qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rob...@apache.org
Subject qpid-site git commit: update site content for CVE-2018-17187
Date Mon, 12 Nov 2018 10:52:30 GMT
Repository: qpid-site
Updated Branches:
  refs/heads/asf-site 5404ff5f2 -> badac501e


update site content for CVE-2018-17187


Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/badac501
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/badac501
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/badac501

Branch: refs/heads/asf-site
Commit: badac501e58fcdeccb1ab064806c8815d1749537
Parents: 5404ff5
Author: Robbie Gemmell <robbie@apache.org>
Authored: Mon Nov 12 10:47:13 2018 +0000
Committer: Robbie Gemmell <robbie@apache.org>
Committed: Mon Nov 12 10:47:13 2018 +0000

----------------------------------------------------------------------
 content/cves/CVE-2018-17187.html                | 201 +++++++++++++++++++
 content/proton/index.html                       |   1 +
 content/proton/security-j.html                  | 169 ++++++++++++++++
 .../qpid-proton-j-0.30.0/release-notes.html     |   3 +
 content/security.html                           |   1 +
 input/cves/CVE-2018-17187.md                    |  57 ++++++
 input/proton/index.md                           |   1 +
 input/proton/security-j.md                      |  27 +++
 .../qpid-proton-j-0.30.0/release-notes.md       |   4 +-
 input/security.md                               |   1 +
 10 files changed, 464 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/cves/CVE-2018-17187.html
----------------------------------------------------------------------
diff --git a/content/cves/CVE-2018-17187.html b/content/cves/CVE-2018-17187.html
new file mode 100644
index 0000000..7ceaab4
--- /dev/null
+++ b/content/cves/CVE-2018-17187.html
@@ -0,0 +1,201 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements.  See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership.  The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied.  See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+  <head>
+    <title>CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented
- Apache Qpid&#8482;</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+    <script type="text/javascript">var _deferredFunctions = [];</script>
+    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+    <!--[if lte IE 8]>
+      <link rel="stylesheet" href="/ie.css" type="text/css"/>
+      <script type="text/javascript" src="/html5shiv.js"></script>
+    <![endif]-->
+
+    <!-- Redirects for `go get` and godoc.org -->
+    <meta name="go-import"
+          content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+    <meta name="go-source"
+          content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+  </head>
+  <body>
+    <div id="-content">
+      <div id="-top" class="panel">
+        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+        <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+        <ul id="-global-navigation">
+          <li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
+          <li><a href="/documentation.html">Documentation</a></li>
+          <li><a href="/download.html">Download</a></li>
+          <li><a href="/discussion.html">Discussion</a></li>
+        </ul>
+      </div>
+
+      <div id="-menu" class="panel" style="display: none;">
+        <div class="flex">
+          <section>
+            <h3>Project</h3>
+
+            <ul>
+              <li><a href="/overview.html">Overview</a></li>
+              <li><a href="/components/index.html">Components</a></li>
+              <li><a href="/releases/index.html">Releases</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Messaging APIs</h3>
+
+            <ul>
+              <li><a href="/proton/index.html">Qpid Proton</a></li>
+              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+              <li><a href="/components/messaging-api/index.html">Qpid Messaging
API</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Servers and tools</h3>
+
+            <ul>
+              <li><a href="/components/broker-j/index.html">Broker-J</a></li>
+              <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+              <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Resources</h3>
+
+            <ul>
+              <li><a href="/dashboard.html">Dashboard</a></li>
+              <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+              <li><a href="/resources.html">More resources</a></li>
