You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by ro...@apache.org on 2018/11/12 10:52:30 UTC
qpid-site git commit: update site content for CVE-2018-17187
Repository: qpid-site
Updated Branches:
refs/heads/asf-site 5404ff5f2 -> badac501e
update site content for CVE-2018-17187
Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/badac501
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/badac501
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/badac501
Branch: refs/heads/asf-site
Commit: badac501e58fcdeccb1ab064806c8815d1749537
Parents: 5404ff5
Author: Robbie Gemmell <ro...@apache.org>
Authored: Mon Nov 12 10:47:13 2018 +0000
Committer: Robbie Gemmell <ro...@apache.org>
Committed: Mon Nov 12 10:47:13 2018 +0000
----------------------------------------------------------------------
content/cves/CVE-2018-17187.html | 201 +++++++++++++++++++
content/proton/index.html | 1 +
content/proton/security-j.html | 169 ++++++++++++++++
.../qpid-proton-j-0.30.0/release-notes.html | 3 +
content/security.html | 1 +
input/cves/CVE-2018-17187.md | 57 ++++++
input/proton/index.md | 1 +
input/proton/security-j.md | 27 +++
.../qpid-proton-j-0.30.0/release-notes.md | 4 +-
input/security.md | 1 +
10 files changed, 464 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/cves/CVE-2018-17187.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2018-17187.html b/content/cves/CVE-2018-17187.html
new file mode 100644
index 0000000..7ceaab4
--- /dev/null
+++ b/content/cves/CVE-2018-17187.html
@@ -0,0 +1,201 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/broker-j/index.html">Broker-J</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2018-17187-transport-tls-wrapper-hostname-verification-mode-not-implemented">CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Important</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Proton-J</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.3 to 0.29.0</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.30.0</p>
+
+<h2 id="description">Description</h2>
+
+<p>The Proton-J transport includes an optional wrapper layer to perform TLS,
+enabled by use of the 'transport.ssl(...)' methods. Unless a verification
+mode was explicitly configured, client and server modes previously defaulted
+as documented to not verifying a peer certificate, with options to
+configure this explicitly or select a certificate verification mode with or
+without hostname verification being performed.</p>
+
+<p>The latter hostname verifying mode was not previously implemented, with
+attempts to use it resulting in an exception. This left only the option to
+verify the certificate is trusted, leaving such a client vulnerable to
+Man In The Middle (MITM) attack.</p>
+
+<p>Uses of the Proton-J protocol engine which do not utilise the optional
+transport TLS wrapper are not impacted, e.g. usage within Qpid JMS.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Uses of Proton-J utilising the optional transport TLS wrapper layer that
+wish to enable hostname verification must be upgraded to version 0.30.0 or
+later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is
+now the default for client mode usage unless configured otherwise.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>If upgrading is not currently possible then potential workarounds include
+providing a custom SSLContext which enables hostname verification, or
+omitting use of the 'transport.ssl(...)' methods and performing TLS through
+other means such as utilising existing IO framework support or supplying a
+custom transport wrapper layer.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/PROTON-1962">PROTON-1962</a></p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was reported by Peter Stockli of Alphabot Security.</p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/proton/index.html
----------------------------------------------------------------------
diff --git a/content/proton/index.html b/content/proton/index.html
index 816ea63..f9696c0 100644
--- a/content/proton/index.html
+++ b/content/proton/index.html
@@ -203,6 +203,7 @@ platform, environment, or language. More about
<ul>
<li><a href="security.html">Security</a></li>
+<li><a href="security-j.html">Security - Proton-J</a></li>
<li><a href="submitting-patches.html">Contributing to Proton</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/proton">Proton wiki pages</a></li>
</ul>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/proton/security-j.html
----------------------------------------------------------------------
diff --git a/content/proton/security-j.html b/content/proton/security-j.html
new file mode 100644
index 0000000..ab4b962
--- /dev/null
