Updated qpid-cpp packages that fix multiple security issues and one bug are now available for Red Hat Enterprise MRG Messaging 2.5 for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, reliability, interoperability, and faster computing for enterprise customers.

The Qpid packages provide a message broker daemon that receives, stores and routes messages using the open AMQP messaging protocol along with run-time libraries for AMQP client applications developed using Qpid C++. Clients exchange messages with an AMQP message broker using the AMQP protocol.

It was discovered that the Qpid daemon (qpidd) did not restrict access to anonymous users when the ANONYMOUS mechanism was disallowed. (CVE-2015-0223)

Multiple flaws were found in the way the Qpid daemon (qpidd) processed certain protocol sequences. An unauthenticated attacker able to send a specially crafted protocol sequence set could use these flaws to crash qpidd. (CVE-2015-0203, CVE-2015-0224)

Red Hat would like to thank the Apache Software Foundation for reporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev from MWR Labs as the original reporter.

This update also fixes the following bug:

* Prior to this update, because message purging was performed on a timer thread, large purge events could have caused all other timer tasks to be delayed. Because heartbeats were also driven by a timer on this thread, this could have resulted in clients timing out because they were not receiving heartbeats. The fix moves expired message purging from the timer thread to a worker thread, which allows long-running expired message purges to not affect timer tasks such as the heartbeat timer. (BZ#1142833)

All users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages, which correct these issues.

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 5)

SRPMS:
qpid-cpp-mrg-0.18-38.el5_10.src.rpm
 
IA-32:
qpid-cpp-client-0.18-38.el5_10.i386.rpm
qpid-cpp-client-devel-0.18-38.el5_10.i386.rpm
qpid-cpp-client-devel-docs-0.18-38.el5_10.i386.rpm
qpid-cpp-client-rdma-0.18-38.el5_10.i386.rpm
qpid-cpp-client-ssl-0.18-38.el5_10.i386.rpm
qpid-cpp-server-0.18-38.el5_10.i386.rpm
qpid-cpp-server-cluster-0.18-38.el5_10.i386.rpm
qpid-cpp-server-devel-0.18-38.el5_10.i386.rpm
qpid-cpp-server-rdma-0.18-38.el5_10.i386.rpm
qpid-cpp-server-ssl-0.18-38.el5_10.i386.rpm
qpid-cpp-server-store-0.18-38.el5_10.i386.rpm
qpid-cpp-server-xml-0.18-38.el5_10.i386.rpm
 
x86_64:
qpid-cpp-client-0.18-38.el5_10.x86_64.rpm
qpid-cpp-client-devel-0.18-38.el5_10.x86_64.rpm
qpid-cpp-client-devel-docs-0.18-38.el5_10.x86_64.rpm
qpid-cpp-client-rdma-0.18-38.el5_10.x86_64.rpm
qpid-cpp-client-ssl-0.18-38.el5_10.x86_64.rpm
qpid-cpp-server-0.18-38.el5_10.x86_64.rpm
qpid-cpp-server-cluster-0.18-38.el5_10.x86_64.rpm
qpid-cpp-server-devel-0.18-38.el5_10.x86_64.rpm
qpid-cpp-server-rdma-0.18-38.el5_10.x86_64.rpm
qpid-cpp-server-ssl-0.18-38.el5_10.x86_64.rpm
qpid-cpp-server-store-0.18-38.el5_10.x86_64.rpm
qpid-cpp-server-xml-0.18-38.el5_10.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
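
One way to check a host against the fixed build listed above (an added example, not part of the Red Hat advisory). It assumes input lines in the form produced by rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'; the sample lines are constructed, and the comparison is a simplified form of rpm's version ordering that ignores epochs and '~'.

```python
import re

# Fixed build taken from the package names in this advisory.
FIXED_VERSION, FIXED_RELEASE = "0.18", "38.el5_10"

_SEGMENT = re.compile(r"\d+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpm-style comparison: returns -1, 0 or 1.

    Strings are split into numeric and alphabetic segments; numeric
    segments compare as integers, so '9' sorts before '38'.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def outdated(lines):
    """Return names of qpid-cpp packages older than the fixed build."""
    stale = []
    for line in lines:
        name, version, release = line.split()
        if not name.startswith("qpid-cpp-"):
            continue
        order = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
        if order < 0:
            stale.append(name)
    return stale


# Constructed sample of "NAME VERSION RELEASE" lines (not real host output).
SAMPLE = [
    "qpid-cpp-client 0.18 35.el5_10",
    "qpid-cpp-server 0.18 38.el5_10",
    "qpid-cpp-server-ssl 0.18 9.el5",
    "qpid-cpp-server-store 0.18 38.el5_10",
    "openssl 0.9.8e 27.el5_10",
]

if __name__ == "__main__":
    for pkg in outdated(SAMPLE):
        print(f"{pkg}: older than {FIXED_VERSION}-{FIXED_RELEASE}, update required")
```
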
1181721 – CVE-2015-0203 qpid-cpp: 3 qpidd DoS issues in AMQP 0-10 protocol handling
1186302 – CVE-2015-0224 qpid-cpp: AMQP 0-10 protocol sequence-set maximal range DoS (incomplete CVE-2015-0203 fix)
1186308 – CVE-2015-0223 qpid-cpp: anonymous access to qpidd cannot be prevented
1191757 – MRG-M 2.5.13 RHEL-5 errata placeholder

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