+            </ul>
+          </section>
+        </div>
+      </div>
+
+      <div id="-search" class="panel" style="display: none;">
+        <form action="http://www.google.com/search" method="get">
+          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+          <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+          <button type="submit">Search</button>
+          <a href="/search.html">More ways to search</a>
+        </form>
+      </div>
+
+      <div id="-middle" class="panel">
+        <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li>CVE-2018-17187:
transport TLS wrapper hostname verification mode not implemented</li></ul>
+
+        <div id="-middle-content">
+          <h1 id="cve-2018-17187-transport-tls-wrapper-hostname-verification-mode-not-implemented">CVE-2018-17187:
transport TLS wrapper hostname verification mode not implemented</h1>
+
+<h2 id="severity">Severity</h2>
+
+<p>Important</p>
+
+<h2 id="affected-components">Affected components</h2>
+
+<p>Qpid Proton-J</p>
+
+<h2 id="affected-versions">Affected versions</h2>
+
+<p>0.3 to 0.29.0</p>
+
+<h2 id="fixed-versions">Fixed versions</h2>
+
+<p>0.30.0</p>
+
+<h2 id="description">Description</h2>
+
+<p>The Proton-J transport includes an optional wrapper layer to perform TLS,
+enabled by use of the 'transport.ssl(...)' methods. Unless a verification
+mode was explicitly configured, client and server modes previously defaulted
+as documented to not verifying a peer certificate, with options to
+configure this explicitly or select a certificate verification mode with or
+without hostname verification being performed.</p>
+
+<p>The latter hostname verifying mode was not previously implemented, with
+attempts to use it resulting in an exception. This left only the option to
+verify the certificate is trusted, leaving such a client vulnerable to
+Man In The Middle (MITM) attack.</p>
+
+<p>Uses of the Proton-J protocol engine which do not utilise the optional
+transport TLS wrapper are not impacted, e.g. usage within Qpid JMS.</p>
+
+<h2 id="resolution">Resolution</h2>
+
+<p>Uses of Proton-J utilising the optional transport TLS wrapper layer that
+wish to enable hostname verification must be upgraded to version 0.30.0 or
+later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is
+now the default for client mode usage unless configured otherwise.</p>
+
+<h2 id="mitigation">Mitigation</h2>
+
+<p>If upgrading is not currently possible then potential workarounds include
+providing a custom SSLContext which enables hostname verification, or
+omitting use of the 'transport.ssl(...)' methods and performing TLS through
+other means such as utilising existing IO framework support or supplying a
+custom transport wrapper layer.</p>
+
+<h2 id="references">References</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/PROTON-1962">PROTON-1962</a></p>
+
+<h2 id="credit">Credit</h2>
+
+<p>This issue was reported by Peter Stockli of Alphabot Security.</p>
+
+
+          <hr/>
+
+          <ul id="-apache-navigation">
+            <li><a href="http://www.apache.org/">Apache</a></li>
+            <li><a href="http://www.apache.org/licenses/">License</a></li>
+            <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+            <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+            <li><a href="/security.html">Security</a></li>
+            <li><a href="http://www.apache.org/"><img id="-apache-feather"
width="48" height="14" src="" alt="Apache"/></a></li>
+          </ul>
+
+          <p id="-legal">
+            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
+            The Apache Software Foundation; Licensed under
+            the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+            Proton, Apache, the Apache feather logo, and the Apache Qpid
+            project logo are trademarks of The Apache Software
+            Foundation; All other marks mentioned may be trademarks or
+            registered trademarks of their respective owners
+          </p>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/proton/index.html
----------------------------------------------------------------------
diff --git a/content/proton/index.html b/content/proton/index.html
index 816ea63..f9696c0 100644
--- a/content/proton/index.html
+++ b/content/proton/index.html
@@ -203,6 +203,7 @@ platform, environment, or language. More about
 
