Repository: qpid-site
Updated Branches:
  refs/heads/asf-site fa6be03d2 -> 79eb6b382


dedicated security pages


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/022695bd
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/022695bd
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/022695bd

Branch: refs/heads/asf-site
Commit: 022695bd286dbce3620dda829635e3cd3c8fbc3f
Parents: fa6be03
Author: Lorenz Quack <[email protected]>
Authored: Mon May 30 09:02:07 2016 +0100
Committer: Lorenz Quack <[email protected]>
Committed: Wed Jun 1 11:23:53 2016 +0100

----------------------------------------------------------------------
 input/_transom_template.html                 |  3 +-
 input/components/cpp-broker/security.md      | 28 ++++++++
 input/components/dispatch-router/security.md | 28 ++++++++
 input/components/java-broker/security.md     | 34 ++++++++++
 input/components/jms/security-0-x.md         | 28 ++++++++
 input/components/jms/security-1.0.md         | 28 ++++++++
 input/components/messaging-api/security.md   | 28 ++++++++
 input/index.html.in                          |  2 +-
 input/proton/security.md                     | 28 ++++++++
 input/security.md                            | 81 +++++++++++++++++++++++
 input/site.js                                | 11 +++
 11 files changed, 297 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/_transom_template.html
----------------------------------------------------------------------
diff --git a/input/_transom_template.html b/input/_transom_template.html
index a232be7..71aa813 100644
--- a/input/_transom_template.html
+++ b/input/_transom_template.html
@@ -28,6 +28,7 @@
     <link rel="stylesheet" href="{{site_url}}/deferred.css" type="text/css" 
defer="defer"/>
     <script type="text/javascript">var _deferredFunctions = [];</script>
     <script type="text/javascript" src="{{site_url}}/deferred.js" 
defer="defer"></script>
+    <script type="text/javascript" src="{{site_url}}/site.js" 
defer="defer"></script>
     <!--[if lte IE 8]>
       <link rel="stylesheet" href="{{site_url}}/ie.css" type="text/css"/>
       <script type="text/javascript" src="{{site_url}}/html5shiv.js"></script>
@@ -123,7 +124,7 @@ 
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
             <li><a href="http://www.apache.org/licenses/";>License</a></li>
             <li><a 
href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
             <li><a 
href="http://www.apache.org/foundation/thanks.html";>Thanks!</a></li>
-            <li><a href="http://www.apache.org/security/";>Security</a></li>
+            <li><a href="{{site_url}}/security.html">Security</a></li>
             <li><a href="http://www.apache.org/";><img id="-apache-feather" 
width="48" height="14" src="" alt="Apache"/></a></li>
           </ul>
 

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/cpp-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/cpp-broker/security.md 
b/input/components/cpp-broker/security.md
new file mode 100644
index 0000000..1ec9682
--- /dev/null
+++ b/input/components/cpp-broker/security.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## C++ Broker
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/dispatch-router/security.md
----------------------------------------------------------------------
diff --git a/input/components/dispatch-router/security.md 
b/input/components/dispatch-router/security.md
new file mode 100644
index 0000000..3043c11
--- /dev/null
+++ b/input/components/dispatch-router/security.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Dispatch Router
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/java-broker/security.md
----------------------------------------------------------------------
diff --git a/input/components/java-broker/security.md 
b/input/components/java-broker/security.md
new file mode 100644
index 0000000..f09e819
--- /dev/null
+++ b/input/components/java-broker/security.md
@@ -0,0 +1,34 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Java Broker
+
+### CVEs
+
+| CVE-ID        | Severity  | Fixed&nbsp;in&nbsp;Version | Description |
+| ------------- |:---------:|:-----------------|:------------|
+| CVE-2016-3094 | Important | 6.0.3            | Denial of Service.  <a 
id="CVE_2016_3094_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2016_3094_details', 
controlId:'CVE_2016_3094_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a><div 
style="display:none;" id="CVE_2016_3094_details"><p>Versions Affected: Qpid 
Java Broker versions 6.0.0, 6.0.1, and 6.0.2</p><p>Description: A malformed 
authentication attempt may cause the broker to terminate.  The Qpid Java Broker 
supports a number of configurable authentication providers each supporting 
various SASL mechanisms. Some mechanisms need (or can be configured to accept) 
plain-text passwords being sent to the Broker (using the SASL "PLAIN" 
mechanism).  Where the broker has been configured to allow plain-text passwords 
for authentication it is possible for a client to send a malformed 
authentication attempt which will lead the broker to terminate due to an unca
 ught Exception.<br/>Brokers configured to use authentication from the 
"PlainPasswordFile", "SimpleLDAP", or "Base64MD5PasswordFile" providers are 
vulnerable if the "PLAIN" mechanism is enabled (by default "PLAIN" will be 
disabled on non-TLS ports, but enabled on TLS connections).</p>Mitigation: 
Users should upgrade their Qpid Java Broker to version 6.0.3 or later.  If this 
is not possible, users can disable the PLAIN mechanism for their authentication 
manager on versions 0.32 and later by adding "PLAIN" to the list of 
disabledMechanisms on their authentication provider object.<br/>Note that the 
SimpleLDAP authentication provider requires PLAIN and so this work around does 
not apply there.</p><p>Credit: This issue was discovered by Alex Szczuczko of 
Red Hat, Inc.</p><p>References: <a 
href="https://issues.apache.org/jira/browse/QPID-7271";>https://issues.apache.org/jira/browse/QPID-7271</a></p></div>
 |
+| CVE-2016-4432 | Important | 6.0.3 | Authentication Bypass. <a 
id="CVE_2016_4432_details_toggle" 
href="javascript:toggleDiv({divId:'CVE_2016_4432_details', 
controlId:'CVE_2016_4432_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a><div 
style="display:none;" id="CVE_2016_4432_details"><p>Versions Affected: Qpid 
Java Broker versions 6.0.2 and earlier</p><p>Description: The code responsible 
for handling incoming AMQP 0-8, 0-9, 0-91, and 0-10 connections contains a flaw 
that allows authentication to be bypassed.  An remote attacker can exploit this 
vulnerability to perform actions, without the need to specify valid 
credentials.  For instance, unauthorised messages could be injected or messages 
stolen.<br/>The vulnerability cannot be exploited if the Access Control List 
(ACL) feature is enabled AND access to all virtual hosts controlled.<br/>The 
vulnerability does not apply to the Broker's AMQP 1.0 support.<br/>The 
 vulnerability does not apply if the Broker is configured to require SSL client 
authentication for all messaging connections.</p><p>Resolution: Users should 
upgrade the Qpid Java Broker to version 6.0.3 or later 
(recommended).</p><p>Mitigation: If upgrading is not possible, the 
vulnerability can be mitigated using an ACL file containing "ACCESS 
VIRTUALHOST" clauses that white-lists user access to all virtualhosts.<br/>If 
AMQP 0-8, 0-9, 0-91, and 0-10 support is not required, the vulnerability can 
also be mitigated by turning off these protocols at the Port 
level.</p><p>References: <a 
href="https://issues.apache.org/jira/browse/QPID-7257";>https://issues.apache.org/jira/browse/QPID-7257</a></p></div>
 |
+
+
+</section>
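Review bot: The mitigation paragraph in the CVE-2016-3094 details div is never opened: the text `</p>Mitigation: Users should upgrade their Qpid Java Broker ...` closes the description paragraph and then runs bare until the `</p>` that precedes `<p>Credit:`, so the div ends up with one more closing than opening `<p>` tag and browsers will repair the tree inconsistently; change it to `</p><p>Mitigation: Users should upgrade their Qpid Java Broker to version 6.0.3 or later.`. In the CVE-2016-4432 row, `An remote attacker` should read `A remote attacker`. The same table layout is used for both rows, so a single `<p>`-per-field convention (Versions Affected, Description, Resolution, Mitigation, Credit, References) would keep future rows consistent.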

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/jms/security-0-x.md
----------------------------------------------------------------------
diff --git a/input/components/jms/security-0-x.md 
b/input/components/jms/security-0-x.md
new file mode 100644
index 0000000..ab9a94f
--- /dev/null
+++ b/input/components/jms/security-0-x.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## JMS Client (AMQP 0-8, 0-9, 0-9-1, 0-10)
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/jms/security-1.0.md
----------------------------------------------------------------------
diff --git a/input/components/jms/security-1.0.md 
b/input/components/jms/security-1.0.md
new file mode 100644
index 0000000..12e8c74
--- /dev/null
+++ b/input/components/jms/security-1.0.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## JMS Client (AMQP 1.0)
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/components/messaging-api/security.md
----------------------------------------------------------------------
diff --git a/input/components/messaging-api/security.md 
b/input/components/messaging-api/security.md
new file mode 100644
index 0000000..e36ad46
--- /dev/null
+++ b/input/components/messaging-api/security.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Messaging API
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/index.html.in
----------------------------------------------------------------------
diff --git a/input/index.html.in b/input/index.html.in
index c9d6578..33f3cc5 100644
--- a/input/index.html.in
+++ b/input/index.html.in
@@ -57,7 +57,6 @@
       <li><a href="http://www.apache.org/licenses/";>License</a></li>
       <li><a 
href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
       <li><a 
href="http://www.apache.org/foundation/thanks.html";>Thanks!</a></li>
-      <li><a href="http://www.apache.org/security/";>Security</a></li>
     </ul>
   </section>
 
@@ -70,6 +69,7 @@
       <li><a href="{{site_url}}/discussion.html">Discussion</a></li>
       <li><a href="{{site_url}}/components/index.html">Components</a></li>
       <li><a href="{{site_url}}/releases/index.html">Releases</a></li>
+      <li><a href="{{site_url}}/security.html">Security</a></li>
       <li><a href="{{site_url}}/resources.html">More resources</a></li>
     </ul>
   </section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/proton/security.md
----------------------------------------------------------------------
diff --git a/input/proton/security.md b/input/proton/security.md
new file mode 100644
index 0000000..4f4179a
--- /dev/null
+++ b/input/proton/security.md
@@ -0,0 +1,28 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Proton
+
+TBD
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/security.md
----------------------------------------------------------------------
diff --git a/input/security.md b/input/security.md
new file mode 100644
index 0000000..26038f4
--- /dev/null
+++ b/input/security.md
@@ -0,0 +1,81 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;; 
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;; 
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security
+
+<section markdown="1">
+
+## Security Updates
+
+Lists of security problems fixed in released versions of the Apache
+Qpid are available for each Component separately:
+
+<div class="flex" markdown="1">
+<section markdown="1">
+
+ - [Java Broker]({{site_url}}/components/java-broker/security.html)
+ - [C++ Broker]({{site_url}}/components/cpp-broker/security.html)
+ - [Dispatch Router]({{site_url}}/components/dispatch-router/security.html)
+
+</section>
+<section markdown="1">
+
+ - [Proton]({{site_url}}/proton/security.html)
+ - [JMS Client (AMQP 1.0)]({{site_url}}/components/jms/security-1.0.html)
+ - [JMS Client (AMQP 0.x)]({{site_url}}/components/jms/security-0-x.html)
+ - [Messaging API]({{site_url}}/components/messaging-api/security.html)
+
+</section>
+</div>
+ 
+</section>
+<section markdown="1">
+
+## Reporting New Security Problems with Apache Qpid
+
+We take a very active stance in eliminating security problems and
+denial of service attacks against Apache Qpid.
+
+We strongly encourage folks to report such problems to the private
+security mailing list of the ASF Security Team, before disclosing them
+in a public forum.
+
+Please see the page of the [ASF Security
+Team](https://www.apache.org/security/) for further information and
+contact information.
+
+The ASF Security Team cannot accept regular bug reports or other
+queries, we ask that you use our [bug reporting
+page]({{site_url}}/issues.html) for those.
+
+All mail sent to the ASF Security Team that does not relate to
+security problems in Apache software will be ignored.
+
+Questions about:
+
+ - how to configure Qpid securely
+ - if a vulnerability applies to your particular application
+ - obtaining further information on a published vulnerability
+ - availability of patches and/or new releases
+
+should be addressed to the users mailing list. Please see the [mailing
+lists page]({{site_url}}/discussion.html) for details of how to
+subscribe.
+
+</section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/022695bd/input/site.js
----------------------------------------------------------------------
diff --git a/input/site.js b/input/site.js
index e69de29..c4417ff 100644
--- a/input/site.js
+++ b/input/site.js
@@ -0,0 +1,11 @@
+function toggleDiv(toggleInfo) {
+    var div=document.getElementById(toggleInfo.divId);
+    var control=document.getElementById(toggleInfo.controlId);
+    if (div.style.display !== 'none') {
+       div.style.display = 'none';
+       control.innerHTML = toggleInfo.showMore;
+    } else {
+       div.style.display = 'block';
+       control.innerHTML = toggleInfo.showLess;
+    }
+}
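Review bot: toggleDiv dereferences both getElementById results without checking them, so any mismatch between the `divId`/`controlId` values written into a `javascript:` href and the ids in the page throws a TypeError on click instead of failing quietly; at minimum add `if (!div || !control) { return; }` after line 514. More broadly, the function is only reachable through `href="javascript:toggleDiv({...})"` links in input/components/java-broker/security.md, which means the page carries inline script (incompatible with a Content-Security-Policy that omits 'unsafe-inline'), uses a link for an in-page action, and exposes no expanded/collapsed state to assistive technology. Binding the handler from site.js to controls marked with a data attribute, and tracking state with `hidden` and `aria-expanded`, removes both the inline script and the global. The sketch below replaces toggleDiv and would be paired with turning each toggle link into `<button type="button" data-toggle-target="CVE_2016_3094_details" aria-expanded="false">show more</button>` and starting each details div with the `hidden` attribute instead of `style="display:none;"`.
```javascript
// Binds every "show more" control once the DOM is parsed. A control carries
// data-toggle-target="<id of the details element>"; the details element
// starts out with the `hidden` attribute.
document.addEventListener('DOMContentLoaded', function () {
    var controls = document.querySelectorAll('[data-toggle-target]');
    for (var i = 0; i < controls.length; i++) {
        controls[i].addEventListener('click', function (event) {
            var control = event.currentTarget;
            var target = document.getElementById(control.getAttribute('data-toggle-target'));
            if (!target) {
                return; // ids in the markup disagree; do nothing rather than throw
            }
            var expanded = control.getAttribute('aria-expanded') === 'true';
            target.hidden = expanded;
            control.setAttribute('aria-expanded', String(!expanded));
            control.textContent = expanded ? 'show more' : 'show less';
        });
    }
});
```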

