Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0691 AMQ Clients 2.6.0 Release 26 February 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: AMQ Clients Publisher: Red Hat Operating System: Red Hat Impact/Access: Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-7238 CVE-2019-20445 CVE-2019-20444 Reference: ESB-2020.0681 ESB-2020.0583 ESB-2020.0582 ESB-2020.0504 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:0601 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: AMQ Clients 2.6.0 Release Advisory ID: RHSA-2020:0601-01 Product: Red Hat AMQ Clients Advisory URL: https://access.redhat.com/errata/RHSA-2020:0601 Issue date: 2020-02-25 CVE Names: CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 ===================================================================== 1. Summary: An update is now available for Red Hat AMQ Clients 2.6.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: 6Client-AMQ-Clients-2 - i386, noarch, x86_64 6ComputeNode-AMQ-Clients-2 - noarch, x86_64 6Server-AMQ-Clients-2 - i386, noarch, x86_64 6Workstation-AMQ-Clients-2 - i386, noarch, x86_64 7Client-AMQ-Clients-2 - noarch, x86_64 7ComputeNode-AMQ-Clients-2 - noarch, x86_64 7Server-AMQ-Clients-2 - noarch, x86_64 7Workstation-AMQ-Clients-2 - noarch, x86_64 8Base-AMQ-Clients-2 - noarch, x86_64 3. Description: Red Hat AMQ Clients enable connecting, sending, and receiving messages over the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7. This update provides various bug fixes and enhancements in addition to the client package versions previously released on Red Hat Enterprise Linux 6, 7, and 8. Security Fix(es): * netty: HTTP request smuggling (CVE-2019-20444) * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header 1798524 - CVE-2019-20444 netty: HTTP request smuggling 6. JIRA issues fixed (https://issues.jboss.org/): ENTMQCL-1075 - [python] Example broker.py is using collections.deque.count from Python 2.7 ENTMQCL-1076 - [python] Example abstract_server.py is using relative import ENTMQCL-1246 - [python] Install egg-info directory ENTMQCL-1287 - [python] Read a config file to get default connection parameters (Windows) ENTMQCL-1322 - amqpnetlite-sdk-2.1.6 does not export resource strings ENTMQCL-1361 - [python] Convert strings in the API to AMQP symbols where required ENTMQCL-1364 - [python] P2P detach frame not received results in connection aborted ENTMQCL-1578 - [python] qpid-proton-0.28.0-1.el7 leaks memory ENTMQCL-1583 - [doc] Broken links in rh-messaging/amq-docs master ENTMQCL-1635 - [javascript] File-based connection configuration can't use named ports ENTMQCL-1641 - [dotnet] Update AMQ .NET Client based on amqpnetlite 2.2 ENTMQCL-1679 - [python] HOME location of file-based connection configuration does not point to HOME location ENTMQCL-1717 - [python] Default port should be amqps ENTMQCL-1726 - [jms] Improve performance when using simulated anonymous producers ENTMQCL-1781 - Established connections are aborted after the system clock is shifted forward ENTMQCL-1818 - [javascript] npm install fails due to missing configuration file for ESLint ENTMQCL-1835 - [jms] client-ack consumers don't increment remote delivery count on closure after fresh recover 7. Package List: 6Client-AMQ-Clients-2: Source: qpid-proton-0.30.0-4.el6_10.src.rpm i386: python-qpid-proton-0.30.0-4.el6_10.i686.rpm qpid-proton-c-0.30.0-4.el6_10.i686.rpm qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm noarch: python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm x86_64: python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm 6ComputeNode-AMQ-Clients-2: Source: qpid-proton-0.30.0-4.el6_10.src.rpm noarch: python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm x86_64: python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm 6Server-AMQ-Clients-2: Source: qpid-proton-0.30.0-4.el6_10.src.rpm i386: python-qpid-proton-0.30.0-4.el6_10.i686.rpm qpid-proton-c-0.30.0-4.el6_10.i686.rpm qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm noarch: python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm x86_64: python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm 6Workstation-AMQ-Clients-2: Source: qpid-proton-0.30.0-4.el6_10.src.rpm i386: python-qpid-proton-0.30.0-4.el6_10.i686.rpm qpid-proton-c-0.30.0-4.el6_10.i686.rpm qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm noarch: python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm x86_64: