-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2039
                         qpid-proton security update
                                 7 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qpid-proton
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux Server 8
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-0223
Reference:         ESB-2019.1410
                   ESB-2019.1407

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:1398
   https://access.redhat.com/errata/RHSA-2019:1399
   https://access.redhat.com/errata/RHSA-2019:1400

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: qpid-proton security update
Advisory ID:       RHSA-2019:1398-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1398
Issue date:        2019-06-06
CVE Names:         CVE-2019-0223
=====================================================================

1. Summary:

An update for qpid-proton is now available for Red Hat OpenStack Platform 14
(Rocky).

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7 - x86_64

3. Description:

The AMQ Client enables connecting, sending, and receiving messages over the
AMQP 1.0 wire transport protocol.

This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 7.

Security Fix(es):

* qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1702439 - CVE-2019-0223 qpid-proton: TLS Man in the Middle Vulnerability

6. Package List:

Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7:

Source:
qpid-proton-0.27.0-3.el7.src.rpm

x86_64:
qpid-proton-c-0.27.0-3.el7.x86_64.rpm
qpid-proton-debuginfo-0.27.0-3.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-0223
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: qpid-proton security update
Advisory ID:       RHSA-2019:1399-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1399
Issue date:        2019-06-06
CVE Names:         CVE-2019-0223
=====================================================================

1. Summary:

An update for qpid-proton is now available for Red Hat OpenStack Platform 14
(Rocky).

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 14.0 - ppc64le, x86_64

3. Description:

The AMQ Client enables connecting, sending, and receiving messages over the
AMQP 1.0 wire transport protocol.

This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 7.

Security Fix(es):

* qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1702439 - CVE-2019-0223 qpid-proton: TLS Man in the Middle Vulnerability
1707869 - AMQ Interconnect edge mode doesn't work with anonymous channels; rebuild container after resolved to 1.4 version [openstack-14]

6. Package List:

Red Hat OpenStack Platform 14.0:

Source:
qpid-proton-0.27.0-3.el7.src.rpm

ppc64le:
python-qpid-proton-0.27.0-3.el7.ppc64le.rpm
qpid-proton-c-0.27.0-3.el7.ppc64le.rpm
qpid-proton-debuginfo-0.27.0-3.el7.ppc64le.rpm

x86_64:
python-qpid-proton-0.27.0-3.el7.x86_64.rpm
qpid-proton-c-0.27.0-3.el7.x86_64.rpm
qpid-proton-debuginfo-0.27.0-3.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-0223
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: qpid-proton security update
Advisory ID:       RHSA-2019:1400-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1400
Issue date:        2019-06-06
CVE Names:         CVE-2019-0223
=====================================================================

1. Summary:

An update for qpid-proton is now available for Red Hat OpenStack Platform 13
(Queens).

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - ppc64le, x86_64

3. Description:

The AMQ Client enables connecting, sending, and receiving messages over the
AMQP 1.0 wire transport protocol.

Security Fix(es):

* qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 7.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1702439 - CVE-2019-0223 qpid-proton: TLS Man in the Middle Vulnerability
1704978 - AMQ Interconnect edge mode doesn't work with anonymous channels; rebuild container after resolved to 1.4 version [openstack-13]
1717133 - add jsoncpp for dep of qpid-proton for fixing CVE-2019-0223

6. Package List:

Red Hat OpenStack Platform 13.0:

Source:
jsoncpp-1.7.7-1.el7.src.rpm
qpid-proton-0.27.0-3.el7.src.rpm

ppc64le:
jsoncpp-1.7.7-1.el7.ppc64le.rpm
jsoncpp-debuginfo-1.7.7-1.el7.ppc64le.rpm
python-qpid-proton-0.27.0-3.el7.ppc64le.rpm
qpid-proton-c-0.27.0-3.el7.ppc64le.rpm
qpid-proton-cpp-0.27.0-3.el7.ppc64le.rpm
qpid-proton-debuginfo-0.27.0-3.el7.ppc64le.rpm

x86_64:
jsoncpp-1.7.7-1.el7.x86_64.rpm
jsoncpp-debuginfo-1.7.7-1.el7.x86_64.rpm
python-qpid-proton-0.27.0-3.el7.x86_64.rpm
qpid-proton-c-0.27.0-3.el7.x86_64.rpm
qpid-proton-cpp-0.27.0-3.el7.x86_64.rpm
qpid-proton-debuginfo-0.27.0-3.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-0223
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
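As an added example (not part of the Red Hat advisories or the AusCERT text), the check below parses the output of rpm -qa and flags any package named in these three advisories that is still older than the fixed 0.27.0-3.el7 build. The rpm -qa sample is constructed, and the version comparison is a simplified rpmvercmp (digit/alpha segment comparison, no tilde or caret handling).

```python
import re

# Fixed (version, release) of the qpid-proton builds in RHSA-2019:1398/1399/1400.
FIXED_VR = ("0.27.0", "3.el7")
# Package names taken from the advisories' package lists.
AFFECTED_PKGS = {"qpid-proton-c", "qpid-proton-cpp", "python-qpid-proton",
                 "qpid-proton-debuginfo"}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: digit runs compare as integers, alpha runs lexically,
    a digit run beats an alpha run, longer string wins on a tie. No '~'/'^'."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nevra(nevra):
    """'qpid-proton-c-0.26.0-1.el7.x86_64' -> (name, version, release, arch)."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+)\.([^.]+)$", nevra)
    if not m:
        raise ValueError("not a name-version-release.arch string: " + nevra)
    return m.groups()

def needs_update(nevra):
    """True if nevra is an advisory package older than the fixed build."""
    name, ver, rel, _arch = parse_nevra(nevra)
    if name not in AFFECTED_PKGS:
        return False
    # Compare version first; only fall through to release when versions tie.
    c = rpmvercmp(ver, FIXED_VR[0]) or rpmvercmp(rel, FIXED_VR[1])
    return c < 0

def audit(rpm_qa_output):
    """Return the installed packages (one per line, as rpm -qa prints) still needing the update."""
    return [p for p in map(str.strip, rpm_qa_output.splitlines())
            if p and needs_update(p)]

# Constructed sample of rpm -qa output from a hypothetical host (not from the advisory).
SAMPLE_RPM_QA = """qpid-proton-c-0.26.0-1.el7.x86_64
python-qpid-proton-0.27.0-3.el7.x86_64
qpid-proton-cpp-0.27.0-2.el7.x86_64
jsoncpp-1.7.7-1.el7.x86_64
bash-4.2.46-34.el7.x86_64"""
```

On a real host, feed the script the live output (for example `audit(subprocess.check_output(["rpm", "-qa"], text=True))`) and treat any returned entry as still exposed to CVE-2019-0223.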