LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

September 2012

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA September 2012

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Moderate: qpid on SL6.x i386/x86_64
From:	Pat Riehecky <[log in to unmask]>
Reply To:	Pat Riehecky <[log in to unmask]>
Date:	Thu, 20 Sep 2012 08:34:54 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (72 lines)

Synopsis:          Moderate: qpid security, bug fix, and enhancement update
Issue Date:        2012-09-19
CVE Numbers:       CVE-2012-2145

Apache Qpid is a reliable, cross-platform, asynchronous messaging system
that supports the Advanced Message Queuing Protocol (AMQP) in several
common programming languages.

It was discovered that the Qpid daemon (qpidd) did not allow the number of
connections from clients to be restricted. A malicious client could use
this flaw to open an excessive amount of connections, preventing other
legitimate clients from establishing a connection to qpidd. (CVE-2012-2145)

To address CVE-2012-2145, new qpidd configuration options were introduced:
max-negotiate-time defines the time during which initial protocol
negotiation must succeed, connection-limit-per-user and
connection-limit-per-ip can be used to limit the number of connections per
user and client host IP. Refer to the qpidd manual page for additional
details.

In addition, the qpid-cpp, qpid-qmf, qpid-tools, and python-qpid packages
have been upgraded to upstream version 0.14, which provides a number of bug
fixes and enhancements over the previous version.

All users of qpid are advised to upgrade to these updated packages, which
fix these issues and add these enhancements.

For dependency resolution saslwrapper, saslwrapper-devel, 
python-saslwrapper,
and ruby-saslwrapper have been added to this update

SL6
   x86_64
     python-qpid-qmf-0.14-14.el6_3.x86_64.rpm
     qpid-cpp-client-0.14-22.el6_3.i686.rpm
     qpid-cpp-client-0.14-22.el6_3.x86_64.rpm
     qpid-cpp-client-ssl-0.14-22.el6_3.i686.rpm
     qpid-cpp-client-ssl-0.14-22.el6_3.x86_64.rpm
     qpid-cpp-server-0.14-22.el6_3.i686.rpm
     qpid-cpp-server-0.14-22.el6_3.x86_64.rpm
     qpid-cpp-server-ssl-0.14-22.el6_3.x86_64.rpm
     qpid-qmf-0.14-14.el6_3.i686.rpm
     qpid-qmf-0.14-14.el6_3.x86_64.rpm
     ruby-qpid-qmf-0.14-14.el6_3.x86_64.rpm

     Dependencies:
     python-saslwrapper-0.14-1.el6.x86_64.rpm
     ruby-saslwrapper-0.14-1.el6.x86_64.rpm
     saslwrapper-0.14-1.el6.i686.rpm
     saslwrapper-0.14-1.el6.x86_64.rpm
     saslwrapper-devel-0.14-1.el6.i686.rpm
     saslwrapper-devel-0.14-1.el6.x86_64.rpm
   i386
     python-qpid-qmf-0.14-14.el6_3.i686.rpm
     qpid-cpp-client-0.14-22.el6_3.i686.rpm
     qpid-cpp-client-ssl-0.14-22.el6_3.i686.rpm
     qpid-cpp-server-0.14-22.el6_3.i686.rpm
     qpid-cpp-server-ssl-0.14-22.el6_3.i686.rpm
     qpid-qmf-0.14-14.el6_3.i686.rpm
     ruby-qpid-qmf-0.14-14.el6_3.i686.rpm

     Dependencies:
     python-saslwrapper-0.14-1.el6.i686.rpm
     ruby-saslwrapper-0.14-1.el6.i686.rpm
     saslwrapper-0.14-1.el6.i686.rpm
     saslwrapper-devel-0.14-1.el6.i686.rpm
   noarch
     python-qpid-0.14-11.el6_3.noarch.rpm
     qpid-tools-0.14-6.el6_3.noarch.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV