Posted to users@qpid.apache.org by rammohan ganapavarapu <ra...@gmail.com> on 2015/12/17 00:29:15 UTC

Does CVE-2015-0203 affect 0.28 Java broker?

Hi,

Does CVE-2015-0203 (https://bugzilla.redhat.com/show_bug.cgi?id=1181721)
affect 0.28 Java broker?

Thanks,
Ram

Re: Does CVE-2015-0203 affect 0.28 Java broker?

Posted by rammohan ganapavarapu <ra...@gmail.com>.
Thank you Rob

On Wed, Dec 16, 2015 at 3:50 PM, Rob Godfrey <ro...@gmail.com>
wrote:

> No - the code-bases for Java and C++ are completely distinct, so it
> normally makes no sense to talk about whether a CVE affects both products.
> Each product should be tested separately for security issues.  Looking at
> the details of the particular CVE you referenced, the Java code does not
> use asserts, and invalid protocol sequences will generate exceptions which
> will cause the Connection to be closed, but will not bring down the broker.
>
> -- Rob
>
> On 16 December 2015 at 23:40, rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>
> > Rob,
> >
> > Thank you for the quick reply. Do we have any doc which says the Java broker is
> > unaffected, just in case anyone asks for any documents related to it?
> >
> > Ram
> >
> > On Wed, Dec 16, 2015 at 3:31 PM, Rob Godfrey <ro...@gmail.com>
> > wrote:
> >
> > > As per my previous mail - no, that CVE is specific to the C++ broker. The
> > > Java Broker is unaffected.
> > >
> > > -- Rob
> > >
> > > On 16 December 2015 at 23:29, rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Does CVE-2015-0203 (https://bugzilla.redhat.com/show_bug.cgi?id=1181721)
> > > > affect 0.28 Java broker?
> > > >
> > > > Thanks,
> > > > Ram
> > > >
> > >
> >
>

Re: Does CVE-2015-0203 affect 0.28 Java broker?

Posted by Rob Godfrey <ro...@gmail.com>.
No - the code-bases for Java and C++ are completely distinct, so it
normally makes no sense to talk about whether a CVE affects both products.
Each product should be tested separately for security issues.  Looking at
the details of the particular CVE you referenced, the Java code does not
use asserts, and invalid protocol sequences will generate exceptions which
will cause the Connection to be closed, but will not bring down the broker.

-- Rob

On 16 December 2015 at 23:40, rammohan ganapavarapu <rammohanganap@gmail.com> wrote:

> Rob,
>
> Thank you for the quick reply. Do we have any doc which says the Java broker is
> unaffected, just in case anyone asks for any documents related to it?
>
> Ram
>
> On Wed, Dec 16, 2015 at 3:31 PM, Rob Godfrey <ro...@gmail.com>
> wrote:
>
> > As per my previous mail - no, that CVE is specific to the C++ broker. The
> > Java Broker is unaffected.
> >
> > -- Rob
> >
> > On 16 December 2015 at 23:29, rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > Does CVE-2015-0203 (https://bugzilla.redhat.com/show_bug.cgi?id=1181721)
> > > affect 0.28 Java broker?
> > >
> > > Thanks,
> > > Ram
> > >
> >
>
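
The handling Rob describes above (an invalid protocol sequence closes the offending connection instead of bringing down the broker), sketched in C++ as an added example. It is not Qpid code and not part of this thread; the toy frame types and the class names `Connection`, `Broker` and `ProtocolError` are hypothetical.

```cpp
// Added illustration: toy protocol, not AMQP and not Qpid code.
// All names here are hypothetical.
#include <map>
#include <stdexcept>

enum class Frame { Open, Begin, Transfer, Close };  // constructed frame types
enum class State { Start, Opened, Begun, Closed };

struct ProtocolError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

class Connection {
    State state_ = State::Start;
public:
    // Peer input is untrusted: an out-of-order frame is a runtime error
    // scoped to this connection, never an assert() that aborts the process.
    void handle(Frame f) {
        switch (f) {
        case Frame::Open:
            if (state_ != State::Start) throw ProtocolError("unexpected Open");
            state_ = State::Opened; return;
        case Frame::Begin:
            if (state_ != State::Opened) throw ProtocolError("unexpected Begin");
            state_ = State::Begun; return;
        case Frame::Transfer:
            if (state_ != State::Begun) throw ProtocolError("Transfer before Begin");
            return;
        case Frame::Close:
            state_ = State::Closed; return;
        }
        throw ProtocolError("unknown frame");
    }
};

class Broker {
    std::map<int, Connection> conns_;
public:
    void accept(int id) { conns_.emplace(id, Connection{}); }
    bool connected(int id) const { return conns_.count(id) != 0; }
    // Returns false when the frame was rejected and that connection dropped;
    // every other connection, and the broker itself, keeps running.
    bool deliver(int id, Frame f) {
        auto it = conns_.find(id);
        if (it == conns_.end()) return false;
        try { it->second.handle(f); return true; }
        catch (const ProtocolError&) { conns_.erase(it); return false; }
    }
};
```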

Re: Does CVE-2015-0203 affect 0.28 Java broker?

Posted by rammohan ganapavarapu <ra...@gmail.com>.
Rob,

Thank you for the quick reply. Do we have any doc which says the Java broker is
unaffected, just in case anyone asks for any documents related to it?

Ram

On Wed, Dec 16, 2015 at 3:31 PM, Rob Godfrey <ro...@gmail.com>
wrote:

> As per my previous mail - no, that CVE is specific to the C++ broker. The
> Java Broker is unaffected.
>
> -- Rob
>
> On 16 December 2015 at 23:29, rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>
> > Hi,
> >
> > Does CVE-2015-0203 (https://bugzilla.redhat.com/show_bug.cgi?id=1181721)
> > affect 0.28 Java broker?
> >
> > Thanks,
> > Ram
> >
>

Re: Does CVE-2015-0203 affect 0.28 Java broker?

Posted by Rob Godfrey <ro...@gmail.com>.
As per my previous mail - no, that CVE is specific to the C++ broker. The
Java Broker is unaffected.

-- Rob

On 16 December 2015 at 23:29, rammohan ganapavarapu <rammohanganap@gmail.com> wrote:

> Hi,
>
> Does CVE-2015-0203 (https://bugzilla.redhat.com/show_bug.cgi?id=1181721)
> affect 0.28 Java broker?
>
> Thanks,
> Ram
>