Posted to commits@qpid.apache.org by ro...@apache.org on 2017/05/16 16:46:06 UTC

qpid-site git commit: QPID-7756: make the AMQP 1.0 and AMQP 0-x JMS client details independent again, fix the versions etc for the latter

Repository: qpid-site
Updated Branches:
  refs/heads/asf-site 891f697bd -> 0ddc412a6


QPID-7756: make the AMQP 1.0 and AMQP 0-x JMS client details independent again, fix the versions etc for the latter


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/0ddc412a
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/0ddc412a
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/0ddc412a

Branch: refs/heads/asf-site
Commit: 0ddc412a6d28a8af9c99de1560e1dac211ba3045
Parents: 891f697
Author: Robert Gemmell <ro...@apache.org>
Authored: Tue May 16 17:45:37 2017 +0100
Committer: Robert Gemmell <ro...@apache.org>
Committed: Tue May 16 17:45:37 2017 +0100

----------------------------------------------------------------------
 content/components/jms/amqp-0-x.html     |   8 +-
 content/components/jms/security-0-x.html |  69 +++------
 content/components/jms/security.html     |  24 +---
 content/cves/CVE-2016-4974_0-x.html      | 196 ++++++++++++++++++++++++++
 content/security.html                    |   1 +
 input/components/jms/amqp-0-x.md         |   4 +-
 input/components/jms/security-0-x.md     |  34 +++++
 input/components/jms/security.md         |   7 +-
 input/cves/CVE-2016-4974_0-x.md          |  59 ++++++++
 input/security.md                        |   1 +
 10 files changed, 324 insertions(+), 79 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/content/components/jms/amqp-0-x.html
----------------------------------------------------------------------
diff --git a/content/components/jms/amqp-0-x.html b/content/components/jms/amqp-0-x.html
index 4d5226f..52224e4 100644
--- a/content/components/jms/amqp-0-x.html
+++ b/content/components/jms/amqp-0-x.html
@@ -21,7 +21,7 @@
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
-    <title>Qpid JMS for AMQP 0-9-1/0-10 - Apache Qpid&#8482;</title>
+    <title>AMQP 0-x JMS - Apache Qpid&#8482;</title>
     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
     <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
     <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
@@ -111,10 +111,10 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
       </div>
 
       <div id="-middle" class="panel">
-        <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/components/index.html">Components</a></li><li><a href="/components/jms/index.html">Qpid JMS</a></li><li>Qpid JMS for AMQP 0-9-1/0-10</li></ul>
+        <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/components/index.html">Components</a></li><li><a href="/components/jms/index.html">Qpid JMS</a></li><li>AMQP 0-x JMS</li></ul>
 
         <div id="-middle-content">
-          <h1 id="qpid-jms-for-amqp-0-9-10-10">Qpid JMS for AMQP 0-9-1/0-10</h1>
+          <h1 id="amqp-0-x-jms">AMQP 0-x JMS</h1>
 
 <p>A JMS 1.1 implementation supporting AMQP versions 0-10, 0-9-1, 0-9, and
 0-8.  For AMQP 1.0 support, use the newer <a href="index.html">Qpid JMS</a> client.</p>
@@ -168,7 +168,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
 <h2 id="resources">Resources</h2>
 
 <ul>
-<li><a href="security.html">Security</a></li>
+<li><a href="security-0-x.html">Security</a></li>
 </ul>
 
 

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/content/components/jms/security-0-x.html
----------------------------------------------------------------------
diff --git a/content/components/jms/security-0-x.html b/content/components/jms/security-0-x.html
index 52ea2f0..cf9c0cf 100644
--- a/content/components/jms/security-0-x.html
+++ b/content/components/jms/security-0-x.html
@@ -116,57 +116,34 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
         <div id="-middle-content">
           <h1 id="security">Security</h1>
 
-<section>
-
-<h2 id="amqp-0-x-jms-client-amqp-0-8-0-9-0-9-1-0-10">AMQP 0-x JMS Client (AMQP 0-8, 0-9, 0-9-1, 0-10)</h2>
+<h2 id="amqp-0-x-jms-amqp-0-8-0-9-0-9-1-0-10">AMQP 0-x JMS (AMQP 0-8, 0-9, 0-9-1, 0-10)</h2>
 
 <table>
-  <thead>
-    <tr>
-      <th>CVE-ID</th><th>Severity</th><th>Affected&nbsp;Versions</th><th>Fixed&nbsp;in&nbsp;Versions</th><th>Description</th>
-    </tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td>CVE-2016-4974</td>
-      <td>Moderate</td>
-      <td>6.0.3 and earlier</td>
-      <td>6.0.4 and later</a></td>
-      <td>
-        Deserialization of untrusted input while using JMS ObjectMessage. <a id="CVE-2016-4974_details_toggle" href="javascript:_toggleDiv({divId:'CVE-2016-4974_details', controlId:'CVE-2016-4974_details_toggle', showMore:'<small>show more</small>', showLess:'<small>show less</small>'});"><small>show more</small></a>
-        <div style="display:none;" id="CVE-2016-4974_details">
-            <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are
-            subject to the behaviour of any object deserialization during the process
-            of constructing the body to return.  Unless the application has taken outside
-            steps to limit the deserialization process, they can't protect against
-            input that might try to make undesired use of classes available on the
-            application classpath that might be vulnerable to exploitation.
-            In order to exploit this vulnerability, an attacker would need
-            to be able to inject a suitably crafted AMQP message containing the
-            malicious JMS Object Message into the AMQP message network. For this,
-            the attacker would require valid authentication credentials and
-            suitable authorisation.</p>
-
-            <p> Mitigation: Users using ObjectMessage can upgrade to Qpid
-            AMQP 0-x JMS client 6.0.4 or or later, and use the new
-            configuration options to whitelist trusted content permitted for
-            deserialization. When so configured, attempts to deserialize input
-            containing other content will be prevented. Alternatively, users of older
-            client releases may utilise other means such as agent-based approaches to help
-            govern content permitted for deserialization in their application.</p>
-
-            <p> Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com)</p>
-
-            <p>References: <a href="https://issues.apache.org/jira/browse/QPID-7323">QPID-7323</a></p>
-        </div>
-      </td>
-    </tr>
-  </tbody>
+<thead>
+<tr>
+  <th>CVE-ID</th>
+  <th>Severity</th>
+  <th>Affected versions</th>
+  <th>Fixed versions</th>
+  <th>Summary</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+  <td><a href="/cves/CVE-2016-4974_0-x.html">CVE-2016-4974</a></td>
+  <td>Moderate</td>
+  <td>6.0.3 and earlier</td>
+  <td>6.0.4 and later</td>
+  <td>Deserialization of untrusted input while using JMS ObjectMessage</td>
+</tr>
+</tbody>
 </table>
 
-</section>
+<p>See the <a href="/components/jms/security.html">Qpid JMS Security</a> page
+for details of the AMQP 1.0 JMS client.</p>
 
-<p>See the main <a href="/security.html">Security</a> page for general information and details for other components.</p>
+<p>See the main <a href="/security.html">Security</a> page for general
+information and details for other components.</p>
 
 
           <hr/>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/content/components/jms/security.html
----------------------------------------------------------------------
diff --git a/content/components/jms/security.html b/content/components/jms/security.html
index d52ca19..d25781e 100644
--- a/content/components/jms/security.html
+++ b/content/components/jms/security.html
@@ -139,28 +139,8 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
 </tbody>
 </table>
 
-<h2 id="amqp-0-x-jms-amqp-0-8-0-9-0-9-1-0-10">AMQP 0-x JMS (AMQP 0-8, 0-9, 0-9-1, 0-10)</h2>
-
-<table>
-<thead>
-<tr>
-  <th>CVE-ID</th>
-  <th>Severity</th>
-  <th>Affected versions</th>
-  <th>Fixed versions</th>
-  <th>Summary</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-  <td><a href="/cves/CVE-2016-4974.html">CVE-2016-4974</a></td>
-  <td>Moderate</td>
-  <td>0.9.0 and earlier</td>
-  <td>0.10.0 and later</td>
-  <td>Deserialization of untrusted input while using JMS ObjectMessage</td>
-</tr>
-</tbody>
-</table>
+<p>See the <a href="/components/jms/security-0-x.html">AMQP 0-x JMS Security</a>
+page for details of the AMQP 0-x JMS client.</p>
 
 <p>See the main <a href="/security.html">Security</a> page for general
 information and details for other components.</p>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/content/cves/CVE-2016-4974_0-x.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2016-4974_0-x.html b/content/cves/CVE-2016-4974_0-x.html
new file mode 100644
index 0000000..f1de83e
--- /dev/null
+++ b/content/cves/CVE-2016-4974_0-x.html
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements.  See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership.  The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied.  See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+  <head>
+    <title>CVE-2016-4974 - Apache Qpid&#8482;</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+    <script type="text/javascript">var _deferredFunctions = [];</script>
+    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+    <!--[if lte IE 8]>
+      <link rel="stylesheet" href="/ie.css" type="text/css"/>
+      <script type="text/javascript" src="/html5shiv.js"></script>
+    <![endif]-->
+
+    <!-- Redirects for `go get` and godoc.org -->
+    <meta name="go-import"
+          content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+    <meta name="go-source"
+          content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+  </head>
+  <body>
+    <div id="-content">
+      <div id="-top" class="panel">
+        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+        <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+        <ul id="-global-navigation">
+          <li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
+          <li><a href="/documentation.html">Documentation</a></li>
+          <li><a href="/download.html">Download</a></li>
+          <li><a href="/discussion.html">Discussion</a></li>
+        </ul>
+      </div>
+
+      <div id="-menu" class="panel" style="display: none;">
+        <div class="flex">
+          <section>
+            <h3>Project</h3>
+
+            <ul>
+              <li><a href="/overview.html">Overview</a></li>
+              <li><a href="/components/index.html">Components</a></li>
+              <li><a href="/releases/index.html">Releases</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Messaging APIs</h3>
+
+            <ul>
+              <li><a href="/proton/index.html">Qpid Proton</a></li>
+              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+              <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Servers and tools</h3>
+
+            <ul>
+              <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
+              <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+              <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Resources</h3>
+
+            <ul>
+              <li><a href="/dashboard.html">Dashboard</a></li>
+              <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+              <li><a href="/resources.html">More resources</a></li>
+            </ul>
+          </section>
+        </div>
+      </div>
+
+      <div id="-search" class="panel" style="display: none;">
+        <form action="http://www.google.com/search" method="get">
+          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+          <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+          <button type="submit">Search</button>
+          <a href="/search.html">More ways to search</a>
+        </form>
+      </div>
+
+      <div id="-middle" class="panel">
+        <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2016-4974</li></ul>
+
+        <div id="-middle-content">
+          <h1 id="cve-2016-4974">CVE-2016-4974</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Moderate</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>AMQP 0-x JMS</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>6.0.3 and earlier</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>6.0.4 and later</p>
+
+<h2 id="description">Description</h2>
+
+<p>Deserialization of untrusted input while using JMS ObjectMessage.</p>
+
+<p>When applications call getObject() on a consumed JMS ObjectMessage
+they are subject to the behaviour of any object deserialization during
+the process of constructing the body to return.  Unless the application
+has taken outside steps to limit the deserialization process, they
+can't protect against input that might try to make undesired use of
+classes available on the application classpath that might be
+vulnerable to exploitation. In order to exploit this vulnerability, an
+attacker would need to be able to inject a suitably crafted AMQP
+message containing the malicious JMS Object Message into the AMQP
+message network. For this, the attacker would require valid
+authentication credentials and suitable authorisation.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>Users using ObjectMessage can upgrade to Qpid AMQP 0-x JMS client 6.0.4
+or or later, and use the new configuration options to whitelist trusted
+content permitted for deserialization. When so configured, attempts to
+deserialize input containing other content will be prevented.
+Alternatively, users of older client releases may utilise other means
+such as agent-based approaches to help govern content permitted for
+deserialization in their application.</p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was discovered by Matthias Kaiser of Code White
+(www.code-white.com).</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPID-7323">QPID-7323</a></p>
+
+
+          <hr/>
+
+          <ul id="-apache-navigation">
+            <li><a href="http://www.apache.org/">Apache</a></li>
+            <li><a href="http://www.apache.org/licenses/">License</a></li>
+            <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+            <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+            <li><a href="/security.html">Security</a></li>
+            <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+          </ul>
+
+          <p id="-legal">
+            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
+            The Apache Software Foundation; Licensed under
+            the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+            Proton, Apache, the Apache feather logo, and the Apache Qpid
+            project logo are trademarks of The Apache Software
+            Foundation; All other marks mentioned may be trademarks or
+            registered trademarks of their respective owners
+          </p>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>
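Review bot: The `<title>`, the breadcrumb entry and the `<h1>` of this new page all read just "CVE-2016-4974", the same bare identifier under which /cves/CVE-2016-4974.html is linked from the security tables elsewhere in this diff. Only the "Affected components" paragraph tells a reader that this is the AMQP 0-x JMS advisory. Consider a heading such as "CVE-2016-4974 (AMQP 0-x JMS)" in input/cves/CVE-2016-4974_0-x.md, then regenerate, so the page identifies itself in a tab, bookmark or search result.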

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/content/security.html
----------------------------------------------------------------------
diff --git a/content/security.html b/content/security.html
index 52e7661..e2ec311 100644
--- a/content/security.html
+++ b/content/security.html
@@ -138,6 +138,7 @@ Qpid components are detailed at:</p>
 
 <ul>
 <li><a href="/components/jms/security.html">JMS client</a></li>
+<li><a href="/components/jms/security-0-x.html">AMQP 0-x JMS client</a></li>
 <li><a href="/proton/security.html">Proton</a></li>
 </ul>
 

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/input/components/jms/amqp-0-x.md
----------------------------------------------------------------------
diff --git a/input/components/jms/amqp-0-x.md b/input/components/jms/amqp-0-x.md
index 74f271f..bac97f6 100644
--- a/input/components/jms/amqp-0-x.md
+++ b/input/components/jms/amqp-0-x.md
@@ -1,4 +1,4 @@
-# Qpid JMS for AMQP 0-9-1/0-10
+# AMQP 0-x JMS
 
 A JMS 1.1 implementation supporting AMQP versions 0-10, 0-9-1, 0-9, and
 0-8.  For AMQP 1.0 support, use the newer [Qpid JMS](index.html) client.
@@ -43,4 +43,4 @@ The client is also available [via Maven]({{site_url}}/maven.html).
 
 ## Resources
 
- - [Security](security.html)
+ - [Security](security-0-x.html)

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/input/components/jms/security-0-x.md
----------------------------------------------------------------------
diff --git a/input/components/jms/security-0-x.md b/input/components/jms/security-0-x.md
new file mode 100644
index 0000000..1218aa4
--- /dev/null
+++ b/input/components/jms/security-0-x.md
@@ -0,0 +1,34 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+## AMQP 0-x JMS (AMQP 0-8, 0-9, 0-9-1, 0-10)
+
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
+| ------ | -------- | ----------------- | -------------- | ------- |
+| [CVE-2016-4974]({{site_url}}/cves/CVE-2016-4974_0-x.html) | Moderate | 6.0.3 and earlier | 6.0.4 and later | Deserialization of untrusted input while using JMS ObjectMessage |
+
+See the [Qpid JMS Security]({{site_url}}/components/jms/security.html) page
+for details of the AMQP 1.0 JMS client.
+
+See the main [Security]({{site_url}}/security.html) page for general
+information and details for other components.
+
+
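Review bot: The top-level heading is still the bare `# Security`, while the link added to security.md in this commit calls this page "AMQP 0-x JMS Security". Making the heading match that link text would let the page identify which client it covers without relying on the `##` line below it. The two empty `+` lines at the end of the file can also go.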

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/input/components/jms/security.md
----------------------------------------------------------------------
diff --git a/input/components/jms/security.md b/input/components/jms/security.md
index aea2c25..914d849 100644
--- a/input/components/jms/security.md
+++ b/input/components/jms/security.md
@@ -25,11 +25,8 @@
 | ------ | -------- | ----------------- | -------------- | ------- |
 | [CVE-2016-4974]({{site_url}}/cves/CVE-2016-4974.html) | Moderate | 0.9.0 and earlier | 0.10.0 and later | Deserialization of untrusted input while using JMS ObjectMessage |
 
-## AMQP 0-x JMS (AMQP 0-8, 0-9, 0-9-1, 0-10)
-
-| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
-| ------ | -------- | ----------------- | -------------- | ------- |
-| [CVE-2016-4974]({{site_url}}/cves/CVE-2016-4974.html) | Moderate | 0.9.0 and earlier | 0.10.0 and later | Deserialization of untrusted input while using JMS ObjectMessage |
+See the [AMQP 0-x JMS Security]({{site_url}}/components/jms/security-0-x.html)
+page for details of the AMQP 0-x JMS client.
 
 See the main [Security]({{site_url}}/security.html) page for general
 information and details for other components.

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/input/cves/CVE-2016-4974_0-x.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2016-4974_0-x.md b/input/cves/CVE-2016-4974_0-x.md
new file mode 100644
index 0000000..d1c06f8
--- /dev/null
+++ b/input/cves/CVE-2016-4974_0-x.md
@@ -0,0 +1,59 @@
+# CVE-2016-4974
+
+## Severity
+
+Moderate
+
+## Affected components
+
+AMQP 0-x JMS
+
+## Affected versions
+
+6.0.3 and earlier
+
+## Fixed versions
+
+6.0.4 and later
+
+## Description
+
+Deserialization of untrusted input while using JMS ObjectMessage.
+
+When applications call getObject() on a consumed JMS ObjectMessage
+they are subject to the behaviour of any object deserialization during
+the process of constructing the body to return.  Unless the application
+has taken outside steps to limit the deserialization process, they
+can't protect against input that might try to make undesired use of
+classes available on the application classpath that might be
+vulnerable to exploitation. In order to exploit this vulnerability, an
+attacker would need to be able to inject a suitably crafted AMQP
+message containing the malicious JMS Object Message into the AMQP
+message network. For this, the attacker would require valid
+authentication credentials and suitable authorisation.
+
+## Mitigation
+
+Users using ObjectMessage can upgrade to Qpid AMQP 0-x JMS client 6.0.4
+or or later, and use the new configuration options to whitelist trusted
+content permitted for deserialization. When so configured, attempts to
+deserialize input containing other content will be prevented.
+Alternatively, users of older client releases may utilise other means
+such as agent-based approaches to help govern content permitted for
+deserialization in their application.
+
+## Credit
+
+This issue was discovered by Matthias Kaiser of Code White
+(www.code-white.com).
+
+## References
+
+[QPID-7323](https://issues.apache.org/jira/browse/QPID-7323)
+
+
+
+
+
+
+
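Review bot: The Mitigation paragraph has a doubled word ("6.0.4 or or later"). It also tells users to "use the new configuration options to whitelist trusted content" without naming those options or linking to the client documentation, so a reader who upgrades still does not know what to set. Fix the typo, add the option names or a link, and consider stating what the client does after the upgrade when no whitelist is configured, since "When so configured" leaves that open. The run of empty `+` lines at the end of the file can be dropped.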

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0ddc412a/input/security.md
----------------------------------------------------------------------
diff --git a/input/security.md b/input/security.md
index 85eaa96..5966855 100644
--- a/input/security.md
+++ b/input/security.md
@@ -36,6 +36,7 @@ Qpid components are detailed at:
 <section markdown="1">
 
  - [JMS client]({{site_url}}/components/jms/security.html)
+ - [AMQP 0-x JMS client]({{site_url}}/components/jms/security-0-x.html)
  - [Proton]({{site_url}}/proton/security.html)
 
 </section>
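Review bot: With the new "AMQP 0-x JMS client" entry directly below it, the existing "JMS client" label no longer says which client it means. security-0-x.md in this same commit refers to that page as "Qpid JMS Security" covering "the AMQP 1.0 JMS client", so renaming the first entry to "Qpid JMS client" or "AMQP 1.0 JMS client" would keep the two entries distinguishable. The same applies to the generated list in content/security.html.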