python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm 7Client-AMQ-Clients-2: Source: qpid-proton-0.30.0-2.el7.src.rpm rubygem-qpid_proton-0.30.0-1.el7.src.rpm noarch: python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm qpid-proton-tests-0.30.0-2.el7.noarch.rpm rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm x86_64: python-qpid-proton-0.30.0-2.el7.x86_64.rpm qpid-proton-c-0.30.0-2.el7.x86_64.rpm qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm 7ComputeNode-AMQ-Clients-2: Source: qpid-proton-0.30.0-2.el7.src.rpm rubygem-qpid_proton-0.30.0-1.el7.src.rpm noarch: python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm qpid-proton-tests-0.30.0-2.el7.noarch.rpm rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm x86_64: python-qpid-proton-0.30.0-2.el7.x86_64.rpm qpid-proton-c-0.30.0-2.el7.x86_64.rpm qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm 7Server-AMQ-Clients-2: Source: qpid-proton-0.30.0-2.el7.src.rpm rubygem-qpid_proton-0.30.0-1.el7.src.rpm noarch: python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm qpid-proton-tests-0.30.0-2.el7.noarch.rpm rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm x86_64: python-qpid-proton-0.30.0-2.el7.x86_64.rpm qpid-proton-c-0.30.0-2.el7.x86_64.rpm qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm 7Workstation-AMQ-Clients-2: Source: qpid-proton-0.30.0-2.el7.src.rpm rubygem-qpid_proton-0.30.0-1.el7.src.rpm noarch: python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm qpid-proton-tests-0.30.0-2.el7.noarch.rpm rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm x86_64: python-qpid-proton-0.30.0-2.el7.x86_64.rpm qpid-proton-c-0.30.0-2.el7.x86_64.rpm qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm 8Base-AMQ-Clients-2: Source: nodejs-rhea-1.0.16-1.el8.src.rpm qpid-proton-0.30.0-3.el8.src.rpm rubygem-qpid_proton-0.30.0-1.el8.src.rpm noarch: nodejs-rhea-1.0.16-1.el8.noarch.rpm python-qpid-proton-docs-0.30.0-3.el8.noarch.rpm qpid-proton-c-docs-0.30.0-3.el8.noarch.rpm qpid-proton-cpp-docs-0.30.0-3.el8.noarch.rpm qpid-proton-tests-0.30.0-3.el8.noarch.rpm rubygem-qpid_proton-doc-0.30.0-1.el8.noarch.rpm x86_64: python3-qpid-proton-0.30.0-3.el8.x86_64.rpm python3-qpid-proton-debuginfo-0.30.0-3.el8.x86_64.rpm qpid-proton-c-0.30.0-3.el8.x86_64.rpm qpid-proton-c-debuginfo-0.30.0-3.el8.x86_64.rpm qpid-proton-c-devel-0.30.0-3.el8.x86_64.rpm qpid-proton-cpp-0.30.0-3.el8.x86_64.rpm qpid-proton-cpp-debuginfo-0.30.0-3.el8.x86_64.rpm qpid-proton-cpp-devel-0.30.0-3.el8.x86_64.rpm qpid-proton-debuginfo-0.30.0-3.el8.x86_64.rpm qpid-proton-debugsource-0.30.0-3.el8.x86_64.rpm rubygem-qpid_proton-0.30.0-1.el8.x86_64.rpm rubygem-qpid_proton-debuginfo-0.30.0-1.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2019-20444 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-7238 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_amq/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXlU9u9zjgjWX9erEAQjJRg/9EWdSUKhNIQBO7WFXvi/PO/2ebxBePbDH l0mUNYaOeKyLJvSDLdE8OY25r1zdG6ZgrZLsiPUV31MLlyqXIUXPpFaylv74yZDy /oP8HnhaHQ29/RhooT5QLxqyCF7f4Bh+1C8VrrwSVKVvlt0Nwz3pC2uZudD6qv8r juZ8qNjWaQrD5RjWNKljRIzP/VWTU+9GTpACHmK5aTzcN+IgwSP+xJ9oIxnCvjNZ OhEPTnbYwVA645klWUpFKlj/eFIPSVl3/LTY3F5U1RPlU8qAGIBqPS6gUJSvFg5i HPOSa0yhFYD7jnPOR4SC24+/eLJaroP+GmnujWGSR10wnE4UZzoFtaw1OJblMdPt 8Ucs5Y0h7KBZwirSLVKEn8hW92cb3IjnCWde4aZjg46fbXrpeGi0tCtE+gh3shUC 3EBEtgU3/I3FoakQty7ePe6YHfFN3+u8Z3TsIQ9GJUCtZj/eeQyqGKLFgAncA6O6 cfZTDMzDU36snL11T8hAcVi2AKoJTxkbqzKy/A28xT11FYrGAGkATsb7mH16CRb9 zFmcsOEdNYBnh7r6QIeJmo0dyFLvAHUfjTabYqimPqABqhvjPeWc2OH5wXuyxV7l nHSLM62VhwLcRF5AAvxaNL+QE1B0GUH69Bhqn++0iTVoop0vluvE0DS5T4Gu0AYQ ZlNPuesCwnc= =ypok - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXlYN+GaOgq3Tt24GAQj71BAAs1g1F0dnaTiSoHq64yAVJD5wa1NTpztF QczDKEw/e4IJ8q3SNq6XEKrFQgKPXGuchHHF9Bkv5sYLbHIFBDg5ilr/luoU46I2 KviDWQqYYPDrwWf753BcSTvI+Pu7Yx66h7FCd59SKLcGWyekmvkH+1oxm3f2sD4o X8zASPHyh3QjabX1cHjmH22pgkuzG/S4UrON7im/HY6nxEWt9jDbAqqDB7o9Qx4h GmRRKhlZAhWsyLo6D2pPyOrgID8XJk3FZap9WMjozi8iX4pOjRsDFMdUmUd8ACgB +zmVWkN1WUh1+4Vp8geEGHqmGl3exb8M9ULo465XQ97CZuNochFKXg02rROJ0atv xZtb6XuADHzGWZ+RyZKoqq4BxLewLnluV9hzVFBO643BrzBA7jlJ8++vliZWE8Xl 2aHk1dE/rZPpQCSPdoKBTz3bRv+AWmVxvLF19aenhGhWSjjqcoxb3aAvuuOZ+4e5 fMD+O73L2Vx3wsCU/QIqVjFhioNvYERREJaexBIy2p3nvuVXM9cB7DpsQ3EMwYyl 20B7o06b4C6vkgxJCf9CTOqnqB+1WsbQmP1YnqywjVsUUk+eVEkZQfmb8ZMiOyB9 pNMyVY7dDgtLE9cySpuTnmceYMg4KRIxNIptFqoZZ9RTxHfUSuzq1mO/yISACqvI 2EklDNyN5SA= =HzQe -----END PGP SIGNATURE-----