
Security Advisory Moderate: Red Hat Enterprise MRG Messaging 2.1 security and enhancement update

Advisory: RHSA-2012:0528-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-04-30
Last updated on: 2012-04-30
Affected Products: Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)
CVEs (cve.mitre.org): CVE-2011-3620

Details

Updated Messaging packages that resolve one security issue, fix multiple
bugs, and add various enhancements are now available for Red Hat Enterprise
MRG 2.1 for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation
IT infrastructure for enterprise computing. MRG offers increased
performance, reliability, interoperability, and faster computing for
enterprise customers.

MRG Messaging is a high-speed reliable messaging distribution for Linux
based on AMQP (Advanced Message Queuing Protocol), an open protocol
standard for enterprise messaging that is designed to make mission critical
messaging widely available as a standard service, and to make enterprise
messaging interoperable across platforms, programming languages, and
vendors. MRG Messaging includes an AMQP 0-10 messaging broker; AMQP 0-10
client libraries for C++, Java JMS, and Python; as well as persistence
libraries and management tools.

It was found that Qpid accepted any password or SASL mechanism, provided
the remote user knew a valid cluster username. This could give a remote
attacker unauthorized access to the cluster, exposing cluster messages and
internal Qpid/MRG configurations. (CVE-2011-3620)

Note: If you are using an ACL, the cluster-username must be allowed to
publish to the qpid.cluster-credentials exchange. For example, if your
cluster-username is "foo", in your ACL file:

acl allow foo@QPID publish exchange name=qpid.cluster-credentials
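
As an added illustration (not part of the advisory and not Qpid code), the following Python check tests whether an ACL file lets the cluster-username publish to the qpid.cluster-credentials exchange. It assumes simplified qpidd ACL semantics (first matching rule wins, no match means deny, groups are not nested, properties other than name are ignored); the function names and sample ACL files are constructed for the example.

```python
# Added example, not Red Hat or Qpid code. Assumed simplified ACL semantics:
# first matching rule wins, no match means deny, groups are not nested.
EXCHANGE = "qpid.cluster-credentials"

# Constructed sample ACL files.
SAMPLE_OK = """\
group admins admin@QPID
acl allow admins all
acl allow foo@QPID publish exchange name=qpid.cluster-credentials
acl deny all all
"""
SAMPLE_BLOCKED = """\
group admins admin@QPID
acl allow admins all
acl deny all all
"""

def _name_matches(pattern, value):
    """A name property is exact or ends in a '*' wildcard."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def cluster_user_can_publish(acl_text, user):
    """True if `user` (e.g. 'foo@QPID') may publish to EXCHANGE."""
    groups = {}
    # Join backslash-continued lines, then walk the rules in file order.
    for raw in acl_text.replace("\\\n", " ").splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "group" and len(tokens) >= 2:
            groups.setdefault(tokens[1], set()).update(tokens[2:])
            continue
        if tokens[0] != "acl" or len(tokens) < 4:
            continue
        decision, who, action = tokens[1:4]
        obj = tokens[4] if len(tokens) > 4 else "all"
        props = dict(t.split("=", 1) for t in tokens[5:] if "=" in t)
        if who != "all" and who != user and user not in groups.get(who, ()):
            continue
        if action not in ("all", "publish") or obj not in ("all", "exchange"):
            continue
        # Properties other than name (e.g. routingkey) are ignored here.
        if "name" in props and not _name_matches(props["name"], EXCHANGE):
            continue
        return decision in ("allow", "allow-log")
    return False  # nothing matched: deny
```

Running the check against the ACL file on every node before restarting the cluster shows whether a catch-all deny rule sits ahead of the required allow rule.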

The CVE-2011-3620 fix changes the cluster initialization protocol. As such,
once all brokers are running the new version, the whole cluster must be
restarted for the changes to take effect. See below for details.

These updated packages provide numerous enhancements and bug fixes for the
Messaging component of MRG. Space precludes documenting all of these
changes in this advisory. Documentation for these changes will be available
shortly in the Technical Notes document linked to in the References
section.

All users of the Messaging capabilities of Red Hat Enterprise MRG 2.1 are
advised to upgrade to these updated packages, which resolve the issues and
add the enhancements noted in the Red Hat Enterprise MRG 2 Technical Notes.
After installing the updated packages, stop the cluster by either running
"service qpidd stop" on all nodes, or "qpid-cluster --all-stop" on any one
of the cluster nodes. Once stopped, restart the cluster with
"service qpidd start" on all nodes for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)

SRPMS:
condor-7.6.5-0.14.el6.src.rpm
File outdated by: RHSA-2013:1294
qpid-cpp-0.14-14.el6_2.src.rpm
File outdated by: RHBA-2014:0130
qpid-java-0.14-3.el6.src.rpm
File outdated by: RHSA-2013:1024
qpid-jca-0.14-9.el6.src.rpm
File outdated by: RHSA-2013:0562
qpid-qmf-0.14-7.el6_2.src.rpm
File outdated by: RHBA-2014:0130
sesame-1.0-5.el6.src.rpm
File outdated by: RHSA-2013:0565
 
IA-32:
condor-7.6.5-0.14.el6.i686.rpm
File outdated by: RHSA-2013:1294
condor-aviary-7.6.5-0.14.el6.i686.rpm
File outdated by: RHSA-2013:1294
condor-classads-7.6.5-0.14.el6.i686.rpm
File outdated by: RHSA-2013:1294
condor-debuginfo-7.6.5-0.14.el6.i686.rpm
File outdated by: RHSA-2013:1294
condor-kbdd-7.6.5-0.14.el6.i686.rpm
File outdated by: RHSA-2013:1294
condor-plumage-7.6.5-0.14.el6.i686.rpm
File outdated by: RHSA-2013:1294
condor-qmf-7.6.5-0.14.el6.i686.rpm
File outdated by: RHSA-2013:1294
qpid-cpp-client-devel-0.14-14.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-client-devel-docs-0.14-14.el6_2.noarch.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-client-rdma-0.14-14.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-debuginfo-0.14-14.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-cluster-0.14-14.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-devel-0.14-14.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-rdma-0.14-14.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-store-0.14-14.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-xml-0.14-14.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
qpid-java-client-0.14-3.el6.noarch.rpm
File outdated by: RHSA-2013:1024
qpid-java-common-0.14-3.el6.noarch.rpm
File outdated by: RHSA-2013:1024
qpid-java-example-0.14-3.el6.noarch.rpm
File outdated by: RHSA-2013:1024
qpid-jca-0.14-9.el6.noarch.rpm
File outdated by: RHSA-2013:0562
qpid-jca-xarecovery-0.14-9.el6.noarch.rpm
File outdated by: RHSA-2013:0562
qpid-qmf-debuginfo-0.14-7.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
qpid-qmf-devel-0.14-7.el6_2.i686.rpm
File outdated by: RHBA-2014:0130
sesame-1.0-5.el6.i686.rpm
File outdated by: RHSA-2013:0565
sesame-debuginfo-1.0-5.el6.i686.rpm
File outdated by: RHSA-2013:0565
 
x86_64:
condor-7.6.5-0.14.el6.x86_64.rpm
File outdated by: RHSA-2013:1294
condor-aviary-7.6.5-0.14.el6.x86_64.rpm
File outdated by: RHSA-2013:1294
condor-classads-7.6.5-0.14.el6.x86_64.rpm
File outdated by: RHSA-2013:1294
condor-debuginfo-7.6.5-0.14.el6.x86_64.rpm
File outdated by: RHSA-2013:1294
condor-kbdd-7.6.5-0.14.el6.x86_64.rpm
File outdated by: RHSA-2013:1294
condor-plumage-7.6.5-0.14.el6.x86_64.rpm
File outdated by: RHSA-2013:1294
condor-qmf-7.6.5-0.14.el6.x86_64.rpm
File outdated by: RHSA-2013:1294
condor-vm-gahp-7.6.5-0.14.el6.x86_64.rpm
File outdated by: RHSA-2013:1294
qpid-cpp-client-devel-0.14-14.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-client-devel-docs-0.14-14.el6_2.noarch.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-client-rdma-0.14-14.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-debuginfo-0.14-14.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-cluster-0.14-14.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-devel-0.14-14.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-rdma-0.14-14.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-store-0.14-14.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
qpid-cpp-server-xml-0.14-14.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
qpid-java-client-0.14-3.el6.noarch.rpm
File outdated by: RHSA-2013:1024
qpid-java-common-0.14-3.el6.noarch.rpm
File outdated by: RHSA-2013:1024
qpid-java-example-0.14-3.el6.noarch.rpm
File outdated by: RHSA-2013:1024
qpid-jca-0.14-9.el6.noarch.rpm
File outdated by: RHSA-2013:0562
qpid-jca-xarecovery-0.14-9.el6.noarch.rpm
File outdated by: RHSA-2013:0562
qpid-qmf-debuginfo-0.14-7.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
qpid-qmf-devel-0.14-7.el6_2.x86_64.rpm
File outdated by: RHBA-2014:0130
sesame-1.0-5.el6.x86_64.rpm
File outdated by: RHSA-2013:0565
sesame-debuginfo-1.0-5.el6.x86_64.rpm
File outdated by: RHSA-2013:0565
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

747078 - CVE-2011-3620 qpid-cpp: cluster authentication ignores cluster-* settings


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/