 <ul>
 <li><a href="security.html">Security</a></li>
+<li><a href="security-j.html">Security - Proton-J</a></li>
 <li><a href="submitting-patches.html">Contributing to Proton</a></li>
 <li><a href="https://cwiki.apache.org/confluence/display/qpid/proton">Proton
wiki pages</a></li>
 </ul>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/proton/security-j.html
----------------------------------------------------------------------
diff --git a/content/proton/security-j.html b/content/proton/security-j.html
new file mode 100644
index 0000000..ab4b962
--- /dev/null
+++ b/content/proton/security-j.html
@@ -0,0 +1,169 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements.  See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership.  The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied.  See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+  <head>
+    <title>Security - Proton-J - Apache Qpid&#8482;</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+    <script type="text/javascript">var _deferredFunctions = [];</script>
+    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+    <!--[if lte IE 8]>
+      <link rel="stylesheet" href="/ie.css" type="text/css"/>
+      <script type="text/javascript" src="/html5shiv.js"></script>
+    <![endif]-->
+
+    <!-- Redirects for `go get` and godoc.org -->
+    <meta name="go-import"
+          content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+    <meta name="go-source"
+          content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+  </head>
+  <body>
+    <div id="-content">
+      <div id="-top" class="panel">
+        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+        <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
+
+        <ul id="-global-navigation">
+          <li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
+          <li><a href="/documentation.html">Documentation</a></li>
+          <li><a href="/download.html">Download</a></li>
+          <li><a href="/discussion.html">Discussion</a></li>
+        </ul>
+      </div>
+
+      <div id="-menu" class="panel" style="display: none;">
+        <div class="flex">
+          <section>
+            <h3>Project</h3>
+
+            <ul>
+              <li><a href="/overview.html">Overview</a></li>
+              <li><a href="/components/index.html">Components</a></li>
+              <li><a href="/releases/index.html">Releases</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Messaging APIs</h3>
+
+            <ul>
+              <li><a href="/proton/index.html">Qpid Proton</a></li>
+              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+              <li><a href="/components/messaging-api/index.html">Qpid Messaging
API</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Servers and tools</h3>
+
+            <ul>
+              <li><a href="/components/broker-j/index.html">Broker-J</a></li>
+              <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
+              <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Resources</h3>
+
+            <ul>
+              <li><a href="/dashboard.html">Dashboard</a></li>
+              <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
+              <li><a href="/resources.html">More resources</a></li>
+            </ul>
+          </section>
+        </div>
+      </div>
+
+      <div id="-search" class="panel" style="display: none;">
+        <form action="http://www.google.com/search" method="get">
+          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+          <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
+          <button type="submit">Search</button>
+          <a href="/search.html">More ways to search</a>
+        </form>
+      </div>
+
+      <div id="-middle" class="panel">
+        <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a
href="/proton/index.html">Qpid Proton</a></li><li>Security - Proton-J</li></ul>
+
+        <div id="-middle-content">
+          <h1 id="security-proton-j">Security - Proton-J</h1>
+
+<table>
+<thead>
+<tr>
+  <th>CVE-ID</th>
+  <th>Severity</th>
+  <th>Affected versions</th>
+  <th>Fixed versions</th>
+  <th>Summary</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+  <td><a href="/cves/CVE-2018-17187.html">CVE-2018-17187</a></td>
+  <td>Important</td>
+  <td>0.3 to 0.29.0 inclusive</td>
+  <td>0.30.0 and later</td>
+  <td>Transport TLS wrapper hostname verification mode not implemented</td>
+</tr>
+</tbody>
+</table>
+
+<p>See the main <a href="/security.html">Security</a> page for general
+information and details for other components.</p>
+
+
+          <hr/>
+
+          <ul id="-apache-navigation">
+            <li><a href="http://www.apache.org/">Apache</a></li>
+            <li><a href="http://www.apache.org/licenses/">License</a></li>
+            <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+            <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+            <li><a href="/security.html">Security</a></li>
+            <li><a href="http://www.apache.org/"><img id="-apache-feather"
width="48" height="14" src="" alt="Apache"/></a></li>
+          </ul>
+
+          <p id="-legal">
+            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
+            The Apache Software Foundation; Licensed under
+            the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
+            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+            Proton, Apache, the Apache feather logo, and the Apache Qpid
+            project logo are trademarks of The Apache Software
+            Foundation; All other marks mentioned may be trademarks or
+            registered trademarks of their respective owners
+          </p>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/releases/qpid-proton-j-0.30.0/release-notes.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-proton-j-0.30.0/release-notes.html b/content/releases/qpid-proton-j-0.30.0/release-notes.html
index f726b18..65fac66 100644
--- a/content/releases/qpid-proton-j-0.30.0/release-notes.html
+++ b/content/releases/qpid-proton-j-0.30.0/release-notes.html
@@ -122,6 +122,8 @@ about <a href="/proton/index.html">Qpid Proton</a>.</p>
 <p>For more information about this release, including download links and
 documentation, see the <a href="index.html">release overview</a>.</p>
 
