Add Proton CVE and remove security pages from components that have no CVEs as 
per Robbie's review comments


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/686c59e5
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/686c59e5
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/686c59e5

Branch: refs/heads/asf-site
Commit: 686c59e504d11380369bc4ad77d4958abe468242
Parents: d137278
Author: Lorenz Quack <[email protected]>
Authored: Mon Jun 6 14:59:20 2016 +0100
Committer: Lorenz Quack <[email protected]>
Committed: Mon Jun 6 14:59:20 2016 +0100

----------------------------------------------------------------------
 input/proton/security.md | 55 ++++++++++++++++++++++++++++++++++++++++++-
 input/security.md        |  8 +++----
 2 files changed, 58 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/686c59e5/input/proton/security.md
----------------------------------------------------------------------
diff --git a/input/proton/security.md b/input/proton/security.md
index 4f4179a..e18ffb6 100644
--- a/input/proton/security.md
+++ b/input/proton/security.md
@@ -23,6 +23,59 @@
 
 ## Proton
 
-TBD
+<table>
+  <thead>
+    <tr>
+      
<th>CVE-ID</th><th>Severity</th><th>Affected&nbsp;Versions</th><th>Fixed&nbsp;in&nbsp;Versions</th><th>Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>CVE-2016-2166</td>
+      <td>Moderate</td>
+      <td>0.9 through 0.12.0 (inclusive)</td>
+      <td>0.12.1 and later</td>
+      <td>
+        Python bindings silently ignore request for amqps if SSL/TLS not 
supported. <a id="CVE_2016_2166_details_toggle" 
href="javascript:_toggleDiv({divId:'CVE_2016_2166_details', 
controlId:'CVE_2016_2166_details_toggle', showMore:'<small>show more</small>', 
showLess:'<small>show less</small>'});"><small>show more</small></a>
+        <div style="display:none;" id="CVE_2016_2166_details">
+          <p>Versions Affected: Apache Qpid Proton python API starting
+          at 0.9 up to and including version 0.12.0.</p>
+          <p>Description: Messaging applications using the Proton
+          Python API to provision an SSL/TLS encrypted TCP connection
+          may actually instantiate a non-encrypted connection without
+          notice if SSL support is unavailable.  This will result in
+          all messages being sent in the clear without the knowledge
+          of the user.<br/>  This issue affects those applications
+          that use the Proton Reactor Python API to create SSL/TLS
+          connections.  Specifically the proton.reactor.Connector,
+          proton.reactor.Container, and
+          proton.utils.BlockingConnection classes are vulnerable.
+          These classes can create an unencrypted connections if the
+          "amqps://" URL prefix is used.<br/>  The issue only occurs
+          if the installed Proton libraries do not support SSL.  This
+          would be the case if the libraries were built without SSL
+          support or the necessary SSL libraries are not present on
+          the system (e.g. OpenSSL in the case of *nix).<br/>  To
+          check whether or not the Python API provides SSL support,
+          use the following console command:<br/>python -c "import
+          proton; print('%s' % 'SSL present' if proton.SSL.present()
+          else 'SSL NOT AVAILBLE')"<br/>In addition, the issue can
+          only occur if both ends of the connection connect without
+          SSL.  This would be the case if the vulnerability is active
+          on both ends of the connection, or the non-affected endpoint
+          allows cleartext connections.</p>
+          <p>Resolution: Proton release 0.12.1 resolves this issue by
+          raising an SSLUnavailable exception when SSL is not
+          available and a SSL/TLS connection is requested via the
+          "amqps://" URL
+          prefix.<br/>A <a 
href="https://issues.apache.org/jira/browse/PROTON-1157";>patch</a>
+          is also available.</p>
+          <p>References: <a 
href="https://issues.apache.org/jira/browse/PROTON-1157";>PROTON-1157</a></p>
+         <p>Credit: This issue was discovered by M. Farrellee from Red Hat.</p>
+        </div>
+      </td>
+    </tr>
+  </tbody>
+</table>
 
 </section>
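Review bot: the SSL-presence console command in the hidden details block (`python -c "import proton; print('%s' % 'SSL present' if proton.SSL.present() else 'SSL NOT AVAILBLE')"`) misspells "AVAILBLE"; correct it to "AVAILABLE" before publishing, since readers will copy the command verbatim. Two smaller points in the same block: "These classes can create an unencrypted connections" should drop the trailing "s", and the two PROTON-1157 links as shown carry a stray `;` immediately after the closing quote of `href="..."`, which, if it is really in the committed file and not an artefact of the mail archive, will render as literal text beside each link. Finally, the "show more" toggle relies on a `javascript:` href calling `_toggleDiv(...)`; confirm that helper is loaded on the Proton security page, otherwise the CVE details stay permanently hidden behind `display:none`.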

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/686c59e5/input/security.md
----------------------------------------------------------------------
diff --git a/input/security.md b/input/security.md
index 26038f4..c2fa8f4 100644
--- a/input/security.md
+++ b/input/security.md
@@ -31,15 +31,15 @@ Qpid are available for each Component separately:
 
  - [Java Broker]({{site_url}}/components/java-broker/security.html)
  - [C++ Broker]({{site_url}}/components/cpp-broker/security.html)
- - [Dispatch Router]({{site_url}}/components/dispatch-router/security.html)
+;; - [Dispatch Router]({{site_url}}/components/dispatch-router/security.html)
 
 </section>
 <section markdown="1">
 
  - [Proton]({{site_url}}/proton/security.html)
- - [JMS Client (AMQP 1.0)]({{site_url}}/components/jms/security-1.0.html)
- - [JMS Client (AMQP 0.x)]({{site_url}}/components/jms/security-0-x.html)
- - [Messaging API]({{site_url}}/components/messaging-api/security.html)
+;; - [JMS Client (AMQP 1.0)]({{site_url}}/components/jms/security-1.0.html)
+;; - [JMS Client (AMQP 0.x)]({{site_url}}/components/jms/security-0-x.html)
+;; - [Messaging API]({{site_url}}/components/messaging-api/security.html)
 
 </section>
 </div>
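Review bot: the commit message says the security pages for components without CVEs are removed, but this hunk only prefixes the Dispatch Router, JMS Client (AMQP 1.0), JMS Client (AMQP 0.x) and Messaging API entries with `;;` rather than deleting them, so the target pages (e.g. `components/dispatch-router/security.html`) remain in the site and reachable by direct URL. Either delete the list entries and the pages they point to, or adjust the message to say the links are hidden for later re-enabling. Also confirm that the site generator treats a leading `;;` as a comment in this markdown; if it does not, these four lines will render as literal text inside the `<section markdown="1">` block.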

