You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by or...@apache.org on 2017/11/30 17:36:24 UTC
qpid-site git commit: NO-JIRA: Update site pages related to
CVE-2017-15701 and CVE-2017-15702
Repository: qpid-site
Updated Branches:
refs/heads/asf-site 6bfb1bf48 -> 5d4cf889a
NO-JIRA: Update site pages related to CVE-2017-15701 and CVE-2017-15702
Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/5d4cf889
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/5d4cf889
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/5d4cf889
Branch: refs/heads/asf-site
Commit: 5d4cf889afcc479c4b23a74bdd3763d2dcecf726
Parents: 6bfb1bf
Author: Alex Rudyy <or...@apache.org>
Authored: Thu Nov 30 17:36:01 2017 +0000
Committer: Alex Rudyy <or...@apache.org>
Committed: Thu Nov 30 17:36:01 2017 +0000
----------------------------------------------------------------------
content/components/broker-j/security.html | 14 ++
content/cves/CVE-2017-15701.html | 186 ++++++++++++++++++
content/cves/CVE-2017-15702.html | 193 +++++++++++++++++++
.../releases/qpid-java-6.1.5/release-notes.html | 2 +
input/releases/qpid-java-6.1.5/release-notes.md | 4 +-
5 files changed, 398 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/5d4cf889/content/components/broker-j/security.html
----------------------------------------------------------------------
diff --git a/content/components/broker-j/security.html b/content/components/broker-j/security.html
index e0c8636..358c957 100644
--- a/content/components/broker-j/security.html
+++ b/content/components/broker-j/security.html
@@ -148,6 +148,20 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
<td>6.0.6, 6.1.1</td>
<td>Information leakage</td>
</tr>
+<tr>
+ <td><a href="/cves/CVE-2017-15701.html">CVE-2017-15701</a></td>
+ <td>Important</td>
+ <td>6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4</td>
+ <td>6.1.5</td>
+ <td>Denial of Service</td>
+</tr>
+<tr>
+ <td><a href="/cves/CVE-2017-15702.html">CVE-2017-15702</a></td>
+ <td>Important</td>
+ <td>0.18, 0.20, 0.22, 0.24, 0.26, 0.28, 0.30, and 0.32</td>
+ <td>6.0.0</td>
+ <td>Authentication vulnerability</td>
+</tr>
</tbody>
</table>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/5d4cf889/content/cves/CVE-2017-15701.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2017-15701.html b/content/cves/CVE-2017-15701.html
new file mode 100644
index 0000000..e9f8b50
--- /dev/null
+++ b/content/cves/CVE-2017-15701.html
@@ -0,0 +1,186 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2017-15701 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/broker-j/index.html">Broker-J</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2017-15701</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2017-15701">CVE-2017-15701</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Important</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Broker-J</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p><a href="/releases/qpid-java-6.1.5/index.html">6.1.5</a></p>
+
+<h2 id="description">Description</h2>
+
+<p>The broker does not properly enforce a maximum frame size in AMQP 1.0
+frames. A remote unauthenticated attacker could exploit this to cause
+the broker to exhaust all available memory and eventually terminate.
+Older AMQP protocols are not affected.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Users who have AMQP 1.0 support enabled (default) should upgrade their
+Qpid Broker-J to version 6.1.5 or later (recommended).</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>If upgrading the broker is not possible, users can choose to disable
+AMQP 1.0 by either setting the system property
+"qpid.plugin.disabled:protocolenginecreator.AMQP_1_0" to "true",
+excluding "AMQP_1_0" from the supported protocol list on all AMQP
+ports, or by removing the AMQP 1.0 related jar files from the Java
+classpath.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPID-7947">QPID-7947</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/5d4cf889/content/cves/CVE-2017-15702.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2017-15702.html b/content/cves/CVE-2017-15702.html
new file mode 100644
index 0000000..6db37c4
--- /dev/null
+++ b/content/cves/CVE-2017-15702.html
@@ -0,0 +1,193 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>CVE-2017-15702 - Apache Qpid™</title>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+ <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+ <script type="text/javascript">var _deferredFunctions = [];</script>
+ <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+ <!--[if lte IE 8]>
+ <link rel="stylesheet" href="/ie.css" type="text/css"/>
+ <script type="text/javascript" src="/html5shiv.js"></script>
+ <![endif]-->
+
+ <!-- Redirects for `go get` and godoc.org -->
+ <meta name="go-import"
+ content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+ <meta name="go-source"
+ content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+ </head>
+ <body>
+ <div id="-content">
+ <div id="-top" class="panel">
+ <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+ <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+ <ul id="-global-navigation">
+ <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
+ <li><a href="/documentation.html">Documentation</a></li>
+ <li><a href="/download.html">Download</a></li>
+ <li><a href="/discussion.html">Discussion</a></li>
+ </ul>
+ </div>
+
+ <div id="-menu" class="panel" style="display: none;">
+ <div class="flex">
+ <section>
+ <h3>Project</h3>
+
+ <ul>
+ <li><a href="/overview.html">Overview</a></li>
+ <li><a href="/components/index.html">Components</a></li>
+ <li><a href="/releases/index.html">Releases</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Messaging APIs</h3>
+
+ <ul>
+ <li><a href="/proton/index.html">Qpid Proton</a></li>
+ <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+ <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Servers and tools</h3>