+<p><strong>Note</strong>: This release addresses security issue <a href="/cves/CVE-2018-17187.html">CVE-2018-17187</a>,
around hostname verification mode not being implemented in the optional transport TLS wrapper.
Uses of proton-j not using this layer (e.g use within Qpid JMS) are not impacted.</p>
+
 <h2 id="new-features-and-improvements">New features and improvements</h2>
 
 <ul>
@@ -136,6 +138,7 @@ documentation, see the <a href="index.html">release overview</a>.</p>
 <ul>
 <li><a href="https://issues.apache.org/jira/browse/PROTON-1938">PROTON-1938</a>
- misaligned Transport set/getErrorCondition and closed() behaviour</li>
 <li><a href="https://issues.apache.org/jira/browse/PROTON-1958">PROTON-1958</a>
- incorrect ordering for reactor timer tasks with matching deadlines</li>
+<li><a href="https://issues.apache.org/jira/browse/PROTON-1962">PROTON-1962</a>
- [CVE-2018-17187] transport TLS wrapper hostname verification mode not implemented</li>
 </ul>
 
 

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/security.html
----------------------------------------------------------------------
diff --git a/content/security.html b/content/security.html
index 4508351..83dddb1 100644
--- a/content/security.html
+++ b/content/security.html
@@ -141,6 +141,7 @@ Qpid components are detailed at:</p>
 <li><a href="/components/jms/security.html">JMS client</a></li>
 <li><a href="/components/jms/security-0-x.html">AMQP 0-x JMS client</a></li>
 <li><a href="/proton/security.html">Proton</a></li>
+<li><a href="/proton/security-j.html">Proton-J</a></li>
 </ul>
 
 </section>

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/cves/CVE-2018-17187.md
----------------------------------------------------------------------
diff --git a/input/cves/CVE-2018-17187.md b/input/cves/CVE-2018-17187.md
new file mode 100644
index 0000000..7df61cc
--- /dev/null
+++ b/input/cves/CVE-2018-17187.md
@@ -0,0 +1,57 @@
+# CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented
+
+## Severity
+
+Important
+
+## Affected components
+
+Qpid Proton-J
+
+## Affected versions
+
+0.3 to 0.29.0
+
+## Fixed versions
+
+0.30.0
+
+## Description
+
+The Proton-J transport includes an optional wrapper layer to perform TLS,
+enabled by use of the 'transport.ssl(...)' methods. Unless a verification
+mode was explicitly configured, client and server modes previously defaulted
+as documented to not verifying a peer certificate, with options to
+configure this explicitly or select a certificate verification mode with or
+without hostname verification being performed.
+
+The latter hostname verifying mode was not previously implemented, with
+attempts to use it resulting in an exception. This left only the option to
+verify the certificate is trusted, leaving such a client vulnerable to
+Man In The Middle (MITM) attack.
+
+Uses of the Proton-J protocol engine which do not utilise the optional
+transport TLS wrapper are not impacted, e.g. usage within Qpid JMS.
+
+## Resolution
+
+Uses of Proton-J utilising the optional transport TLS wrapper layer that
+wish to enable hostname verification must be upgraded to version 0.30.0 or
+later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is
+now the default for client mode usage unless configured otherwise.
+
+## Mitigation
+
+If upgrading is not currently possible then potential workarounds include
+providing a custom SSLContext which enables hostname verification, or
+omitting use of the 'transport.ssl(...)' methods and performing TLS through
+other means such as utilising existing IO framework support or supplying a
+custom transport wrapper layer.
+
+## References
+
+[PROTON-1962](https://issues.apache.org/jira/browse/PROTON-1962)
+
+## Credit
+
+This issue was reported by Peter Stockli of Alphabot Security.