+++ b/content/proton/security-j.html
@@ -0,0 +1,169 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>Security - Proton-J - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/broker-j/index.html">Broker-J</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/proton/index.html">Qpid Proton</a></li><li>Security - Proton-J</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="security-proton-j">Security - Proton-J</h1>
+
+<table>
+<thead>
+<tr>
+ <th>CVE-ID</th>
+ <th>Severity</th>
+ <th>Affected versions</th>
+ <th>Fixed versions</th>
+ <th>Summary</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+ <td><a href="/cves/CVE-2018-17187.html">CVE-2018-17187</a></td>
+ <td>Important</td>
+ <td>0.3 to 0.29.0 inclusive</td>
+ <td>0.30.0 and later</td>
+ <td>Transport TLS wrapper hostname verification mode not implemented</td>
+</tr>
+</tbody>
+</table>
+
+<p>See the main <a href="/security.html">Security</a> page for general
+information and details for other components.</p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/releases/qpid-proton-j-0.30.0/release-notes.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-proton-j-0.30.0/release-notes.html b/content/releases/qpid-proton-j-0.30.0/release-notes.html
index f726b18..65fac66 100644
--- a/content/releases/qpid-proton-j-0.30.0/release-notes.html
+++ b/content/releases/qpid-proton-j-0.30.0/release-notes.html
@@ -122,6 +122,8 @@ about <a href="/proton/index.html">Qpid Proton</a>.</p>
<p>For more information about this release, including download links and
documentation, see the <a href="index.html">release overview</a>.</p>
+<p><strong>Note</strong>: This release addresses security issue <a href="/cves/CVE-2018-17187.html">CVE-2018-17187</a>, around hostname verification mode not being implemented in the optional transport TLS wrapper. Uses of proton-j not using this layer (e.g use within Qpid JMS) are not impacted.</p>
+
<h2 id="new-features-and-improvements">New features and improvements</h2>
<ul>
@@ -136,6 +138,7 @@ documentation, see the <a href="index.html">release overview</a>.</p>
<ul>
<li><a href="https://issues.apache.org/jira/browse/PROTON-1938">PROTON-1938</a> - misaligned Transport set/getErrorCondition and closed() behaviour</li>
<li><a href="https://issues.apache.org/jira/browse/PROTON-1958">PROTON-1958</a> - incorrect ordering for reactor timer tasks with matching deadlines</li>
+<li><a href="https://issues.apache.org/jira/browse/PROTON-1962">PROTON-1962</a> - [CVE-2018-17187] transport TLS wrapper hostname verification mode not implemented</li>
</ul>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/security.html
----------------------------------------------------------------------
diff --git a/content/security.html b/content/security.html
index 4508351..83dddb1 100644
--- a/content/security.html
+++ b/content/security.html
@@ -141,6 +141,7 @@ Qpid components are detailed at:</p>
<li><a href="/components/jms/security.html">JMS client</a></li>
<li><a href="/components/jms/security-0-x.html">AMQP 0-x JMS client</a></li>
<li><a href="/proton/security.html">Proton</a></li>
+<li><a href="/proton/security-j.html">Proton-J</a></li>
</ul>
</section>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/cves/CVE-2018-17187.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2018-17187.md b/input/cves/CVE-2018-17187.md
new file mode 100644
index 0000000..7df61cc
--- /dev/null
+++ b/input/cves/CVE-2018-17187.md
@@ -0,0 +1,57 @@
+# CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Proton-J
+
+## Affected versions
+
+0.3 to 0.29.0
+
+## Fixed versions
+
+0.30.0
+
+## Description
+
+The Proton-J transport includes an optional wrapper layer to perform TLS,
+enabled by use of the 'transport.ssl(...)' methods. Unless a verification
+mode was explicitly configured, client and server modes previously defaulted
+as documented to not verifying a peer certificate, with options to
+configure this explicitly or select a certificate verification mode with or
+without hostname verification being performed.
+
+The latter hostname verifying mode was not previously implemented, with
+attempts to use it resulting in an exception. This left only the option to
+verify the certificate is trusted, leaving such a client vulnerable to
+Man In The Middle (MITM) attack.
+
+Uses of the Proton-J protocol engine which do not utilise the optional
+transport TLS wrapper are not impacted, e.g. usage within Qpid JMS.
+
+## Resolution
+
+Uses of Proton-J utilising the optional transport TLS wrapper layer that
+wish to enable hostname verification must be upgraded to version 0.30.0 or
+later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is
+now the default for client mode usage unless configured otherwise.
