Updated qpid-cpp packages that fix multiple security issues and one bug arenow available for Red Hat Enterprise MRG Messaging 2.5 for Red HatEnterprise Linux 6.Red Hat Product Security has rated this update as having Moderate securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generationIT infrastructure for enterprise computing. MRG offers increasedperformance, reliability, interoperability, and faster computing forenterprise customers.The Qpid packages provide a message broker daemon that receives, stores androutes messages using the open AMQP messaging protocol along with run-timelibraries for AMQP client applications developed using Qpid C++. Clientsexchange messages with an AMQP message broker using the AMQP protocol.It was discovered that the Qpid daemon (qpidd) did not restrict access toanonymous users when the ANONYMOUS mechanism was disallowed.(CVE-2015-0223)Multiple flaws were found in the way the Qpid daemon (qpidd) processedcertain protocol sequences. An unauthenticated attacker able to send aspecially crafted protocol sequence set could use these flaws to crashqpidd. (CVE-2015-0203, CVE-2015-0224)Red Hat would like to thank the Apache Software Foundation for reportingthe CVE-2015-0203 issue. Upstream acknowledges G. Geshev from MWR Labs asthe original reporter.This update also fixes the following bug:* Prior to this update, because message purging was performed on a timerthread, large purge events could have caused all other timer tasks to bedelayed. Because heartbeats were also driven by a timer on this thread,this could have resulted in clients timing out because they were notreceiving heartbeats. The fix moves expired message purging from the timerthread to a worker thread, which allow long-running expired message purgesto not affect timer tasks such as the heartbeat timer. (BZ#1142833)All users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat EnterpriseLinux 6 are advised to upgrade to these updated packages, which correctthese issues.
Before applying this update, make sure all previously released erratarelevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)

SRPMS:
qpid-cpp-0.18-38.el6.src.rpm
    MD5: 17695c1c17ac573831aa05fb602219beSHA-256: 7c2f5b19ddba7ac35eda60a8599504b6edfcb4230782bc31a1d4aa50d45a953f
 
IA-32:
qpid-cpp-client-0.18-38.el6.i686.rpm
    MD5: 2ff5180e327f0abcf18700f86436fa59SHA-256: 8b1b4fbc053bf9c08d725ea57fecdc19fa55685be5bd608ab7e7f5bde5afb443
qpid-cpp-client-devel-0.18-38.el6.i686.rpm
    MD5: 5052be1953d2915eb5fc303643c578c2SHA-256: e4d0765ea5f89467ee51d0e239f2e6e3af38fbe57a19e97f8c0e1f0dbc9d78cd
qpid-cpp-client-devel-docs-0.18-38.el6.noarch.rpm
    MD5: 1823032b5a246aadc42c3bba63d61b73SHA-256: 0492d61d3596374e0fb6c0caacb08f87636334d3539fa745999bddbaeeec6658
qpid-cpp-client-rdma-0.18-38.el6.i686.rpm
    MD5: 15cb84bea06d59436942a0489d3a604aSHA-256: 8e59dbbee31aa7f3d200a74cd0202511853a9cb3205dc1318eb230ec158ba737
qpid-cpp-client-ssl-0.18-38.el6.i686.rpm
    MD5: 41bd4ade01ebc8aa931fd4463232fc03SHA-256: b4461d56f5cb67846914e55e236e91b1e513be381f8d25b9ddfbaabc2f6843dc
qpid-cpp-debuginfo-0.18-38.el6.i686.rpm
    MD5: d062840852bd7fc4259aac963d7809beSHA-256: 94a9700a6a02d086a6e19f1b42e496ba552e21af39c1eda04b58776109cdf259
qpid-cpp-server-0.18-38.el6.i686.rpm
    MD5: feda8244162c991eb50da62576d5cff9SHA-256: f8b0c6ec183cfbc587637ffd241c7dd81ed78d5637f90b3399fd9d55019f0b99
qpid-cpp-server-cluster-0.18-38.el6.i686.rpm
    MD5: ec7ae60c52728dd172f586f762420196SHA-256: 3b3cf505723dbc1de5f55ffda55a6097d11555b64f2956ae4ce6f2ffa42b414f
qpid-cpp-server-devel-0.18-38.el6.i686.rpm
    MD5: 1959ea06104d8727dfa25692d31c1622SHA-256: eff1ae35ca7e233c5aab926b0b5f6e24777338fdd3072f54312401bfd1e7f559
qpid-cpp-server-rdma-0.18-38.el6.i686.rpm
    MD5: 6a685f76b771244c31a01b5571b089ebSHA-256: b0e6920f9c1b3f62da64a6b6060d8cac082de9356713d1909618bb4789cbedbd
qpid-cpp-server-ssl-0.18-38.el6.i686.rpm
    MD5: 6ffc4a43009a83e6c70e588b7759455cSHA-256: a6584131f318d2ce3acea82c9f4b1ad83d8245270ba4923c9cbd705d616eff97
qpid-cpp-server-store-0.18-38.el6.i686.rpm
    MD5: ab1cfed0ea1013e16cb7191ca05275d0SHA-256: 889eb647a80a1263f93c21e6c46d7bf54d3d6d3f0da78a70f2ae7c7cf44cb290
qpid-cpp-server-xml-0.18-38.el6.i686.rpm
    MD5: 2ed4defddb57c0969789fcaa07bef999SHA-256: b1ca2e8fd7f194fa1773c7a9a9ab7ed7e3e1d13a43161fc3d43fe2882b1a8331
 
