Security Advisory Moderate: Red Hat Enterprise MRG Messaging security and bug fix update 1.2.2

Advisory: RHSA-2010:0757-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-10-07
Last updated on: 2010-10-07
Affected Products: Red Hat Enterprise MRG v1 for Enterprise Linux AS (version 4)
                   Red Hat Enterprise MRG v1 for Enterprise Linux ES (version 4)
CVEs (cve.mitre.org): CVE-2010-3083, CVE-2010-3701

Details

Updated Red Hat Enterprise MRG Messaging packages that fix two security
issues and several bugs are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Red Hat Enterprise MRG (Messaging, Realtime and Grid) is a real-time IT
infrastructure for enterprise computing. MRG Messaging implements the
Advanced Message Queuing Protocol (AMQP) standard, adding persistence
options, kernel optimizations, and operating system services.

A flaw was found in the way SSL connections to the MRG Messaging broker
were handled. A connection (from a user or client application) to the
broker's SSL port would prevent the broker from responding to any other
connections on that port, until the first connection's SSL handshake
completed or failed. A remote user could use this flaw to block connections
from legitimate clients. Note that this issue only affected connections to
the SSL port. The broker does not listen for SSL connections by default.
(CVE-2010-3083)

A flaw was found in the way the MRG Messaging broker handled the receipt of
large persistent messages. If a remote, authenticated user sent a very
large persistent message, the broker could exhaust stack memory, causing
the broker to crash. (CVE-2010-3701)

This update also includes a number of MRG Messaging bug fixes, including
updated qpidc and rhm packages:

* The Messaging broker failed on restart after a new durable exchange had
been supplied by a plug-in. The startup sequence has been reordered so that
the plug-in modules are loaded before the store is recovered. With this
update, the new exchange is recognized and recovered successfully and the
broker starts up. (BZ#550151)

* qpid-route could not delete an existing route due to a problem with the
management object for the bridge. With this update, qpid-route follows the
normal path. (BZ#560696)

* Previously, clients connecting over SSL needed to use some other username
to authenticate themselves to have permission granted via ACLs. This update
adds the option to use the client identity as authenticated by SSL.
(BZ#601222)

* New brokers did not see a durable exchange even though it existed in a
cluster. This update checks for any durable exchanges to be replicated when
a new broker is added to the cluster. Now, the exchange is visible on the
new broker. (BZ#601230)

* Cluster members occasionally failed when a new member was added to a
cluster with active consumers, because some of the consumer information was
not being replicated to new members joining a cluster. With this update,
the missing information is replicated to new members when joining a
cluster. (BZ#601236)

* Performance decreased when reading messages from a queue sequentially
without taking them off the queue. With this update, the algorithm for
traversing through messages has been changed, and the next message is found
more quickly, even for large queues. (BZ#611907)

* Wire-level protocol violations or segmentation faults occurred when adding
tags, because a message could be modified concurrently with its encoding.
This update clones messages before adding tags, so that they cannot be
modified while they are being delivered and encoded. (BZ#619919)

All Red Hat Enterprise MRG users are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the qpidd service must be restarted ("service qpidd restart") for
this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
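A post-update check a practitioner can run on an affected host, added here as an example and not Red Hat's own tooling: it compares the installed qpidd, qpidc, qmf and rhm version-release strings with the fixed builds from this advisory's package list and reminds the operator that qpidd must be restarted. The awk comparison in at_least() is an approximation of rpmvercmp that is exact for the dotted numeric version-release strings used in this advisory.

```shell
#!/bin/sh
# Added example (not Red Hat tooling): verify that the MRG Messaging packages on
# this host are at or above the builds shipped in RHSA-2010:0757-1.
# Fixed version-release strings are taken from the advisory's package list.
FIXED_QPID="0.5.752581-42.el4"   # qpidc, qpidd, qmf and their sub-packages
FIXED_RHM="0.5.3206-36.el4"      # rhm (the persistent store)

# at_least INSTALLED FIXED: succeed (exit 0) when INSTALLED >= FIXED.
# Splits both strings into alphanumeric segments and compares them in order,
# numerically where both segments are numbers (approximation of rpmvercmp).
at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, as, /[^0-9A-Za-z]+/)
        nb = split(b, bs, /[^0-9A-Za-z]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = as[i]; y = bs[i]
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/)
                r = (x + 0 >= y + 0) ? 0 : 1
            else
                r = ("" x > "" y) ? 0 : 1
            exit r
        }
        exit 0
    }'
}

# check_pkg NAME FIXED: report whether the installed NAME meets FIXED.
check_pkg() {
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null | head -n 1)
    case "$inst" in
        ""|*"not installed"*) echo "$1: not installed"; return 0 ;;
    esac
    if at_least "$inst" "$2"; then
        echo "$1: $inst is at or above $2 (fixed)"
    else
        echo "$1: $inst is BELOW $2 -- apply RHSA-2010:0757-1"
    fi
}

if command -v rpm >/dev/null 2>&1; then
    for p in qpidd qpidc qmf; do check_pkg "$p" "$FIXED_QPID"; done
    check_pkg rhm "$FIXED_RHM"
    echo "After updating, run: service qpidd restart"
else
    echo "rpm not found; only at_least() can be exercised on this host"
fi
```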

Updated packages

Red Hat Enterprise MRG v1 for Enterprise Linux AS (version 4)

Red Hat Enterprise MRG v1 for Enterprise Linux ES (version 4)

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

632657 - CVE-2010-3083 MRG: SSL connections to MRG broker can be blocked
639054 - Build 1.2.2 release for RHEL-4 errata
640006 - CVE-2010-3701 MRG: remote authenticated DoS in broker

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/