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/proton/index.md
----------------------------------------------------------------------
diff --git a/input/proton/index.md b/input/proton/index.md
index bc810d5..bb3e406 100644
--- a/input/proton/index.md
+++ b/input/proton/index.md
@@ -89,6 +89,7 @@ platform, environment, or language. More about
 ## Resources
 
  - [Security](security.html)
+ - [Security - Proton-J](security-j.html)
  - [Contributing to Proton](submitting-patches.html)
  - [Proton wiki pages](https://cwiki.apache.org/confluence/display/qpid/proton)
 

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/proton/security-j.md
----------------------------------------------------------------------
diff --git a/input/proton/security-j.md b/input/proton/security-j.md
new file mode 100644
index 0000000..7925e16
--- /dev/null
+++ b/input/proton/security-j.md
@@ -0,0 +1,27 @@
+;;
+;; Licensed to the Apache Software Foundation (ASF) under one
+;; or more contributor license agreements.  See the NOTICE file
+;; distributed with this work for additional information
+;; regarding copyright ownership.  The ASF licenses this file
+;; to you under the Apache License, Version 2.0 (the
+;; "License"); you may not use this file except in compliance
+;; with the License.  You may obtain a copy of the License at
+;;
+;;   http://www.apache.org/licenses/LICENSE-2.0
+;;
+;; Unless required by applicable law or agreed to in writing,
+;; software distributed under the License is distributed on an
+;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+;; KIND, either express or implied.  See the License for the
+;; specific language governing permissions and limitations
+;; under the License.
+;;
+
+# Security - Proton-J
+
+| CVE-ID | Severity | Affected versions | Fixed versions | Summary |
+| ------ | -------- | ----------------- | -------------- | ------- |
+| [CVE-2018-17187]({{site_url}}/cves/CVE-2018-17187.html) | Important | 0.3 to 0.29.0 inclusive
| 0.30.0 and later | Transport TLS wrapper hostname verification mode not implemented |
+
+See the main [Security]({{site_url}}/security.html) page for general
+information and details for other components.

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/releases/qpid-proton-j-0.30.0/release-notes.md
----------------------------------------------------------------------
diff --git a/input/releases/qpid-proton-j-0.30.0/release-notes.md b/input/releases/qpid-proton-j-0.30.0/release-notes.md
index 3d0cb9a..5df8957 100644
--- a/input/releases/qpid-proton-j-0.30.0/release-notes.md
+++ b/input/releases/qpid-proton-j-0.30.0/release-notes.md
@@ -25,6 +25,7 @@ about [Qpid Proton]({{site_url}}/proton/index.html).
 For more information about this release, including download links and
 documentation, see the [release overview](index.html).
 
+**Note**: This release addresses security issue [CVE-2018-17187]({{site_url}}/cves/CVE-2018-17187.html),
around hostname verification mode not being implemented in the optional transport TLS wrapper.
Uses of proton-j not using this layer (e.g use within Qpid JMS) are not impacted.
 
 ## New features and improvements
 
@@ -36,4 +37,5 @@ documentation, see the [release overview](index.html).
 ## Bugs fixed
 
  - [PROTON-1938](https://issues.apache.org/jira/browse/PROTON-1938) - misaligned Transport
set/getErrorCondition and closed() behaviour
- - [PROTON-1958](https://issues.apache.org/jira/browse/PROTON-1958) - incorrect ordering
for reactor timer tasks with matching deadlines
\ No newline at end of file
+ - [PROTON-1958](https://issues.apache.org/jira/browse/PROTON-1958) - incorrect ordering
for reactor timer tasks with matching deadlines
+ - [PROTON-1962](https://issues.apache.org/jira/browse/PROTON-1962) - [CVE-2018-17187] transport
TLS wrapper hostname verification mode not implemented

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/security.md
----------------------------------------------------------------------
diff --git a/input/security.md b/input/security.md
index 5453ae9..bcd7427 100644
--- a/input/security.md
+++ b/input/security.md
@@ -39,6 +39,7 @@ Qpid components are detailed at:
  - [JMS client]({{site_url}}/components/jms/security.html)
  - [AMQP 0-x JMS client]({{site_url}}/components/jms/security-0-x.html)
  - [Proton]({{site_url}}/proton/security.html)
+ - [Proton-J]({{site_url}}/proton/security-j.html)
 
 </section>
 </div>


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message