x86_64:
qpid-cpp-client-0.18-38.el6.i686.rpm
    MD5: 2ff5180e327f0abcf18700f86436fa59SHA-256: 8b1b4fbc053bf9c08d725ea57fecdc19fa55685be5bd608ab7e7f5bde5afb443
qpid-cpp-client-0.18-38.el6.x86_64.rpm
    MD5: b637da50ce4b038b1ce5ddff53ab17d9SHA-256: 72bce053b28665818295f28355dcb8a6420b69cb7a8c0a2c3e229518da6472d3
qpid-cpp-client-devel-0.18-38.el6.x86_64.rpm
    MD5: a5ca31cd2e69c8c0d1e1a800058cac42SHA-256: 90bdffbaba12116bf637b1d0e825ddabc98baf3b4855b4ed8d8d7c9a803b4a1c
qpid-cpp-client-devel-docs-0.18-38.el6.noarch.rpm
    MD5: 1823032b5a246aadc42c3bba63d61b73SHA-256: 0492d61d3596374e0fb6c0caacb08f87636334d3539fa745999bddbaeeec6658
qpid-cpp-client-rdma-0.18-38.el6.x86_64.rpm
    MD5: 0c41858c73de197763805b23adff6be5SHA-256: 47cbb6f7289df4588ad5dd068978d0038e3b3248b1364cbb1b98fa1d793ad49f
qpid-cpp-client-ssl-0.18-38.el6.i686.rpm
    MD5: 41bd4ade01ebc8aa931fd4463232fc03SHA-256: b4461d56f5cb67846914e55e236e91b1e513be381f8d25b9ddfbaabc2f6843dc
qpid-cpp-client-ssl-0.18-38.el6.x86_64.rpm
    MD5: 690bafe9fb534600dd6eb40be3af049bSHA-256: 14ea170d9d0c952802eb2aae90d8567303029529648ef928ab348d0a1a01e8ab
qpid-cpp-debuginfo-0.18-38.el6.i686.rpm
    MD5: d062840852bd7fc4259aac963d7809beSHA-256: 94a9700a6a02d086a6e19f1b42e496ba552e21af39c1eda04b58776109cdf259
qpid-cpp-debuginfo-0.18-38.el6.x86_64.rpm
    MD5: 0fcc9fdca9975b7d7e8a5ebc9626ff37SHA-256: 712df24839cdb15569d190111e4f9f99f7257d7aaec8dd28a8b8c704e4768c1c
qpid-cpp-server-0.18-38.el6.i686.rpm
    MD5: feda8244162c991eb50da62576d5cff9SHA-256: f8b0c6ec183cfbc587637ffd241c7dd81ed78d5637f90b3399fd9d55019f0b99
qpid-cpp-server-0.18-38.el6.x86_64.rpm
    MD5: 5429f9d420eb4b13972a02b38bbae7b3SHA-256: cd8932acba6deaf3ffcfe4fb8723a93f0086f60d6ee200a027d48788c9044b9b
qpid-cpp-server-cluster-0.18-38.el6.x86_64.rpm
    MD5: 6aa780b364524f1063a7a3352a133d9bSHA-256: 2a3714b85ad69e5cfb2b943570422434198b32414058bb57cd0316546d6ab853
qpid-cpp-server-devel-0.18-38.el6.x86_64.rpm
    MD5: 4f9be4031b39df5353cd1f3bfe42377eSHA-256: 663246ba4cb36676ccd223a5b298b32920145c5fbdef8f74ccfbaad8f156334b
qpid-cpp-server-rdma-0.18-38.el6.x86_64.rpm
    MD5: 9a642842eba24b16c920f41488748bd4SHA-256: 3c71feb7177bc7c38d1d45dae2e52a95be6640d6fe8228453bba55be0982d4d9
qpid-cpp-server-ssl-0.18-38.el6.x86_64.rpm
    MD5: a8996350c0c92dfbb9b4fcb701b80a09SHA-256: e087fbfbebcec3496ad849922b60f9f966e4559141f988dfa9ed8f24edf06d3f
qpid-cpp-server-store-0.18-38.el6.x86_64.rpm
    MD5: 3a181a06ee4d16475e2d0578e29797c4SHA-256: 613414fc8cbd775f5000007b5ad8b899d75b668be6750119f41f24aaa201441b
qpid-cpp-server-xml-0.18-38.el6.x86_64.rpm
    MD5: bdcca399589680d9c0c25310a1e1a083SHA-256: 497b4db40c714fa8723b9bce276a655d50ed6dc5d5463baab2095c5d5e5dd331
 
(The unlinked packages above are only available from the Red Hat Network)
1142833 – Purging TTL expired messages blocks all other timers, causing connection drops1181721 – CVE-2015-0203 qpid-cpp: 3 qpidd DoS issues in AMQP 0-10 protocol handling1186302 – CVE-2015-0224 qpid-cpp: AMQP 0-10 protocol sequence-set maximal range DoS (incomplete CVE-2015-0203 fix)1186308 – CVE-2015-0223 qpid-cpp: anonymous access to qpidd cannot be prevented

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:

Leave a Reply