+
+## Mitigation
+
+If upgrading is not currently possible then potential workarounds include
+providing a custom SSLContext which enables hostname verification, or
+omitting use of the 'transport.ssl(...)' methods and performing TLS through
+other means such as utilising existing IO framework support or supplying a
+custom transport wrapper layer.
+
+## References
+
+[PROTON-1962](https://issues.apache.org/jira/browse/PROTON-1962)
+
+## Credit
+
+This issue was reported by Peter Stockli of Alphabot Security.
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/proton/index.md
----------------------------------------------------------------------
diff --git a/input/proton/index.md b/input/proton/index.md
index bc810d5..bb3e406 100644
--- a/input/proton/index.md
+++ b/input/proton/index.md
@@ -89,6 +89,7 @@ platform, environment, or language. More about
## Resources
- [Security](security.html)
+ - [Security - Proton-J](security-j.html)
- [Contributing to Proton](submitting-patches.html)
- [Proton wiki pages](https://cwiki.apache.org/confluence/display/qpid/proton)
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/proton/security-j.md
----------------------------------------------------------------------
diff --git a/input/proton/security-j.md b/input/proton/security-j.md
new file mode 100644
index 0000000..7925e16
--- /dev/null
+++ b/input/proton/security-j.md
@@ -0,0 +1,27 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements. See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership. The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License. You may obtain a copy of the License at
+;;
+;; http://www.apache.org/licenses/LICENSE-2.0
+;;
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied. See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security - Proton-J
+
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
+| ------ | -------- | ----------------- | -------------- | ------- |
+| [CVE-2018-17187]({{site_url}}/cves/CVE-2018-17187.html) | Important | 0.3 to 0.29.0 inclusive | 0.30.0 and later | Transport TLS wrapper hostname verification mode not implemented |
+
+See the main [Security]({{site_url}}/security.html) page for general
+information and details for other components.
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/releases/qpid-proton-j-0.30.0/release-notes.md
----------------------------------------------------------------------
diff --git a/input/releases/qpid-proton-j-0.30.0/release-notes.md b/input/releases/qpid-proton-j-0.30.0/release-notes.md
index 3d0cb9a..5df8957 100644
--- a/input/releases/qpid-proton-j-0.30.0/release-notes.md
+++ b/input/releases/qpid-proton-j-0.30.0/release-notes.md
@@ -25,6 +25,7 @@ about [Qpid Proton]({{site_url}}/proton/index.html).
For more information about this release, including download links and
documentation, see the [release overview](index.html).
+**Note**: This release addresses security issue [CVE-2018-17187]({{site_url}}/cves/CVE-2018-17187.html), around hostname verification mode not being implemented in the optional transport TLS wrapper. Uses of proton-j not using this layer (e.g use within Qpid JMS) are not impacted.
## New features and improvements
@@ -36,4 +37,5 @@ documentation, see the [release overview](index.html).
## Bugs fixed
- [PROTON-1938](https://issues.apache.org/jira/browse/PROTON-1938) - misaligned Transport set/getErrorCondition and closed() behaviour
- - [PROTON-1958](https://issues.apache.org/jira/browse/PROTON-1958) - incorrect ordering for reactor timer tasks with matching deadlines
\ No newline at end of file
+ - [PROTON-1958](https://issues.apache.org/jira/browse/PROTON-1958) - incorrect ordering for reactor timer tasks with matching deadlines
+ - [PROTON-1962](https://issues.apache.org/jira/browse/PROTON-1962) - [CVE-2018-17187] transport TLS wrapper hostname verification mode not implemented
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/security.md
----------------------------------------------------------------------
diff --git a/input/security.md b/input/security.md
index 5453ae9..bcd7427 100644
--- a/input/security.md
+++ b/input/security.md
@@ -39,6 +39,7 @@ Qpid components are detailed at:
- [JMS client]({{site_url}}/components/jms/security.html)
- [AMQP 0-x JMS client]({{site_url}}/components/jms/security-0-x.html)
- [Proton]({{site_url}}/proton/security.html)
+ - [Proton-J]({{site_url}}/proton/security-j.html)
</section>
</div>
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org