qpid-commits mailing list archives

From jr...@apache.org
Subject [1/3] qpid-site git commit: QPID-7756: Give each CVE its own page; link to CVEs from component pages
Date Mon, 15 May 2017 13:43:18 GMT
Repository: qpid-site
Updated Branches:
  refs/heads/asf-site d03960c7e -> 891f697bd


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/proton/security.md
----------------------------------------------------------------------
diff --git a/input/proton/security.md b/input/proton/security.md
index f708f56..e793119 100644
--- a/input/proton/security.md
+++ b/input/proton/security.md
@@ -19,120 +19,10 @@
 
 # Security
 
-<section markdown="1">
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
+| ------ | -------- | ----------------- | -------------- | ------- |
+| [CVE-2016-4467]({{site_url}}/cves/CVE-2016-4467.html) | Medium | 0.8 through 0.13.0 inclusive
| 0.13.1 and later | Failure to verify that the server host name matches the certificate host
name on Windows |
+| [CVE-2016-2166]({{site_url}}/cves/CVE-2016-2166.html) | Moderate | 0.9 through 0.12.0 inclusive
| 0.12.1 and later | Python bindings silently ignore request for amqps if SSL/TLS not supported
|
 
-## Proton
-
-<table>
-  <thead>
-    <tr>
-      <th>CVE-ID</th><th>Severity</th><th>Affected&nbsp;Versions</th><th>Fixed&nbsp;in&nbsp;Versions</th><th>Description</th>
-    </tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td>CVE-2016-4467</td>
-      <td>Medium</td>
-      <td>0.8 through 0.13.0 (inclusive)</td>
-      <td>0.13.1 and later</td>
-      <td>Failure to verify that the server host name matches the certificate host
name on Windows
-        <a id="CVE_2016_4467_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_4467_details',
controlId:'CVE_2016_4467_details_toggle', showMore:'<small>show more</small>',
showLess:'<small>show less</small>'});"><small>show more</small></a>
-        <div style="display:none;" id="CVE_2016_4467_details">
-
-          <p>Messaging applications using the Proton C library to
-          provide SSL/TLS authentication on Windows can falsely
-          authenticate a server whose name does not match the server
-          name in the connection specifier.  Proton C bindings are
-          affected to a greater or lesser degree depending on how
-          they use the underlying Proton C library.</p>
-
-          <p>In Proton C, this can only happen if
-          PN_SSL_VERIFY_PEER_NAME has been specified as the
-          verification mode and pn_ssl_set_peer_hostname() has not
-          been called at all or has been called with a NULL value for
-          a particular pn_ssl_t object.</p>
-
-          <p>In the Proton C++ binding, this will always happen unless
-          the application has separately specified a virtual_host name
-          for an SSL/TLS connection.</p>
-
-          <p>In the Proton Python and Ruby bindings, this will only
-          happen if the application has separately specified a NULL
-          virtual_host name for an SSL/TLS connection after creating
-          the connection but before the authentication step.</p>
-
-          <p>This issue only occurs on Windows versions of Proton that
-          use the default SChannel-based security layer.</p>
-
-          <p>In any of the preceding cases, it is possible for a
-          man-in-the-middle attacker to spoof an SSL/TLS server if
-          they had a certificate that was valid for any of the
-          application's Certificate Authorities.</p>
-
-          <p>Resolution: Proton release 0.13.1 resolves this issue in
-          the SChannel-based security layer by obtaining a default
-          non-NULL peer hostname from the associated connection
-          address when initialized and by always failing hostname
-          verification if PN_SSL_VERIFY_PEER_NAME has been specified
-          along with a NULL peer hostname.  This resolution matches
-          the associated behaviour of the OpenSSL-based security
-          layer.</p>
-
-          <p>References: <a
-          href="https://issues.apache.org/jira/browse/PROTON-1228">PROTON-1228</a>
-          and <a
-          href="https://issues.apache.org/jira/browse/PROTON-1233">PROTON-1233</a>.</p>
-        </div>
-      </td>
-    </tr>
-    <tr>
-      <td>CVE-2016-2166</td>
-      <td>Moderate</td>
-      <td>0.9 through 0.12.0 (inclusive)</td>
-      <td>0.12.1 and later</td>
-      <td>
-        Python bindings silently ignore request for amqps if SSL/TLS not supported. <a
id="CVE_2016_2166_details_toggle" href="javascript:_toggleDiv({divId:'CVE_2016_2166_details',
controlId:'CVE_2016_2166_details_toggle', showMore:'<small>show more</small>',
showLess:'<small>show less</small>'});"><small>show more</small></a>
-        <div style="display:none;" id="CVE_2016_2166_details">
-          <p>Versions Affected: Apache Qpid Proton python API starting
-          at 0.9 up to and including version 0.12.0.</p>
-          <p>Description: Messaging applications using the Proton
-          Python API to provision an SSL/TLS encrypted TCP connection
-          may actually instantiate a non-encrypted connection without
-          notice if SSL support is unavailable.  This will result in
-          all messages being sent in the clear without the knowledge
-          of the user.<br/>  This issue affects those applications
-          that use the Proton Reactor Python API to create SSL/TLS
-          connections.  Specifically the proton.reactor.Connector,
-          proton.reactor.Container, and
-          proton.utils.BlockingConnection classes are vulnerable.
-          These classes can create an unencrypted connections if the
-          "amqps://" URL prefix is used.<br/>  The issue only occurs
-          if the installed Proton libraries do not support SSL.  This
-          would be the case if the libraries were built without SSL
-          support or the necessary SSL libraries are not present on
-          the system (e.g. OpenSSL in the case of *nix).<br/>  To
-          check whether or not the Python API provides SSL support,
-          use the following console command:<br/>python -c "import
-          proton; print('%s' % 'SSL present' if proton.SSL.present()
-          else 'SSL NOT AVAILBLE')"<br/>In addition, the issue can
-          only occur if both ends of the connection connect without
-          SSL.  This would be the case if the vulnerability is active
-          on both ends of the connection, or the non-affected endpoint
-          allows cleartext connections.</p>
-          <p>Resolution: Proton release 0.12.1 resolves this issue by
-          raising an SSLUnavailable exception when SSL is not
-          available and a SSL/TLS connection is requested via the
-          "amqps://" URL
-          prefix.<br/>A <a href="https://issues.apache.org/jira/browse/PROTON-1157">patch</a>
-          is also available.</p>
-          <p>References: <a href="https://issues.apache.org/jira/browse/PROTON-1157">PROTON-1157</a></p>
-	  <p>Credit: This issue was discovered by M. Farrellee from Red Hat.</p>
-        </div>
-      </td>
-    </tr>
-  </tbody>
-</table>
-
-</section>
-
-See the main [Security]({{site_url}}/security.html) page for general information and details
for other components.
+See the main [Security]({{site_url}}/security.html) page for general
+information and details for other components.
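Review bot: the two rows use different severity labels for what reads as the same tier ("Medium" for CVE-2016-4467, "Moderate" for CVE-2016-2166); pick one term for the Severity column so rows are comparable across components. Also, since this hunk drops the detail paragraphs and links to `{{site_url}}/cves/CVE-2016-4467.html` and `{{site_url}}/cves/CVE-2016-2166.html`, which are not in this hunk, confirm those pages carry the conditions the removed text stated: that CVE-2016-4467 only applies to the Windows SChannel layer when PN_SSL_VERIFY_PEER_NAME is set and pn_ssl_set_peer_hostname() was not called or was given NULL, that CVE-2016-2166 requires both ends to connect without SSL and is checked with `python -c "import proton; print('%s' % 'SSL present' if proton.SSL.present() else 'SSL NOT AVAILABLE')"` (the removed text spelled it "AVAILBLE"), plus the PROTON-1228, PROTON-1233 and PROTON-1157 references and the Red Hat credit. A one-line summary alone does not let an operator decide whether a deployment is affected.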

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/891f697b/input/security.md
----------------------------------------------------------------------
diff --git a/input/security.md b/input/security.md
index 4361ac2..85eaa96 100644
--- a/input/security.md
+++ b/input/security.md
@@ -21,7 +21,7 @@
 
 <section markdown="1">
 
-## Security Updates
+## Security updates
 
 Details of security problems fixed in released versions of individual Apache
 Qpid components are detailed at:
@@ -30,13 +30,12 @@ Qpid components are detailed at:
 <section markdown="1">
 
  - [Broker for Java]({{site_url}}/components/java-broker/security.html)
- - [C++ Broker]({{site_url}}/components/cpp-broker/security.html)
+ - [C++ broker]({{site_url}}/components/cpp-broker/security.html)
 
 </section>
 <section markdown="1">
 
- - [JMS Client (AMQP 1.0)]({{site_url}}/components/jms/security.html)
- - [JMS Client (AMQP 0.x)]({{site_url}}/components/jms/security-0-x.html)
+ - [JMS client]({{site_url}}/components/jms/security.html)
  - [Proton]({{site_url}}/proton/security.html)
 
 </section>
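Review bot: removing the "JMS Client (AMQP 0.x)" bullet drops the only link from this index to `{{site_url}}/components/jms/security-0-x.html`; unless that page's advisories were folded into `components/jms/security.html` elsewhere in this commit, fixes for the AMQP 0.x JMS client become unreachable from the main security page. Either keep a second bullet for the 0.x client or make the merged page state which client (1.0 or 0.x) each CVE row covers.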
@@ -45,7 +44,7 @@ Qpid components are detailed at:
 </section>
 <section markdown="1">
 
-## Reporting New Security Problems with Apache Qpid
+## Reporting new security problems with Apache Qpid
 
 We take a very active stance in eliminating security problems and
 denial of service attacks against Apache Qpid.

