Red Hat Security Advisory 2020-0601-01 - Red Hat AMQ Clients enable connecting, sending, and receiving messages over the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7. This update provides various bug fixes and enhancements in addition to the client package versions previously released on Red Hat Enterprise Linux 6, 7, and 8.
8d43dd0822bbae7d88d811021e172eed30df934e109bf667724da9e33aa4290a-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: AMQ Clients 2.6.0 Release
Advisory ID: RHSA-2020:0601-01
Product: Red Hat AMQ Clients
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0601
Issue date: 2020-02-25
CVE Names: CVE-2019-20444 CVE-2019-20445 CVE-2020-7238
=====================================================================
1. Summary:
An update is now available for Red Hat AMQ Clients 2.6.0. Red Hat Product
Security has rated this update as having a security impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
2. Relevant releases/architectures:
6Client-AMQ-Clients-2 - i386, noarch, x86_64
6ComputeNode-AMQ-Clients-2 - noarch, x86_64
6Server-AMQ-Clients-2 - i386, noarch, x86_64
6Workstation-AMQ-Clients-2 - i386, noarch, x86_64
7Client-AMQ-Clients-2 - noarch, x86_64
7ComputeNode-AMQ-Clients-2 - noarch, x86_64
7Server-AMQ-Clients-2 - noarch, x86_64
7Workstation-AMQ-Clients-2 - noarch, x86_64
8Base-AMQ-Clients-2 - noarch, x86_64
3. Description:
Red Hat AMQ Clients enable connecting, sending, and receiving messages over
the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7.
This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 6,
7, and 8.
Security Fix(es):
* netty: HTTP request smuggling (CVE-2019-20444)
* netty: HttpObjectDecoder.java allows Content-Length header to accompanied
by second Content-Length header (CVE-2019-20445)
* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace
mishandling (CVE-2020-7238)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
1798524 - CVE-2019-20444 netty: HTTP request smuggling
6. JIRA issues fixed (https://issues.jboss.org/):
ENTMQCL-1075 - [python] Example broker.py is using collections.deque.count from Python 2.7
ENTMQCL-1076 - [python] Example abstract_server.py is using relative import
ENTMQCL-1246 - [python] Install egg-info directory
ENTMQCL-1287 - [python] Read a config file to get default connection parameters (Windows)
ENTMQCL-1322 - amqpnetlite-sdk-2.1.6 does not export resource strings
ENTMQCL-1361 - [python] Convert strings in the API to AMQP symbols where required
ENTMQCL-1364 - [python] P2P detach frame not received results in connection aborted
ENTMQCL-1578 - [python] qpid-proton-0.28.0-1.el7 leaks memory
ENTMQCL-1583 - [doc] Broken links in rh-messaging/amq-docs master
ENTMQCL-1635 - [javascript] File-based connection configuration can't use named ports
ENTMQCL-1641 - [dotnet] Update AMQ .NET Client based on amqpnetlite 2.2
ENTMQCL-1679 - [python] HOME location of file-based connection configuration does not point to HOME location
ENTMQCL-1717 - [python] Default port should be amqps
ENTMQCL-1726 - [jms] Improve performance when using simulated anonymous producers
ENTMQCL-1781 - Established connections are aborted after the system clock is shifted forward
ENTMQCL-1818 - [javascript] npm install fails due to missing configuration file for ESLint
ENTMQCL-1835 - [jms] client-ack consumers don't increment remote delivery count on closure after fresh recover
7. Package List:
6Client-AMQ-Clients-2:
Source:
qpid-proton-0.30.0-4.el6_10.src.rpm
i386:
python-qpid-proton-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm
noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm
x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm
6ComputeNode-AMQ-Clients-2:
Source:
qpid-proton-0.30.0-4.el6_10.src.rpm
noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm
x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm
6Server-AMQ-Clients-2:
Source:
qpid-proton-0.30.0-4.el6_10.src.rpm
i386:
python-qpid-proton-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm
noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm
x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm
6Workstation-AMQ-Clients-2:
Source:
qpid-proton-0.30.0-4.el6_10.src.rpm
i386:
python-qpid-proton-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm
noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm
x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm
7Client-AMQ-Clients-2:
Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm
noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm
x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm
7ComputeNode-AMQ-Clients-2:
Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm
noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm
x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm
7Server-AMQ-Clients-2:
Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm
noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm
x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm
7Workstation-AMQ-Clients-2:
Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm
noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm
x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm
8Base-AMQ-Clients-2:
Source:
nodejs-rhea-1.0.16-1.el8.src.rpm
qpid-proton-0.30.0-3.el8.src.rpm
rubygem-qpid_proton-0.30.0-1.el8.src.rpm
noarch:
nodejs-rhea-1.0.16-1.el8.noarch.rpm
python-qpid-proton-docs-0.30.0-3.el8.noarch.rpm
qpid-proton-c-docs-0.30.0-3.el8.noarch.rpm
qpid-proton-cpp-docs-0.30.0-3.el8.noarch.rpm
qpid-proton-tests-0.30.0-3.el8.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el8.noarch.rpm
x86_64:
python3-qpid-proton-0.30.0-3.el8.x86_64.rpm
python3-qpid-proton-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-c-0.30.0-3.el8.x86_64.rpm
qpid-proton-c-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-c-devel-0.30.0-3.el8.x86_64.rpm
qpid-proton-cpp-0.30.0-3.el8.x86_64.rpm
qpid-proton-cpp-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-3.el8.x86_64.rpm
qpid-proton-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-debugsource-0.30.0-3.el8.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el8.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
8. References:
https://access.redhat.com/security/cve/CVE-2019-20444
https://access.redhat.com/security/cve/CVE-2019-20445
https://access.redhat.com/security/cve/CVE-2020-7238
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_amq/
9. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXlU9u9zjgjWX9erEAQjJRg/9EWdSUKhNIQBO7WFXvi/PO/2ebxBePbDH
l0mUNYaOeKyLJvSDLdE8OY25r1zdG6ZgrZLsiPUV31MLlyqXIUXPpFaylv74yZDy
/oP8HnhaHQ29/RhooT5QLxqyCF7f4Bh+1C8VrrwSVKVvlt0Nwz3pC2uZudD6qv8r
juZ8qNjWaQrD5RjWNKljRIzP/VWTU+9GTpACHmK5aTzcN+IgwSP+xJ9oIxnCvjNZ
OhEPTnbYwVA645klWUpFKlj/eFIPSVl3/LTY3F5U1RPlU8qAGIBqPS6gUJSvFg5i
HPOSa0yhFYD7jnPOR4SC24+/eLJaroP+GmnujWGSR10wnE4UZzoFtaw1OJblMdPt
8Ucs5Y0h7KBZwirSLVKEn8hW92cb3IjnCWde4aZjg46fbXrpeGi0tCtE+gh3shUC
3EBEtgU3/I3FoakQty7ePe6YHfFN3+u8Z3TsIQ9GJUCtZj/eeQyqGKLFgAncA6O6
cfZTDMzDU36snL11T8hAcVi2AKoJTxkbqzKy/A28xT11FYrGAGkATsb7mH16CRb9
zFmcsOEdNYBnh7r6QIeJmo0dyFLvAHUfjTabYqimPqABqhvjPeWc2OH5wXuyxV7l
nHSLM62VhwLcRF5AAvxaNL+QE1B0GUH69Bhqn++0iTVoop0vluvE0DS5T4Gu0AYQ
ZlNPuesCwnc=
=ypok
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed