From commits-return-47371-archive-asf-public=cust-asf.ponee.io@qpid.apache.org Mon Nov 12 11:52:32 2018
CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented

Severity: Important

Affected components: Qpid Proton-J

Affected versions: 0.3 to 0.29.0

Fixed versions: 0.30.0

Description

The Proton-J transport includes an optional wrapper layer to perform TLS,
enabled by use of the 'transport.ssl(...)' methods. Unless a verification
mode was explicitly configured, client and server modes previously defaulted,
as documented, to not verifying the peer certificate, with options to
configure this explicitly or to select a certificate verification mode with
or without hostname verification being performed.

The latter hostname-verifying mode was not previously implemented, and
attempts to use it resulted in an exception. This left only the option to
verify that the certificate is trusted, leaving such a client vulnerable to
Man In The Middle (MITM) attack.

Uses of the Proton-J protocol engine which do not utilise the optional
transport TLS wrapper are not impacted, e.g. usage within Qpid JMS.

Resolution

Uses of Proton-J utilising the optional transport TLS wrapper layer that
wish to enable hostname verification must be upgraded to version 0.30.0 or
later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is
now the default for client mode usage unless configured otherwise.

Mitigation

If upgrading is not currently possible then potential workarounds include
providing a custom SSLContext which enables hostname verification, or
omitting use of the 'transport.ssl(...)' methods and performing TLS through
other means such as utilising existing IO framework support or supplying a
custom transport wrapper layer.

Credit

This issue was reported by Peter Stockli of Alphabot Security.
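The two configurations the Resolution and Mitigation sections describe, as an added example that is not part of this advisory or of the Proton-J project's own code. It assumes the Proton-J engine API (Proton.sslDomain(), SslDomain.VerifyMode, SslDomain.setSslContext(...), Proton.sslPeerDetails(...) and Transport.ssl(domain, peerDetails)); the class name ProtonTlsConfig and the helper names are hypothetical. The workaround path further assumes that, when SslPeerDetails are supplied, Proton-J creates its SSLEngine with the peer host name so that the custom trust manager can read it via getPeerHost(); the SAN matcher is deliberately simplified (dNSName entries and a single leftmost wildcard label only, no IP SANs or CN fallback).

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import org.apache.qpid.proton.Proton;
import org.apache.qpid.proton.engine.SslDomain;
import org.apache.qpid.proton.engine.Transport;

/** Hypothetical helper class; not part of Proton-J. */
public final class ProtonTlsConfig {

    /** Proton-J 0.30.0 or later: verify the chain AND that the certificate names 'host'. */
    public static void configureClient(Transport transport, String host, int port) {
        SslDomain domain = Proton.sslDomain();
        domain.init(SslDomain.Mode.CLIENT);
        // VERIFY_PEER only checks that the chain is trusted; VERIFY_PEER_NAME (the 0.30.0+
        // client default) additionally matches the certificate against the peer host name.
        domain.setPeerAuthentication(SslDomain.VerifyMode.VERIFY_PEER_NAME);
        // The expected host name is taken from the SslPeerDetails passed with the domain.
        transport.ssl(domain, Proton.sslPeerDetails(host, port));
    }

    /** Workaround for 0.3 to 0.29.0: supply an SSLContext whose trust manager checks the host itself. */
    public static void configureClientWithWorkaround(Transport transport, String host, int port) throws Exception {
        SslDomain domain = Proton.sslDomain();
        domain.init(SslDomain.Mode.CLIENT);
        domain.setSslContext(hostnameCheckingContext());
        domain.setPeerAuthentication(SslDomain.VerifyMode.VERIFY_PEER); // VERIFY_PEER_NAME throws on these versions
        // Assumption: with SslPeerDetails present, Proton-J calls createSSLEngine(host, port),
        // so engine.getPeerHost() is available to the trust manager below.
        transport.ssl(domain, Proton.sslPeerDetails(host, port));
    }

    static SSLContext hostnameCheckingContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // JVM default trust store
        X509ExtendedTrustManager base = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) { base = (X509ExtendedTrustManager) tm; break; }
        }
        if (base == null) throw new IllegalStateException("no X509ExtendedTrustManager available");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new HostnameCheckingTrustManager(base) }, null);
        return ctx;
    }

    /** Delegates chain validation, then fails closed unless a dNSName SAN matches the peer host. */
    static final class HostnameCheckingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager base;
        HostnameCheckingTrustManager(X509ExtendedTrustManager base) { this.base = base; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            base.checkServerTrusted(chain, authType, engine);
            String expected = engine == null ? null : engine.getPeerHost();
            if (expected == null) throw new CertificateException("peer host unknown, refusing to trust server");
            if (!matchesDnsSan(chain[0], expected))
                throw new CertificateException("server certificate does not match host " + expected);
        }
        // No host name is available in these forms, so refuse rather than silently skip the check.
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("host name unavailable, refusing to trust server");
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
            throw new CertificateException("socket mode not supported by this trust manager");
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { base.checkClientTrusted(chain, authType); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket s) throws CertificateException { base.checkClientTrusted(chain, authType, s); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine e) throws CertificateException { base.checkClientTrusted(chain, authType, e); }
        @Override public X509Certificate[] getAcceptedIssuers() { return base.getAcceptedIssuers(); }
    }

    /** Simplified matcher: exact dNSName SAN or a single leftmost wildcard label; no IP SANs, no CN fallback. */
    static boolean matchesDnsSan(X509Certificate cert, String host) throws CertificateException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        int dot = h.indexOf('.');
        for (List<?> san : sans) {
            if (((Integer) san.get(0)).intValue() != 2) continue; // 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            if (name.startsWith("*.") && dot > 0 && name.substring(1).equals(h.substring(dot))) return true;
        }
        return false;
    }
}
```

The first method is the upgrade path: on 0.30.0 and later the domain's VERIFY_PEER_NAME mode, together with the SslPeerDetails naming the expected host, gives the wrapper what it needs to reject a trusted-but-wrong certificate. The second method is the custom-SSLContext workaround the advisory suggests for versions that cannot be upgraded; its trust manager deliberately throws whenever no host name is available rather than degrading to trust-only checking, which is exactly the gap the CVE describes.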
Apache Qpid, Messaging built on AMQP; Copyright © 2015 The Apache Software Foundation; Licensed under the Apache License, Version 2.0; Apache Qpid, Qpid, Qpid Proton, Proton, Apache, the Apache feather logo, and the Apache Qpid project logo are trademarks of The Apache Software Foundation; All other marks mentioned may be trademarks or registered trademarks of their respective owners

See the main Security page for general information and details for other components.
Security - Proton-J

CVE-ID         | Severity  | Affected versions       | Fixed versions   | Summary
CVE-2018-17187 | Important | 0.3 to 0.29.0 inclusive | 0.30.0 and later | Transport TLS wrapper hostname verification mode not implemented
For more information about this release, including download links and documentation, see the release overview.

Note: This release addresses security issue CVE-2018-17187, around hostname verification mode not being implemented in the optional transport TLS wrapper. Uses of proton-j not using this layer (e.g. use within Qpid JMS) are not impacted.