RedHat: RHSA-2020-4211:01 Moderate: Red Hat AMQ Interconnect 1.9.0 release
Summary
Red Hat AMQ Interconnect is a component of the AMQ 7 product family. AMQ
Interconnect provides flexible routing of messages between AMQP-enabled
endpoints, whether they are clients, servers, brokers, or any other entity
that can send or receive standard AMQP messages.
This release of Red Hat AMQ Interconnect 1.9.0 serves as a replacement for
Red Hat AMQ Interconnect 1.8.0 and includes security and bug fixes, and
enhancements. For further information, refer to the release notes linked
to in the References section.
Security Fix(es):
* jQuery: allows XSS via the load method (CVE-2020-7656)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter
method (CVE-2020-11022)
* jQuery: passing HTML containing
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2020-7656 https://access.redhat.com/security/cve/CVE-2020-11022 https://access.redhat.com/security/cve/CVE-2020-11023 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.interconnect&downloadType=distributions&version=1.9.0 https://access.redhat.com/documentation/en-us/red_hat_amq/
Package List
6ComputeNode-RH6-A-MQ-Interconnect-1:
Source:
qpid-dispatch-1.13.0-3.el6_10.src.rpm
noarch:
qpid-dispatch-console-1.13.0-3.el6_10.noarch.rpm
qpid-dispatch-docs-1.13.0-3.el6_10.noarch.rpm
qpid-dispatch-tools-1.13.0-3.el6_10.noarch.rpm
x86_64:
qpid-dispatch-debuginfo-1.13.0-3.el6_10.x86_64.rpm
qpid-dispatch-router-1.13.0-3.el6_10.x86_64.rpm
6Server-RH6-A-MQ-Interconnect-1:
Source:
qpid-dispatch-1.13.0-3.el6_10.src.rpm
i386:
qpid-dispatch-debuginfo-1.13.0-3.el6_10.i686.rpm
qpid-dispatch-router-1.13.0-3.el6_10.i686.rpm
noarch:
qpid-dispatch-console-1.13.0-3.el6_10.noarch.rpm
qpid-dispatch-docs-1.13.0-3.el6_10.noarch.rpm
qpid-dispatch-tools-1.13.0-3.el6_10.noarch.rpm
x86_64:
qpid-dispatch-debuginfo-1.13.0-3.el6_10.x86_64.rpm
qpid-dispatch-router-1.13.0-3.el6_10.x86_64.rpm
6Workstation-RH6-A-MQ-Interconnect-1:
Source:
qpid-dispatch-1.13.0-3.el6_10.src.rpm
i386:
qpid-dispatch-debuginfo-1.13.0-3.el6_10.i686.rpm
qpid-dispatch-router-1.13.0-3.el6_10.i686.rpm
noarch:
qpid-dispatch-console-1.13.0-3.el6_10.noarch.rpm
qpid-dispatch-docs-1.13.0-3.el6_10.noarch.rpm
qpid-dispatch-tools-1.13.0-3.el6_10.noarch.rpm
x86_64:
qpid-dispatch-debuginfo-1.13.0-3.el6_10.x86_64.rpm
qpid-dispatch-router-1.13.0-3.el6_10.x86_64.rpm
7ComputeNode-RH7-A-MQ-Interconnect-1:
Source:
qpid-dispatch-1.13.0-3.el7.src.rpm
noarch:
qpid-dispatch-console-1.13.0-3.el7.noarch.rpm
qpid-dispatch-docs-1.13.0-3.el7.noarch.rpm
qpid-dispatch-tools-1.13.0-3.el7.noarch.rpm
x86_64:
qpid-dispatch-debuginfo-1.13.0-3.el7.x86_64.rpm
qpid-dispatch-router-1.13.0-3.el7.x86_64.rpm
7Server-RH7-A-MQ-Interconnect-1:
Source:
qpid-dispatch-1.13.0-3.el7.src.rpm
noarch:
qpid-dispatch-console-1.13.0-3.el7.noarch.rpm
qpid-dispatch-docs-1.13.0-3.el7.noarch.rpm
qpid-dispatch-tools-1.13.0-3.el7.noarch.rpm
x86_64:
qpid-dispatch-debuginfo-1.13.0-3.el7.x86_64.rpm
qpid-dispatch-router-1.13.0-3.el7.x86_64.rpm
7Workstation-RH7-A-MQ-Interconnect-1:
Source:
qpid-dispatch-1.13.0-3.el7.src.rpm
noarch:
qpid-dispatch-console-1.13.0-3.el7.noarch.rpm
qpid-dispatch-docs-1.13.0-3.el7.noarch.rpm
qpid-dispatch-tools-1.13.0-3.el7.noarch.rpm
x86_64:
qpid-dispatch-debuginfo-1.13.0-3.el7.x86_64.rpm
qpid-dispatch-router-1.13.0-3.el7.x86_64.rpm
8Base-A-MQ-Interconnect-1:
Source:
qpid-dispatch-1.13.0-3.el8.src.rpm
noarch:
qpid-dispatch-console-1.13.0-3.el8.noarch.rpm
qpid-dispatch-docs-1.13.0-3.el8.noarch.rpm
qpid-dispatch-tools-1.13.0-3.el8.noarch.rpm
x86_64:
qpid-dispatch-debugsource-1.13.0-3.el8.x86_64.rpm
qpid-dispatch-router-1.13.0-3.el8.x86_64.rpm
qpid-dispatch-router-debuginfo-1.13.0-3.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
Red Hat AMQ Interconnect 1.9.0 release packages are available for A-MQInterconnect on RHEL 6, 7, and 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
6ComputeNode-RH6-A-MQ-Interconnect-1 - noarch, x86_64
6Server-RH6-A-MQ-Interconnect-1 - i386, noarch, x86_64
6Workstation-RH6-A-MQ-Interconnect-1 - i386, noarch, x86_64
7ComputeNode-RH7-A-MQ-Interconnect-1 - noarch, x86_64
7Server-RH7-A-MQ-Interconnect-1 - noarch, x86_64
7Workstation-RH7-A-MQ-Interconnect-1 - noarch, x86_64
8Base-A-MQ-Interconnect-1 - noarch, x86_64
Bugs Fixed
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1850004 - CVE-2020-11023 jQuery: passing HTML containing
1850119 - CVE-2020-7656 jQuery: allows XSS via the load method
6. JIRA issues fixed (https://issues.redhat.com/):
ENTMQIC-2448 - Allow specifying address/source/target to be used for a multitenant listener
ENTMQIC-2455 - Allow AMQP open properties to be supplemented from connector configuration
ENTMQIC-2460 - Adding new config address, autolinks and link routes become slower as more get added
ENTMQIC-2481 - Unable to delete listener with http enabled
ENTMQIC-2485 - The VhostNamePatterns does not work in OCP env
ENTMQIC-2492 - router drops TransactionalState on produced messages on link routes