
+<p>It was discovered that these AuthenticationProviders prematurely
+terminate the SCRAM SASL negotiation if the provided user name does
+not exist thus allowing remote attacker to determine the existence of
+user accounts.</p>
+
+<p>The Vulnerability does not apply to AuthenticationProviders other than
+SCRAM-SHA-1 and SCRAM-SHA-256.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>Users should upgrade the Qpid Broker for Java to version 6.0.6,
+6.1.1, or later (recommended).</p>
+
+<p>If upgrading is not possible, the vulnerability can be mitigated by
+using an AuthenticationProvider other than SCRAM-SHA-1 and
+SCRAM-SHA-256.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
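Review bot: The description says the SCRAM-SHA-1 and SCRAM-SHA-256 providers "prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist", but nothing on the page says what the fixed versions do instead, and the page omits the Resolution section that the template in this commit defines; add a short Resolution so a reader can tell whether the fix removes the observable difference between existing and non-existing users or only the early termination. This page also has no Credit section where the CVE-2016-4974 page has one; add it if the reporter is known, otherwise the template should not require it. Wording in the same hunk: "so called AuthenticationProviders" should be "so-called", "allowing remote attacker" needs an article ("a remote attacker"), and "The Vulnerability does not apply" should use lower-case "vulnerability".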
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/cves/template.html
----------------------------------------------------------------------
diff --git a/content/cves/template.html b/content/cves/template.html
new file mode 100644
index 0000000..31e5664
--- /dev/null
+++ b/content/cves/template.html
@@ -0,0 +1,167 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-YYYY-NNNN - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-YYYY-NNNN</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-yyyy-nnnn">CVE-YYYY-NNNN</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Important
+Moderate
+Low</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<h2 id="description">Description</h2>
+
+<h2 id="resolution">Resolution</h2>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<h2 id="credit">Credit</h2>
+
+<h2 id="references">References</h2>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
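Review bot: The Severity placeholder in this template offers only `Important`, `Moderate` and `Low`, but the Proton table elsewhere in this commit rates CVE-2016-4467 as `Medium`, so the severity vocabulary already disagrees between the template and a published component page; settle on one scale (add Medium here or rename the Proton entry) before more CVE pages are generated from it. Also, `template.html` is added under `content/cves/`, which is the published output tree rather than `input/`, so an empty "CVE-YYYY-NNNN" page will be served next to the real advisories and may be indexed; keep the template out of the generated content unless that is intended. Finally, the template defines a `Resolution` section that neither CVE-2016-4974 nor CVE-2016-8741 in this commit fills in; either populate it on those pages or drop it here so the pages stay uniform.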
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/proton/index.html
----------------------------------------------------------------------
diff --git a/content/proton/index.html b/content/proton/index.html
index 2513ad4..23d001b 100644
--- a/content/proton/index.html
+++ b/content/proton/index.html
@@ -202,6 +202,7 @@ platform, environment, or language. More about
<h2 id="resources">Resources</h2>
<ul>
+<li><a href="security.html">Security</a></li>
<li><a href="submitting-patches.html">Contributing to Proton</a></li>
<li><a href="messenger.html">Proton Messenger</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/proton">Proton wiki pages</a></li>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/proton/security.html
----------------------------------------------------------------------
diff --git a/content/proton/security.html b/content/proton/security.html
index 3a5114d..57adb61 100644
--- a/content/proton/security.html
+++ b/content/proton/security.html
@@ -116,123 +116,36 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
<div id="-middle-content">
<h1 id="security">Security</h1>
-<section>
-
-<h2 id="proton">Proton</h2>
-
<table>
- <thead>
- <tr>
- <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>CVE-2016-4467</td>
- <td>Medium</td>
- <td>0.8 through 0.13.0 (inclusive)</td>
- <td>0.13.1 and later</td>
- <td>Failure to verify that the server host name matches the certificate host name on Windows
- <a id="CVE_2016_4467_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_4467_details', controlId:'CVE_2016_4467_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2016_4467_details">
-
- <p>Messaging applications using the Proton C library to
- provide SSL/TLS authentication on Windows can falsely
- authenticate a server whose name does not match the server
- name in the connection specifier. Proton C bindings are
- affected to a greater or lesser degree depending on how
- they use the underlying Proton C library.</p>
-
- <p>In Proton C, this can only happen if
- PN_SSL_VERIFY_PEER_NAME has been specified as the
- verification mode and pn_ssl_set_peer_hostname() has not
- been called at all or has been called with a NULL value for
- a particular pn_ssl_t object.</p>
-
- <p>In the Proton C++ binding, this will always happen unless
- the application has separately specified a virtual_host name
- for an SSL/TLS connection.</p>
-
- <p>In the Proton Python and Ruby bindings, this will only
- happen if the application has separately specified a NULL
- virtual_host name for an SSL/TLS connection after creating
- the connection but before the authentication step.</p>
-
- <p>This issue only occurs on Windows versions of Proton that
- use the default SChannel-based security layer.</p>
-
- <p>In any of the preceding cases, it is possible for a
- man-in-the-middle attacker to spoof an SSL/TLS server if
- they had a certificate that was valid for any of the
- application's Certificate Authorities.</p>
-
- <p>Resolution: Proton release 0.13.1 resolves this issue in
- the SChannel-based security layer by obtaining a default
- non-NULL peer hostname from the associated connection
- address when initialized and by always failing hostname
- verification if PN_SSL_VERIFY_PEER_NAME has been specified
- along with a NULL peer hostname. This resolution matches
- the associated behaviour of the OpenSSL-based security
- layer.</p>
-
- <p>References: <a
- href="https://issues.apache.org/jira/browse/PROTON-1228">PROTON-1228</a>
- and <a
- href="https://issues.apache.org/jira/browse/PROTON-1233">PROTON-1233</a>.</p>
- </div>
- </td>
- </tr>
- <tr>
- <td>CVE-2016-2166</td>
- <td>Moderate</td>
- <td>0.9 through 0.12.0 (inclusive)</td>
- <td>0.12.1 and later</td>
- <td>
- Python bindings silently ignore request for amqps if SSL/TLS not supported. <a id="CVE_2016_2166_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_2166_details', controlId:'CVE_2016_2166_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2016_2166_details">
- <p>Versions Affected: Apache Qpid Proton python API starting
- at 0.9 up to and including version 0.12.0.</p>
- <p>Description: Messaging applications using the Proton
- Python API to provision an SSL/TLS encrypted TCP connection
- may actually instantiate a non-encrypted connection without
- notice if SSL support is unavailable. This will result in
- all messages being sent in the clear without the knowledge
- of the user.<br/> This issue affects those applications
- that use the Proton Reactor Python API to create SSL/TLS
- connections. Specifically the proton.reactor.Connector,
- proton.reactor.Container, and
- proton.utils.BlockingConnection classes are vulnerable.
- These classes can create an unencrypted connections if the
- "amqps://" URL prefix is used.<br/> The issue only occurs
- if the installed Proton libraries do not support SSL. This
- would be the case if the libraries were built without SSL
- support or the necessary SSL libraries are not present on
- the system (e.g. OpenSSL in the case of *nix).<br/> To
- check whether or not the Python API provides SSL support,
- use the following console command:<br/>python -c "import
- proton; print('%s' % 'SSL present' if proton.SSL.present()
- else 'SSL NOT AVAILBLE')"<br/>In addition, the issue can
- only occur if both ends of the connection connect without
- SSL. This would be the case if the vulnerability is active
- on both ends of the connection, or the non-affected endpoint
- allows cleartext connections.</p>
- <p>Resolution: Proton release 0.12.1 resolves this issue by
- raising an SSLUnavailable exception when SSL is not
- available and a SSL/TLS connection is requested via the
- "amqps://" URL
- prefix.<br/>A <a href="https://issues.apache.org/jira/browse/PROTON-1157">patch</a>
- is also available.</p>
- <p>References: <a href="https://issues.apache.org/jira/browse/PROTON-1157">PROTON-1157</a></p>
- <p>Credit: This issue was discovered by M. Farrellee from Red Hat.</p>
- </div>
- </td>
- </tr>
- </tbody>
+<thead>
+<tr>
+ <th>CVE-ID</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Fixed versions</th>
+ <th>Summary</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+ <td><a href="/cves/CVE-2016-4467.html">CVE-2016-4467</a></td>
+ <td>Medium</td>
+ <td>0.8 through 0.13.0 inclusive</td>
+ <td>0.13.1 and later</td>
+ <td>Failure to verify that the server host name matches the certificate host name on Windows</td>
+</tr>
+<tr>
+ <td><a href="/cves/CVE-2016-2166.html">CVE-2016-2166</a></td>
+ <td>Moderate</td>
+ <td>0.9 through 0.12.0 inclusive</td>
+ <td>0.12.1 and later</td>
+ <td>Python bindings silently ignore request for amqps if SSL/TLS not supported</td>
+</tr>
+</tbody>
</table>
-</section>
-
-<p>See the main <a href="/security.html">Security</a> page for general information and details for other components.</p>
+<p>See the main <a href="/security.html">Security</a> page for general
+information and details for other components.</p>
<hr/>
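Review bot: The removed details block carried content that must survive on the new per-CVE pages, and those pages are not in this hunk, so please confirm nothing was dropped in the move: for CVE-2016-4467 the per-binding breakdown (C, C++, Python, Ruby), the PN_SSL_VERIFY_PEER_NAME / pn_ssl_set_peer_hostname() condition, the SChannel-only scope, the resolution text and the PROTON-1228 and PROTON-1233 references; for CVE-2016-2166 the `proton.SSL.present()` check command, the note that the issue needs both ends to connect without SSL, the patch link, PROTON-1157 and the credit to M. Farrellee. If the check command was carried over verbatim, fix the "SSL NOT AVAILBLE" typo in it at the same time. Separately, the new table keeps `Medium` for CVE-2016-4467 and `Moderate` for CVE-2016-2166 while the template added in this commit offers only Important/Moderate/Low, so one of the two needs aligning.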
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/content/security.html
----------------------------------------------------------------------
diff --git a/content/security.html b/content/security.html
index e25e041..52e7661 100644
--- a/content/security.html
+++ b/content/security.html
@@ -118,7 +118,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
<section>
-<h2 id="security-updates">Security Updates</h2>
+<h2 id="security-updates">Security updates</h2>
<p>Details of security problems fixed in released versions of individual Apache
Qpid components are detailed at:</p>
@@ -129,7 +129,7 @@ Qpid components are detailed at:</p>
<ul>
<li><a href="/components/java-broker/security.html">Broker for Java</a></li>
-<li><a href="/components/cpp-broker/security.html">C++ Broker</a></li>
+<li><a href="/components/cpp-broker/security.html">C++ broker</a></li>
</ul>
</section>
@@ -137,8 +137,7 @@ Qpid components are detailed at:</p>
<section>
<ul>
-<li><a href="/components/jms/security.html">JMS Client (AMQP 1.0)</a></li>
-<li><a href="/components/jms/security-0-x.html">JMS Client (AMQP 0.x)</a></li>
+<li><a href="/components/jms/security.html">JMS client</a></li>
<li><a href="/proton/security.html">Proton</a></li>
</ul>
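Review bot: This hunk drops the link to `/components/jms/security-0-x.html` ("JMS Client (AMQP 0.x)") with no corresponding change to that page in the diff; if the 0.x client's advisories were merged into `/components/jms/security.html` that is fine, but otherwise they become unreachable from the main Security page, so either keep the link or confirm the 0.x entries were moved.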
@@ -150,7 +149,7 @@ Qpid components are detailed at:</p>
<section>
-<h2 id="reporting-new-security-problems-with-apache-qpid">Reporting New Security Problems with Apache Qpid</h2>
+<h2 id="reporting-new-security-problems-with-apache-qpid">Reporting new security problems with Apache Qpid</h2>
<p>We take a very active stance in eliminating security problems and
denial of service attacks against Apache Qpid.</p>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/cpp-broker/index.md
----------------------------------------------------------------------
diff --git a/input/components/cpp-broker/index.md b/input/components/cpp-broker/index.md
index c0bbd7d..78bab7d 100644
--- a/input/components/cpp-broker/index.md
+++ b/input/components/cpp-broker/index.md
@@ -90,6 +90,7 @@ that stores, routes, and forwards messages using AMQP.
## Resources
+ - [Security](security.html)
- [Qpid extensions to AMQP](https://cwiki.apache.org/confluence/display/qpid/qpid+extensions+to+amqp)
</div>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/cpp-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/cpp-broker/security.md b/input/components/cpp-broker/security.md
index c705fb5..cfa9d3b 100644
--- a/input/components/cpp-broker/security.md
+++ b/input/components/cpp-broker/security.md
@@ -19,173 +19,12 @@
# Security
-<section markdown="1">
-
-## C++ Broker
-
-<table>
- <thead>
- <tr>
- <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>CVE-2015-0224</td>
- <td>Moderate</td>
- <td>0.30 and earlier</td>
- <td>0.32 and later</td>
- <td>qpidd can be crashed by unauthenticated user
- <a id="CVE_2015_0224_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0224_details', controlId:'CVE_2015_0224_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2015_0224_details">
- <p>Description: In CVE-2015-0203 it was announced that
- certain unexpected protocol sequences cause the broker
- process to crash due to insufficient checking, but that
- authentication could be used to restrict the exploitation
- of this vulnerability.<br/> It has now been discovered
- that in fact failing authentication does not necessarily
- prevent exploitation of those reported
- vulnerabilities.<br/> Further, it was stated that one of
- the specific vulnerabilities was that the qpidd broker can
- be crashed by sending it a sequence-set containing an
- invalid range, where the start of the range is after the
- end. This was an incorrect analysis of the vulnerability,
- which is in fact caused by a sequence-set containing a
- single range expressing the maximum possible gap.</p>
-
- <p>Solution: A further patch is available that handles a
- range expressing the maximum possible gap without assertion
- (<a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a>). The
- fix will be included in subsequent releases, but can be
- applied to 0.30 if desired.</p>
-
- <p>Credit: This issue was discovered by G. Geshev from MWR
- Labs</p>
- </div>
- </td>
- </tr>
-
- <tr>
- <td>CVE-2015-0223</td>
- <td>Moderate</td>
- <td>0.30 and earlier</td>
- <td>0.32 and later</td>
- <td>anonymous access to qpidd cannot be prevented
- <a id="CVE_2015_0223_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0223_details', controlId:'CVE_2015_0223_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2015_0223_details">
- <p>Description: An attacker can gain access to qpidd as an
- anonymous user, even if the ANONYMOUS mechanism is
- disallowed.</p>
-
- <p>Solution: A patch is available
- (<a href="https://issues.apache.org/jira/browse/QPID-6325">QPID-6325</a>)
- that addresses this vulnerability. The fix will be included
- in subsequent releases, but can be applied to 0.30 if
- desired.</p>
-
- <p>Common Vulnerability Score information: Authorization can
- be used to restrict access to broker entities such as queue
- and exchanges.</p>
-
- <p>Credit: This issue was discovered by G. Geshev from MWR
- Labs</p>
- </div>
- </td>
- </tr>
-
- <tr>
- <td>CVE-2015-0203</td>
- <td>Moderate</td>
- <td>0.30 and earlier</td>
- <td>0.32 and later</td>
- <td>qpidd can be crashed by authenticated user
- <a id="CVE_2015_0203_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2015_0203_details', controlId:'CVE_2015_0203_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2015_0203_details">
- <p>Description: Certain unexpected protocol sequences cause
- the broker process to crash due to insufficient
- checking. Three distinct cases were identified as follows:<br/>
- The AMQP 0-10 protocol defines a sequence set containing
- id ranges. The qpidd broker can be crashed by sending it a
- sequence-set containing an invalid range, where the start of
- the range is after the end. This condition causes an
- assertion, which causes the broker process to exit.<br/>
- The AMQP 0-10 protocol defines header- and body- segments
- that may follow certain commands. The only command for which
- such segments are expected by qpidd is the message-transfer
- command. If another command is sent that includes header
- and/or body segments, this will cause a segmentation fault
- in the broker process, causing it then to exit.<br/>
- The AMQP 0-10 protocol defines a session-gap control that
- can be sent on any established session. The qpidd broker
- does not support this control and responds with an
- appropriate error if requested on an established
- session. However, if the control is sent before the session
- is opened, the brokers handling causes an assertion which
- results in the broker process exiting.</p>
-
- <p>Solution: A patch is available
- (<a href="https://issues.apache.org/jira/browse/QPID-6310">QPID-6310</a>)
- that handles all these errors by sending an exception
- control to the remote peer and leave the broker available to
- all other users. The fix will be included in subsequent
- releases, but can be applied to 0.30 if desired.</p>
-
- <p>Common Vulnerability Score information: Authentication
- can be used to restrict access to the broker. However any
- authenticated user would be able to trigger this condition
- which could therefore be considered a form of denial of
- service.</p>
-
- <p>Credit: This issue was discovered by G. Geshev from MWR
- Labs</p>
- </div>
- </td>
- </tr>
-
- <tr>
- <td>CVE-2014-3629</td>
- <td>Low</td>
- <td>0.30 and earlier</td>
- <td>0.32 and later</td>
- <td>qpidd can be induced to make http requests
- <a id="CVE_2014_3629_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2014_3629_details', controlId:'CVE_2014_3629_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2014_3629_details">
- <p>Description: The XML exchange type is an optional,
- dynamically loaded module for qpidd that allows creation of
- exchanges that route messages based on evaluating an xquery
- expression against them.<br/>On parsing a message sent to an
- XML exchange, whose body is XML containing a link to a DTD,
- the broker process will attempt to retrieve the referenced
- resource(s). I.e. the broker process may be induced to make
- outgoing HTTP connections by publishing a message containing
- links to an XML exchange.</p>
-
- <p>Solution:
- A <a href="https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch">patch</a>
- is available that prevents any retrieval of external
- entities referenced in the XML. This will be included in
- subsequent releases, but can be applied to 0.30 if
- desired.</p>
-
- <p>Common Vulnerability Score information: If the XML
- exchange functionality is not required, the module in
- question need not be loaded at all. This can be done either
- by moving the module - named xml.so - out of the module
- directory, or by setting the --no-module-dir option and
- adding an explicit --load-module argument for every required
- module.<br/>Where the XML exchange functionality is
- required, authorisation may be enabled to prevent all but
- trusted users from creating or publishing to xml
- exchanges.</p>
-
- <p>Credit: This issue was discovered by G. Geshev from MWR
- Labs</p>
- </div>
- </td>
- </tr>
- </tbody>
-</table>
-
-</section>
-
-See the main [Security]({{site_url}}/security.html) page for general information and details for other components.
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
+| ------ | -------- | ----------------- | -------------- | ------- |
+| [CVE-2015-0224]({{site_url}}/cves/CVE-2015-0224.html) | Moderate | 0.30 and earlier | 0.32 and later | Qpidd can be crashed by an unauthenticated user |
+| [CVE-2015-0223]({{site_url}}/cves/CVE-2015-0223.html) | Moderate | 0.30 and earlier | 0.32 and later | Anonymous access to qpidd cannot be prevented |
+| [CVE-2015-0203]({{site_url}}/cves/CVE-2015-0203.html) | Moderate | 0.30 and earlier | 0.32 and later | Qpidd can be crashed by an authenticated user |
+| [CVE-2014-3629]({{site_url}}/cves/CVE-2014-3629.html) | Low | 0.30 and earlier | 0.32 and later | Qpidd can be induced to make HTTP requests |
+
+See the main [Security]({{site_url}}/security.html) page for general
+information and details for other components.
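Review bot: the one-line summaries drop a dependency the removed rows recorded: the CVE-2015-0224 details said a further QPID-6310 patch is needed on top of the one announced for CVE-2015-0203, and that the 0203 analysis of the sequence-set case ("the start of the range is after the end") was wrong. A reader who picks only the CVE-2015-0203 entry from this table now has no way to learn that. Suggest either a short cross-reference in the 0203 summary, e.g. "Qpidd can be crashed by an authenticated user (see also CVE-2015-0224)", or making sure the two per-CVE pages link to each other.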
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/java-broker/index.md
----------------------------------------------------------------------
diff --git a/input/components/java-broker/index.md b/input/components/java-broker/index.md
index 53447cc..5ad92ae 100644
--- a/input/components/java-broker/index.md
+++ b/input/components/java-broker/index.md
@@ -86,6 +86,7 @@ that stores, routes, and forwards messages using AMQP.
## Resources
+ - [Security](security.html)
- [FAQ](https://cwiki.apache.org/confluence/display/qpid/qpid+java+faq)
- [Design documents](https://cwiki.apache.org/confluence/display/qpid/java+broker+design)
- [Qpid extensions to AMQP](https://cwiki.apache.org/confluence/display/qpid/qpid+extensions+to+amqp)
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/java-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/java-broker/security.md b/input/components/java-broker/security.md
index 776e4db..e34759b 100644
--- a/input/components/java-broker/security.md
+++ b/input/components/java-broker/security.md
@@ -19,130 +19,11 @@
# Security
-<section markdown="1">
-
-## Broker for Java
-
-<table>
- <thead>
- <tr>
- <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>CVE-2016-4432</td>
- <td>Important</td>
- <td>6.0.2 and earlier</td>
- <td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td>
- <td>
- Authentication Bypass. <a id="CVE_2016_4432_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_4432_details', controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2016_4432_details">
- <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.2 and
- earlier</p>
- <p>Description: The code responsible for handling incoming
- AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw
- that allows authentication to be bypassed. An remote
- attacker can exploit this vulnerability to perform actions,
- without the need to specify valid credentials. For
- instance, unauthorised messages could be injected or
- messages stolen.<br/>The vulnerability cannot be exploited
- if the Access Control List (ACL) feature is enabled AND
- access to all virtual hosts controlled.<br/>The
- vulnerability does not apply to the Broker's AMQP 1.0
- support.<br/>The vulnerability does not apply if the Broker
- is configured to require SSL client authentication for all
- messaging connections.</p>
- <p>Resolution: Users should upgrade the Apache Qpid Broker for Java to
- version 6.0.3 or later (recommended).</p>
- <p>Mitigation: If upgrading is not possible, the
- vulnerability can be mitigated using an ACL file containing
- "ACCESS VIRTUALHOST" clauses that white-lists user access to
- all virtualhosts.<br/>If AMQP 0-8, 0-9, 0-91, and 0-10
- support is not required, the vulnerability can also be
- mitigated by turning off these protocols at the Port
- level.</p>
- <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7257">QPID-7257</a></p>
- </div>
- </td>
- </tr>
-
- <tr>
- <td>CVE-2016-3094</td>
- <td>Important</td>
- <td>6.0.0, 6.0.1, 6.0.2</td>
- <td><a href="{{site_url}}/releases/qpid-java-6.0.3/">6.0.3</a></td>
- <td>
- Denial of Service.
- <a id="CVE_2016_3094_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_3094_details', controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE_2016_3094_details">
- <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.0,
- 6.0.1, and 6.0.2</p>
- <p>Description: A malformed authentication attempt may cause
- the broker to terminate. The Apache Qpid Broker for Java supports a
- number of configurable authentication providers each
- supporting various SASL mechanisms. Some mechanisms need (or
- can be configured to accept) plain-text passwords being sent
- to the Broker (using the SASL "PLAIN" mechanism). Where the
- broker has been configured to allow plain-text passwords for
- authentication it is possible for a client to send a
- malformed authentication attempt which will lead the broker
- to terminate due to an uncaught Exception.<br/> Brokers
- configured to use authentication from the
- "PlainPasswordFile", "SimpleLDAP", or
- "Base64MD5PasswordFile" providers are vulnerable if the
- "PLAIN" mechanism is enabled (by default "PLAIN" will be
- disabled on non-TLS ports, but enabled on TLS
- connections).</p>
- <p>Mitigation: Users should upgrade their Apache Qpid Broker for Java
- to version 6.0.3 or later. If this is not possible, users
- can disable the PLAIN mechanism for their authentication
- manager on versions 0.32 and later by adding "PLAIN" to the
- list of disabledMechanisms on their authentication provider
- object.<br/>Note that the SimpleLDAP authentication provider
- requires PLAIN and so this work around does not apply
- there.</p>
- <p>Credit: This issue was discovered by Alex Szczuczko of
- Red Hat, Inc.</p>
- <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7271">QPID-7271</a></p>
- </div>
- </td>
- </tr>
- <tr>
- <td>CVE-2016-8741</td>
- <td>Moderate</td>
- <td>6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</td>
- <td><a href="{{site_url}}/releases/qpid-java-6.0.6/">6.0.6</a>, <a href="{{site_url}}/releases/qpid-java-6.1.1/">6.1.1</a></td>
- <td>
- Information Leakage.
- <a id="CVE-2016-8741_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-8741_details', controlId:'CVE-2016-8741_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE-2016-8741_details">
- <p>Versions Affected: Apache Qpid Broker for Java versions 6.0.1,
- 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0</p>
- <p>Description: The Qpid Broker for Java can be configured to use different so
- called AuthenticationProviders to handle user authentication.<br/>
- Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256
- AuthenticationProvider types.
-
- It was discovered that these AuthenticationProviders prematurely
- terminate the SCRAM SASL negotiation if the provided user name
- does not exist thus allowing remote attacker to determine the
- existence of user accounts.<br/>
-
- The Vulnerability does not apply to AuthenticationProviders other
- than SCRAM-SHA-1 and SCRAM-SHA-256.</p>
- <p>Mitigation: Users should upgrade the Qpid Broker for Java to version 6.0.6,
- 6.1.1, or later (recommended).
- If upgrading is not possible, the vulnerability can be mitigated
- by using an AuthenticationProvider other than SCRAM-SHA-1 and
- SCRAM-SHA-256. </p>
- <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7599">QPID-7599</a></p>
- </div>
- </td>
- </tr>
- </tbody>
-</table>
-
-</section>
-
-See the main [Security]({{site_url}}/security.html) page for general information and details for other components.
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
+| ------ | -------- | ----------------- | -------------- | ------- |
+| [CVE-2016-3094]({{site_url}}/cves/CVE-2016-3094.html) | Important | 6.0.0, 6.0.1, and 6.0.2 | 6.0.3 | Denial of service |
+| [CVE-2016-4432]({{site_url}}/cves/CVE-2016-4432.html) | Important | 6.0.2 and earlier | 6.0.3 | Authentication bypass |
+| [CVE-2016-8741]({{site_url}}/cves/CVE-2016-8741.html) | Moderate | 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0 | 6.0.6, 6.1.1 | Information leakage |
+
+See the main [security]({{site_url}}/security.html) page for general
+information and details for other components.
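Review bot: the closing sentence is the only one in this commit that lowercases the link text ("+See the main [security]({{site_url}}/security.html) page for general"); the Proton, C++ broker and JMS pages keep "[Security]", so pick one. Separately, the removed rows linked the fixed versions to their release pages ({{site_url}}/releases/qpid-java-6.0.3/ and 6.0.6, 6.1.1) while the new table shows plain "6.0.3" and "6.0.6, 6.1.1"; the new CVE-2016-3094 and CVE-2016-4432 pages do keep the release link for 6.0.3, so either restore the links here or drop them there, but be consistent across the two pages.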
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/jms/amqp-0-x.md
----------------------------------------------------------------------
diff --git a/input/components/jms/amqp-0-x.md b/input/components/jms/amqp-0-x.md
index f31bc1c..74f271f 100644
--- a/input/components/jms/amqp-0-x.md
+++ b/input/components/jms/amqp-0-x.md
@@ -40,3 +40,7 @@ The client is also available [via Maven]({{site_url}}/maven.html).
- [Browse via GitHub](https://github.com/apache/qpid-jms-amqp-0-x)
- [Git clone URL](https://git-wip-us.apache.org/repos/asf/qpid-jms-amqp-0-x.git)
+
+## Resources
+
+ - [Security](security.html)
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/jms/index.md
----------------------------------------------------------------------
diff --git a/input/components/jms/index.md b/input/components/jms/index.md
index 494be4a..6df665f 100644
--- a/input/components/jms/index.md
+++ b/input/components/jms/index.md
@@ -80,6 +80,7 @@ For details about the AMQP 0-x JMS client, look [here](amqp-0-x.html).
## Resources
+ - [Security](security.html)
- [AMQP 0-x JMS Client](amqp-0-x.html)
</div>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/jms/security-0-x.md
----------------------------------------------------------------------
diff --git a/input/components/jms/security-0-x.md b/input/components/jms/security-0-x.md
deleted file mode 100644
index cc491f5..0000000
--- a/input/components/jms/security-0-x.md
+++ /dev/null
@@ -1,72 +0,0 @@
-;;
-;; Licensed to the Apache Software Foundation (ASF) under one
-;; or more contributor license agreements. See the NOTICE file
-;; distributed with this work for additional information
-;; regarding copyright ownership. The ASF licenses this file
-;; to you under the Apache License, Version 2.0 (the
-;; "License"); you may not use this file except in compliance
-;; with the License. You may obtain a copy of the License at
-;;
-;; http://www.apache.org/licenses/LICENSE-2.0
-;;
-;; Unless required by applicable law or agreed to in writing,
-;; software distributed under the License is distributed on an
-;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-;; KIND, either express or implied. See the License for the
-;; specific language governing permissions and limitations
-;; under the License.
-;;
-
-# Security
-
-<section markdown="1">
-
-## AMQP 0-x JMS Client (AMQP 0-8, 0-9, 0-9-1, 0-10)
-
-<table>
- <thead>
- <tr>
- <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>CVE-2016-4974</td>
- <td>Moderate</td>
- <td>6.0.3 and earlier</td>
- <td>6.0.4 and later</a></td>
- <td>
- Deserialization of untrusted input while using JMS ObjectMessage. <a id="CVE-2016-4974_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-4974_details', controlId:'CVE-2016-4974_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE-2016-4974_details">
- <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are
- subject to the behaviour of any object deserialization during the process
- of constructing the body to return. Unless the application has taken outside
- steps to limit the deserialization process, they can't protect against
- input that might try to make undesired use of classes available on the
- application classpath that might be vulnerable to exploitation.
- In order to exploit this vulnerability, an attacker would need
- to be able to inject a suitably crafted AMQP message containing the
- malicious JMS Object Message into the AMQP message network. For this,
- the attacker would require valid authentication credentials and
- suitable authorisation.</p>
-
- <p> Mitigation: Users using ObjectMessage can upgrade to Qpid
- AMQP 0-x JMS client 6.0.4 or or later, and use the new
- configuration options to whitelist trusted content permitted for
- deserialization. When so configured, attempts to deserialize input
- containing other content will be prevented. Alternatively, users of older
- client releases may utilise other means such as agent-based approaches to help
- govern content permitted for deserialization in their application.</p>
-
- <p> Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com)</p>
-
- <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7323">QPID-7323</a></p>
- </div>
- </td>
- </tr>
- </tbody>
-</table>
-
-</section>
-
-See the main [Security]({{site_url}}/security.html) page for general information and details for other components.
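Review bot: deleting this page removes the only record of the AMQP 0-x client's own affected and fixed versions for CVE-2016-4974 ("6.0.3 and earlier" / "6.0.4 and later") and of its JIRA reference QPID-7323, which differ from the AMQP 1.0 client's (0.9.0 / 0.10.0, QPIDJMS-188). The replacement row added to jms/security.md in this same commit copies the 1.0 client's numbers, so unless the new shared CVE-2016-4974 page states both version ranges and both references, the 0-x information is lost with this file.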
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/components/jms/security.md
----------------------------------------------------------------------
diff --git a/input/components/jms/security.md b/input/components/jms/security.md
index d201737..aea2c25 100644
--- a/input/components/jms/security.md
+++ b/input/components/jms/security.md
@@ -19,54 +19,17 @@
# Security
-<section markdown="1">
+## AMQP 1.0 JMS
-## JMS Client (AMQP 1.0)
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
+| ------ | -------- | ----------------- | -------------- | ------- |
+| [CVE-2016-4974]({{site_url}}/cves/CVE-2016-4974.html) | Moderate | 0.9.0 and earlier | 0.10.0 and later | Deserialization of untrusted input while using JMS ObjectMessage |
-<table>
- <thead>
- <tr>
- <th>CVE-ID</th><th>Severity</th><th>Affected Versions</th><th>Fixed in Versions</th><th>Description</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>CVE-2016-4974</td>
- <td>Moderate</td>
- <td>0.9.0 and earlier</td>
- <td>0.10.0 and later</a></td>
- <td>
- Deserialization of untrusted input while using JMS ObjectMessage. <a id="CVE-2016-4974_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-4974_details', controlId:'CVE-2016-4974_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
- <div style="display:none;" id="CVE-2016-4974_details">
- <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are
- subject to the behaviour of any object deserialization during the process
- of constructing the body to return. Unless the application has taken outside
- steps to limit the deserialization process, they can't protect against
- input that might try to make undesired use of classes available on the
- application classpath that might be vulnerable to exploitation.
- In order to exploit this vulnerability, an attacker would need
- to be able to inject a suitably crafted AMQP message containing the
- malicious JMS Object Message into the AMQP message network. For this,
- the attacker would require valid authentication credentials and
- suitable authorisation.</p>
+## AMQP 0-x JMS (AMQP 0-8, 0-9, 0-9-1, 0-10)
- <p> Mitigation: Users using ObjectMessage can upgrade to
- Qpid JMS client 0.10.0 or later, and use the new
- configuration options to whitelist trusted content permitted for
- deserialization. When so configured, attempts to deserialize input
- containing other content will be prevented. Alternatively, users of older
- client releases may utilise other means such as agent-based approaches to help
- govern content permitted for deserialization in their application.</p>
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
+| ------ | -------- | ----------------- | -------------- | ------- |
+| [CVE-2016-4974]({{site_url}}/cves/CVE-2016-4974.html) | Moderate | 0.9.0 and earlier | 0.10.0 and later | Deserialization of untrusted input while using JMS ObjectMessage |
- <p> Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com)</p>
-
- <p>References: <a href="https://issues.apache.org/jira/browse/QPIDJMS-188">QPIDJMS-188</a></p>
- </div>
- </td>
- </tr>
- </tbody>
-</table>
-
-</section>
-
-See the main [Security]({{site_url}}/security.html) page for general information and details for other components.
+See the main [Security]({{site_url}}/security.html) page for general
+information and details for other components.
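Review bot: the AMQP 0-x JMS row at the end of this hunk is a verbatim copy of the AMQP 1.0 row, including its versions: "| [CVE-2016-4974](...) | Moderate | 0.9.0 and earlier | 0.10.0 and later | ...". The deleted security-0-x.md gave "6.0.3 and earlier" / "6.0.4 and later" for the 0-x client (and QPID-7323 rather than QPIDJMS-188 as the reference). As written, a user of the 0-x client on 6.0.x would read this table as saying they are not affected. Correct the versions, and since both sections link to the same CVE-2016-4974.html, that page needs to list the two clients' ranges separately.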
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2014-3629.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2014-3629.md b/input/cves/CVE-2014-3629.md
new file mode 100644
index 0000000..a245dfe
--- /dev/null
+++ b/input/cves/CVE-2014-3629.md
@@ -0,0 +1,53 @@
+# CVE-2014-3629
+
+## Severity
+
+Low
+
+## Affected components
+
+Qpid C++ broker
+
+## Affected versions
+
+0.30 and earlier
+
+## Fixed versions
+
+0.32 and later
+
+## Description
+
+Qpidd can be induced to make http requests.
+
+The XML exchange type is an optional, dynamically loaded module for
+qpidd that allows creation of exchanges that route messages based on
+evaluating an xquery expression against them.
+
+On parsing a message sent to an XML exchange, whose body is XML
+containing a link to a DTD, the broker process will attempt to
+retrieve the referenced resource(s). I.e. the broker process may be
+induced to make outgoing HTTP connections by publishing a message
+containing links to an XML exchange.
+
+## Resolution
+
+A patch is available that prevents any retrieval of external entities
+referenced in the XML. This will be included in subsequent releases,
+but can be applied to 0.30 if desired.
+
+## Mitigation
+
+If the XML exchange functionality is not required, the module in
+question need not be loaded at all. This can be done either by moving
+the module - named xml.so - out of the module directory, or by setting
+the --no-module-dir option and adding an explicit --load-module
+argument for every required module.
+
+Where the XML exchange functionality is required, authorisation may be
+enabled to prevent all but trusted users from creating or publishing
+to xml exchanges.
+
+## Credit
+
+This issue was discovered by G. Geshev from MWR Labs.
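Review bot: the Resolution says "+A patch is available that prevents any retrieval of external entities" but, unlike the removed table row, no longer links the patch (the old text linked https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch), and this is the only new CVE page in the commit without a "## References" section. Add QPID-6218 under References as the other pages do. Minor: "Qpidd can be induced to make http requests." should read "HTTP requests", matching the summary table.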
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2015-0203.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2015-0203.md b/input/cves/CVE-2015-0203.md
new file mode 100644
index 0000000..e9d9eb3
--- /dev/null
+++ b/input/cves/CVE-2015-0203.md
@@ -0,0 +1,64 @@
+# CVE-2015-0203
+
+## Severity
+
+Moderate
+
+## Affected components
+
+Qpid C++ broker
+
+## Affected versions
+
+0.30 and earlier
+
+## Fixed versions
+
+0.32 and later
+
+## Description
+
+Qpidd can be crashed by an authenticated user.
+
+Certain unexpected protocol sequences cause the broker process to
+crash due to insufficient checking. Three distinct cases were
+identified as follows:
+
+ - The AMQP 0-10 protocol defines a sequence set containing id
+ ranges. The qpidd broker can be crashed by sending it a
+ sequence-set containing an invalid range, where the start of the
+ range is after the end. This condition causes an assertion, which
+ causes the broker process to exit.
+
+ - The AMQP 0-10 protocol defines header- and body- segments that may
+ follow certain commands. The only command for which such segments
+ are expected by qpidd is the message-transfer command. If another
+ command is sent that includes header and/or body segments, this
+ will cause a segmentation fault in the broker process, causing it
+ then to exit.
+
+ - The AMQP 0-10 protocol defines a session-gap control that can be
+ sent on any established session. The qpidd broker does not support
+ this control and responds with an appropriate error if requested on
+ an established session. However, if the control is sent before the
+ session is opened, the brokers handling causes an assertion which
+ results in the broker process exiting.
+
+Authentication can be used to restrict access to the broker. However
+any authenticated user would be able to trigger this condition which
+could therefore be considered a form of denial of service.
+
+## Resolution
+
+A patch is available (QPID-6310) that handles all these errors by
+sending an exception control to the remote peer and leave the broker
+available to all other users. The fix will be included in subsequent
+releases, but can be applied to 0.30 if desired.
+
+## Credit
+
+This issue was discovered by G. Geshev from MWR Labs.
+
+## References
+
+[QPID-6310](https://issues.apache.org/jira/browse/QPID-6310)
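Review bot: the first bullet of the Description repeats the analysis that the new CVE-2015-0224 page in this same commit calls incorrect ("sequence-set containing an invalid range, where the start of the range is after the end" versus "a single range expressing the maximum possible gap"). Since this page is being written fresh, add a one-line note with a link to CVE-2015-0224 so readers get the corrected analysis and learn that a further patch is required. Two smaller points: the "Authentication can be used to restrict access" paragraph sits under Description here, whereas CVE-2015-0223 puts its equivalent text under "## Mitigation"; and two typos carried over from the old HTML, "the brokers handling" (broker's) and "leave the broker available" (leaves).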
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2015-0223.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2015-0223.md b/input/cves/CVE-2015-0223.md
new file mode 100644
index 0000000..fb8b442
--- /dev/null
+++ b/input/cves/CVE-2015-0223.md
@@ -0,0 +1,43 @@
+# CVE-2015-0233
+
+## Severity
+
+Moderate
+
+## Affected components
+
+Qpid C++ broker
+
+## Affected versions
+
+0.30 and earlier
+
+## Fixed versions
+
+0.32 and later
+
+## Description
+
+Anonymous access to qpidd cannot be prevented.
+
+An attacker can gain access to qpidd as an anonymous user, even if the
+ANONYMOUS mechanism is disallowed.
+
+## Resolution
+
+A patch is available (QPID-6325) that addresses this
+vulnerability. The fix will be included in subsequent releases, but
+can be applied to 0.30 if desired.
+
+## Mitigation
+
+Authorization can be used to restrict access to broker entities such
+as queue and exchanges.
+
+## Credit
+
+This issue was discovered by G. Geshev from MWR Labs.
+
+## References
+
+[QPID-6325](https://issues.apache.org/jira/browse/QPID-6325)
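Review bot: the page heading at the top of this hunk is "+# CVE-2015-0233", but the file is CVE-2015-0223.md, the component table links to CVE-2015-0223.html, and the JIRA reference is for CVE-2015-0223; fix the heading, since it is what the rendered page will display. Minor: "broker entities such as queue and exchanges" should be "queues and exchanges".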
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2015-0224.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2015-0224.md b/input/cves/CVE-2015-0224.md
new file mode 100644
index 0000000..fd5f06a
--- /dev/null
+++ b/input/cves/CVE-2015-0224.md
@@ -0,0 +1,52 @@
+# CVE-2015-0224
+
+## Severity
+
+Moderate
+
+## Affected components
+
+Qpid C++ broker
+
+## Affected versions
+
+0.30 and earlier
+
+## Fixed versions
+
+0.32 and later
+
+## Description
+
+Qpidd can be crashed by unauthenticated user.
+
+In CVE-2015-0203 it was announced that certain unexpected protocol
+sequences cause the broker process to crash due to insufficient
+checking, but that authentication could be used to restrict the
+exploitation of this vulnerability.
+
+It has now been discovered that in fact failing authentication does
+not necessarily prevent exploitation of those reported
+vulnerabilities.
+
+Further, it was stated that one of the specific vulnerabilities was
+that the qpidd broker can be crashed by sending it a sequence-set
+containing an invalid range, where the start of the range is after the
+end. This was an incorrect analysis of the vulnerability, which is in
+fact caused by a sequence-set containing a single range expressing the
+maximum possible gap.
+
+## Resolution
+
+A further patch is available that handles a range expressing the
+maximum possible gap without assertion (QPID-6310). The fix will be
+included in subsequent releases, but can be applied to 0.30 if
+desired.
+
+## Credit
+
+This issue was discovered by G. Geshev from MWR Labs.
+
+## References
+
+[QPID-6310](https://issues.apache.org/jira/browse/QPID-6310)
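Review bot: the first description line reads "+Qpidd can be crashed by unauthenticated user." while the table row added in this commit says "an unauthenticated user"; add the article. The mention of CVE-2015-0203 in the description is plain text; link it to {{site_url}}/cves/CVE-2015-0203.html the way the component tables link CVE pages, since this page corrects that one and shares its JIRA reference.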
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-2166.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2016-2166.md b/input/cves/CVE-2016-2166.md
new file mode 100644
index 0000000..5c68c91
--- /dev/null
+++ b/input/cves/CVE-2016-2166.md
@@ -0,0 +1,66 @@
+# CVE-2016-2166
+
+## Severity
+
+Moderate
+
+## Affected components
+
+Qpid Proton
+
+## Affected versions
+
+0.9 through 0.12.0 inclusive
+
+## Fixed versions
+
+0.12.1 and later
+
+## Description
+
+Python bindings silently ignore request for amqps if SSL/TLS not
+supported.
+
+Messaging applications using the Proton Python API to provision an
+SSL/TLS encrypted TCP connection may actually instantiate a
+non-encrypted connection without notice if SSL support is
+unavailable. This will result in all messages being sent in the clear
+without the knowledge of the user.
+
+This issue affects those applications that use the Proton Reactor
+Python API to create SSL/TLS connections. Specifically the
+proton.reactor.Connector, proton.reactor.Container, and
+proton.utils.BlockingConnection classes are vulnerable. These classes
+can create an unencrypted connections if the "amqps://" URL prefix is
+used.
+
+The issue only occurs if the installed Proton libraries do not support
+SSL. This would be the case if the libraries were built without SSL
+support or the necessary SSL libraries are not present on the system
+(e.g. OpenSSL in the case of *nix).
+
+To check whether or not the Python API provides SSL support, use the
+following console command:
+
+ python -c "import proton; print('%s' % 'SSL present' if proton.SSL.present() else 'SSL NOT AVAILBLE')"
+
+In addition, the issue can only occur if both ends of the connection
+connect without SSL. This would be the case if the vulnerability is
+active on both ends of the connection, or the non-affected endpoint
+allows cleartext connections.
+
+## Resolution
+
+Proton release 0.12.1 resolves this issue by raising an SSLUnavailable
+exception when SSL is not available and a SSL/TLS connection is
+requested via the "amqps://" URL prefix.
+
+A patch is also available.
+
+## Credit
+
+This issue was discovered by M. Farrellee from Red Hat.
+
+## References
+
+[PROTON-1157](https://issues.apache.org/jira/browse/PROTON-1157)
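Review bot: the check command has a typo in its output and a redundant format expression: "python -c "import proton; print('%s' % 'SSL present' if proton.SSL.present() else 'SSL NOT AVAILBLE')"". Fix "AVAILBLE" and drop the "'%s' %". The Resolution states that 0.12.1 raises SSLUnavailable; it is worth adding that applications should treat that exception as fatal rather than retrying with "amqp://", or the cleartext outcome described above is reproduced in application code. Minor: "can create an unencrypted connections", and "A patch is also available." gives no link, unlike the PROTON-1157 reference below it.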
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-3094.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2016-3094.md b/input/cves/CVE-2016-3094.md
new file mode 100644
index 0000000..fa20122
--- /dev/null
+++ b/input/cves/CVE-2016-3094.md
@@ -0,0 +1,55 @@
+# CVE-2016-3094
+
+## Severity
+
+Important
+
+## Affected components
+
+Broker for Java
+
+## Affected versions
+
+6.0.0, 6.0.1, and 6.0.2
+
+## Fixed versions
+
+[6.0.3]({{site_url}}/releases/qpid-java-6.0.3/index.html)
+
+## Description
+
+Denial of Service.
+
+A malformed authentication attempt may cause the broker to terminate.
+The Apache Qpid Broker for Java supports a number of configurable
+authentication providers each supporting various SASL mechanisms. Some
+mechanisms need (or can be configured to accept) plain-text passwords
+being sent to the Broker (using the SASL "PLAIN" mechanism). Where
+the broker has been configured to allow plain-text passwords for
+authentication it is possible for a client to send a malformed
+authentication attempt which will lead the broker to terminate due to
+an uncaught Exception.
+
+Brokers configured to use authentication from the "PlainPasswordFile",
+"SimpleLDAP", or "Base64MD5PasswordFile" providers are vulnerable if
+the "PLAIN" mechanism is enabled (by default "PLAIN" will be disabled
+on non-TLS ports, but enabled on TLS connections).
+
+## Mitigation
+
+Users should upgrade their Apache Qpid Broker for Java to
+version 6.0.3 or later. If this is not possible, users can disable
+the PLAIN mechanism for their authentication manager on versions 0.32
+and later by adding "PLAIN" to the list of disabledMechanisms on their
+authentication provider object.
+
+Note that the SimpleLDAP authentication provider requires PLAIN and so
+this work around does not apply there.
+
+## Credit
+
+This issue was discovered by Alex Szczuczko of Red Hat, Inc.
+
+## References
+
+[QPID-7271](https://issues.apache.org/jira/browse/QPID-7271)
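Review bot: the Mitigation section mixes version lines in a way that will confuse readers: Affected versions lists 6.0.0 through 6.0.2, but the workaround is described as available `on versions 0.32 and later`, leaving it unclear whether it applies to the affected 6.0.x releases. If, as the sentence implies, the `disabledMechanisms` attribute has existed since 0.32, say so explicitly and state that it therefore covers every affected version; otherwise drop the 0.32 reference. The SimpleLDAP caveat is important enough to sit directly after the sentence describing the workaround rather than in a separate paragraph, and `work around` should be `workaround`. This page also has no Resolution section, unlike the template added in this commit.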
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-4432.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2016-4432.md b/input/cves/CVE-2016-4432.md
new file mode 100644
index 0000000..b67ba8b
--- /dev/null
+++ b/input/cves/CVE-2016-4432.md
@@ -0,0 +1,52 @@
+# CVE-2016-4432
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Broker for Java
+
+## Affected versions
+
+6.0.2 and earlier
+
+## Fixed versions
+
+[6.0.3]({{site_url}}/releases/qpid-java-6.0.3/index.html)
+
+## Description
+
+The code responsible for handling incoming AMQP 0-8, 0-9, 0-91, and
+0-10 connections contains a flaw that allows authentication to be
+bypassed. An remote attacker can exploit this vulnerability to
+perform actions, without the need to specify valid credentials. For
+instance, unauthorised messages could be injected or messages stolen.
+
+The vulnerability cannot be exploited if the Access Control List (ACL)
+feature is enabled AND access to all virtual hosts controlled.
+
+The vulnerability does not apply to the Broker's AMQP 1.0 support.
+
+The vulnerability does not apply if the Broker is configured to
+require SSL client authentication for all messaging connections.
+
+## Resolution
+
+Users should upgrade the Apache Qpid Broker for Java to
+version 6.0.3 or later (recommended).
+
+## Mitigation
+
+If upgrading is not possible, the vulnerability can be mitigated using
+an ACL file containing "ACCESS VIRTUALHOST" clauses that white-lists
+user access to all virtualhosts.
+
+If AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the
+vulnerability can also be mitigated by turning off these protocols at
+the Port level.
+
+## References
+
+[QPID-7257](https://issues.apache.org/jira/browse/QPID-7257)
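Review bot: the Mitigation paragraph understates what the Description requires. The Description says the flaw cannot be exploited only if the ACL feature is enabled AND access to all virtual hosts is controlled, so the mitigation should state both halves: enable the ACL feature and make sure the `ACCESS VIRTUALHOST` rules cover every virtualhost, not merely that an ACL file contains such clauses. The alternative mitigation (disabling AMQP 0-8, 0-9, 0-91 and 0-10 at the Port level) would also benefit from a note that it is only viable where all clients already speak AMQP 1.0, which the Description says is unaffected. Grammar: `An remote attacker` should be `A remote attacker`, and `white-lists` should be `whitelists`.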
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-4467.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2016-4467.md b/input/cves/CVE-2016-4467.md
new file mode 100644
index 0000000..a110b04
--- /dev/null
+++ b/input/cves/CVE-2016-4467.md
@@ -0,0 +1,63 @@
+# CVE-2016-4467
+
+## Severity
+
+Medium
+
+## Affected components
+
+Qpid Proton
+
+## Affected versions
+
+0.8 through 0.13.0 inclusive
+
+## Fixed versions
+
+0.13.1 and later
+
+## Description
+
+Failure to verify that the server host name matches the certificate
+host name on Windows.
+
+Messaging applications using the Proton C library to provide SSL/TLS
+authentication on Windows can falsely authenticate a server whose name
+does not match the server name in the connection specifier. Proton C
+bindings are affected to a greater or lesser degree depending on how
+they use the underlying Proton C library.
+
+In Proton C, this can only happen if PN_SSL_VERIFY_PEER_NAME has been
+specified as the verification mode and pn_ssl_set_peer_hostname() has
+not been called at all or has been called with a NULL value for a
+particular pn_ssl_t object.
+
+In the Proton C++ binding, this will always happen unless the
+application has separately specified a virtual_host name for an
+SSL/TLS connection.
+
+In the Proton Python and Ruby bindings, this will only happen if the
+application has separately specified a NULL virtual_host name for an
+SSL/TLS connection after creating the connection but before the
+authentication step.
+
+This issue only occurs on Windows versions of Proton that use the
+default SChannel-based security layer.
+
+In any of the preceding cases, it is possible for a man-in-the-middle
+attacker to spoof an SSL/TLS server if they had a certificate that was
+valid for any of the application's Certificate Authorities.
+
+## Resolution
+
+Proton release 0.13.1 resolves this issue in the SChannel-based
+security layer by obtaining a default non-NULL peer hostname from the
+associated connection address when initialized and by always failing
+hostname verification if PN_SSL_VERIFY_PEER_NAME has been specified
+along with a NULL peer hostname. This resolution matches the
+associated behaviour of the OpenSSL-based security layer.
+
+## References
+
+[PROTON-1228](https://issues.apache.org/jira/browse/PROTON-1228) and
+[PROTON-1233](https://issues.apache.org/jira/browse/PROTON-1233)
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-4974.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2016-4974.md b/input/cves/CVE-2016-4974.md
new file mode 100644
index 0000000..4230cf0
--- /dev/null
+++ b/input/cves/CVE-2016-4974.md
@@ -0,0 +1,52 @@
+# CVE-2016-4974
+
+## Severity
+
+Moderate
+
+## Affected components
+
+Qpid JMS
+
+## Affected versions
+
+0.9.0 and earlier
+
+## Fixed versions
+
+0.10.0 and later
+
+## Description
+
+Deserialization of untrusted input while using JMS ObjectMessage.
+
+When applications call getObject() on a consumed JMS ObjectMessage
+they are subject to the behaviour of any object deserialization during
+the process of constructing the body to return. Unless the application
+has taken outside steps to limit the deserialization process, they
+can't protect against input that might try to make undesired use of
+classes available on the application classpath that might be
+vulnerable to exploitation. In order to exploit this vulnerability, an
+attacker would need to be able to inject a suitably crafted AMQP
+message containing the malicious JMS Object Message into the AMQP
+message network. For this, the attacker would require valid
+authentication credentials and suitable authorisation.
+
+## Mitigation
+
+Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or
+later, and use the new configuration options to whitelist trusted
+content permitted for deserialization. When so configured, attempts to
+deserialize input containing other content will be
+prevented. Alternatively, users of older client releases may utilise
+other means such as agent-based approaches to help govern content
+permitted for deserialization in their application.
+
+## Credit
+
+This issue was discovered by Matthias Kaiser of Code White
+(www.code-white.com).
+
+## References
+
+[QPIDJMS-188](https://issues.apache.org/jira/browse/QPIDJMS-188)
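Review bot: the Mitigation section tells users to `use the new configuration options to whitelist trusted content` without naming the options or linking to where they are documented; a reader on 0.10.0 cannot apply this without the option names, so add them or a link to the client documentation. The Description alternates between `JMS Object Message` and `ObjectMessage`; use the class name consistently. Minor wording: `Users using ObjectMessage` reads better as `Users of ObjectMessage`.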
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/CVE-2016-8741.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2016-8741.md b/input/cves/CVE-2016-8741.md
new file mode 100644
index 0000000..d1d448e
--- /dev/null
+++ b/input/cves/CVE-2016-8741.md
@@ -0,0 +1,47 @@
+# CVE-2016-8741
+
+## Severity
+
+Moderate
+
+## Affected components
+
+Qpid Broker for Java
+
+## Affected versions
+
+6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.1.0
+
+## Fixed versions
+
+[6.0.6]({{site_url}}/releases/qpid-java-6.0.6/index.html), [6.1.1]({{site_url}}/releases/qpid-java-6.1.1/index.html)
+
+## Description
+
+Information Leakage.
+
+The Qpid Broker for Java can be configured to use different so called
+AuthenticationProviders to handle user authentication. Among the
+choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider
+types.
+
+It was discovered that these AuthenticationProviders prematurely
+terminate the SCRAM SASL negotiation if the provided user name does
+not exist thus allowing remote attacker to determine the existence of
+user accounts.
+
+The Vulnerability does not apply to AuthenticationProviders other than
+SCRAM-SHA-1 and SCRAM-SHA-256.
+
+## Mitigation
+
+Users should upgrade the Qpid Broker for Java to version 6.0.6,
+6.1.1, or later (recommended).
+
+If upgrading is not possible, the vulnerability can be mitigated by
+using an AuthenticationProvider other than SCRAM-SHA-1 and
+SCRAM-SHA-256.
+
+## References
+
+[QPID-7599](https://issues.apache.org/jira/browse/QPID-7599)
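Review bot: the second Mitigation paragraph recommends switching to a non-SCRAM AuthenticationProvider without noting that this trades a username-enumeration weakness for the properties of whatever provider replaces it; since the first paragraph already marks upgrading as recommended, say explicitly that switching providers is a stopgap only. Grammar in the Description: `thus allowing remote attacker` should be `thus allowing a remote attacker`, and `The Vulnerability` should not be capitalised. The page also omits the Credit section that the template provides; if no credit applies, that is fine, but it is the only new CVE page here that is missing it without an obvious reason.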
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/cves/template.md
----------------------------------------------------------------------
diff --git a/input/cves/template.md b/input/cves/template.md
new file mode 100644
index 0000000..682d39c
--- /dev/null
+++ b/input/cves/template.md
@@ -0,0 +1,23 @@
+# CVE-YYYY-NNNN
+
+## Severity
+
+Important
+Moderate
+Low
+
+## Affected components
+
+## Affected versions
+
+## Fixed versions
+
+## Description
+
+## Resolution
+
+## Mitigation
+
+## Credit
+
+## References
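Review bot: the Severity placeholder offers `Important`, `Moderate` and `Low`, but the CVE-2016-4467 page added in this same commit uses `Medium`; either add `Medium` to the template or align that page, otherwise the template will not prevent the inconsistency it appears intended to avoid. It would also help to put an example of the release-link form used on the broker pages under Fixed versions, e.g. `[6.0.3]({{site_url}}/releases/qpid-java-6.0.3/index.html)`, so that new entries link releases the same way.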
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/proton/index.md
----------------------------------------------------------------------
diff --git a/input/proton/index.md b/input/proton/index.md
index d99fcad..920e25f 100644
--- a/input/proton/index.md
+++ b/input/proton/index.md
@@ -88,6 +88,7 @@ platform, environment, or language. More about
## Resources
+ - [Security](security.html)
- [Contributing to Proton](submitting-patches.html)
- [Proton Messenger](messenger.html)
- [Proton wiki pages](https://cwiki.apache.org/confluence/display/qpid/proton)