+
+ <ul>
+ <li><a href="/components/broker-j/index.html">Broker-J</a></li>
+ <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+ <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+ </ul>
+ </section>
+
+ <section>
+ <h3>Resources</h3>
+
+ <ul>
+ <li><a href="/dashboard.html">Dashboard</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+ <li><a href="/resources.html">More resources</a></li>
+ </ul>
+ </section>
+ </div>
+ </div>
+
+ <div id="-search" class="panel" style="display: none;">
+ <form action="http://www.google.com/search" method="get">
+ <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+ <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+ <button type="submit">Search</button>
+ <a href="/search.html">More ways to search</a>
+ </form>
+ </div>
+
+ <div id="-middle" class="panel">
+ <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2017-15702</li></ul>
+
+ <div id="-middle-content">
+ <h1 id="cve-2017-15702">CVE-2017-15702</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Important</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Broker-J</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.18 through 0.32</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p><a href="/releases/qpid-java-6.0.0/index.html">6.0.0</a></p>
+
+<h2 id="description">Description</h2>
+
+<p>If the broker is configured with different authentication providers on
+different ports one of which is an HTTP port, then the broker can be
+tricked by a remote unauthenticated attacker connecting to the HTTP
+port into using an authentication provider that was configured on a
+different port. The attacker still needs valid credentials with the
+authentication provider on the spoofed port. This becomes an issue
+when the spoofed port has weaker authentication protection (e.g.,
+anonymous access, default accounts) and is normally protected by
+firewall rules or similar which can be circumvented by this
+vulnerability. AMQP ports are not affected. Versions 6.0.0 and newer
+are not affected.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Users of affected versions who have more than one port and different
+authentication providers configured on them should upgrade to a
+later unaffected version (recommended).</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>If upgrading the broker is not possible then users should ensure all
+their authentication providers offer an equal amount of protection.
+In particular, authentication providers with default accounts and
+those with anonymous access should be removed if other providers in
+use require credentials.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/QPID-8039">QPID-8039</a></p>
+
+
+ <hr/>
+
+ <ul id="-apache-navigation">
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a href="/security.html">Security</a></li>
+ <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
+ </ul>
+
+ <p id="-legal">
+ Apache Qpid, Messaging built on AMQP; Copyright © 2015
+ The Apache Software Foundation; Licensed under
+ the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+ License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+ Proton, Apache, the Apache feather logo, and the Apache Qpid
+ project logo are trademarks of The Apache Software
+ Foundation; All other marks mentioned may be trademarks or
+ registered trademarks of their respective owners
+ </p>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/5d4cf889/content/releases/qpid-java-6.1.5/release-notes.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-java-6.1.5/release-notes.html b/content/releases/qpid-java-6.1.5/release-notes.html
index 12c46ac..9559687 100644
--- a/content/releases/qpid-java-6.1.5/release-notes.html
+++ b/content/releases/qpid-java-6.1.5/release-notes.html
@@ -120,6 +120,8 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
broker written in Java that stores, routes, and forwards messages
using AMQP.</p>
+<p><strong>Note</strong>: This release addresses security vulnerability <a href="/components/broker-j/security.html">CVE-2017-15701</a>.</p>
+
<p>For more information about this release, including download links and
documentation, see the <a href="index.html">release overview</a>.</p>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/5d4cf889/input/releases/qpid-java-6.1.5/release-notes.md
----------------------------------------------------------------------
diff --git a/input/releases/qpid-java-6.1.5/release-notes.md b/input/releases/qpid-java-6.1.5/release-notes.md
index b477139..3ef31bb 100644
--- a/input/releases/qpid-java-6.1.5/release-notes.md
+++ b/input/releases/qpid-java-6.1.5/release-notes.md
@@ -23,6 +23,8 @@ Qpid for Java offers an AMQP-fluent implementation of JMS and a message
broker written in Java that stores, routes, and forwards messages
using AMQP.
+**Note**: This release addresses security vulnerability [CVE-2017-15701]({{site_url}}/components/broker-j/security.html).
+
For more information about this release, including download links and
documentation, see the [release overview](index.html).
@@ -37,4 +39,4 @@ documentation, see the [release overview](index.html).
- [QPID-7836](https://issues.apache.org/jira/browse/QPID-7836) - NPE logged at WARN during management view of messages whilst consumer active
- [QPID-7853](https://issues.apache.org/jira/browse/QPID-7853) - Message enqueued twice to the same queue leads to Broker failure
- [QPID-7947](https://issues.apache.org/jira/browse/QPID-7947) - [Java Broker] [AMQP 1.0] Improve handling of empty and overlarge frames
- - [QPID-7973](https://issues.apache.org/jira/browse/QPID-7973) - Table Name Prefix is set to NULL if no prefix is provided instead of empty String
\ No newline at end of file
+ - [QPID-7973](https://issues.apache.org/jira/browse/QPID-7973) - Table Name Prefix is set to NULL if no prefix is provided instead of empty String
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org