-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: librabbitmq security update
Advisory ID:       RHSA-2020:4445-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4445
Issue date:        2020-11-03
CVE Names:         CVE-2019-18609 
====================================================================
1. Summary:

An update for librabbitmq is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The librabbitmq packages provide an Advanced Message Queuing Protocol
(AMQP) client library that allows you to communicate with AMQP serversusing protocol version 0-9-1.

Security Fix(es):

* librabbitmq: integer overflow in amqp_handle_input in amqp_connection.c
leads to heap-based buffer overflow (CVE-2019-18609)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1786646 - CVE-2019-18609 librabbitmq: integer overflow in amqp_handle_input in amqp_connection.c leads to heap-based buffer overflow

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
librabbitmq-0.9.0-2.el8.src.rpm

aarch64:
librabbitmq-0.9.0-2.el8.aarch64.rpm
librabbitmq-debuginfo-0.9.0-2.el8.aarch64.rpm
librabbitmq-debugsource-0.9.0-2.el8.aarch64.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.aarch64.rpm

ppc64le:
librabbitmq-0.9.0-2.el8.ppc64le.rpm
librabbitmq-debuginfo-0.9.0-2.el8.ppc64le.rpm
librabbitmq-debugsource-0.9.0-2.el8.ppc64le.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.ppc64le.rpm

s390x:
librabbitmq-0.9.0-2.el8.s390x.rpm
librabbitmq-debuginfo-0.9.0-2.el8.s390x.rpm
librabbitmq-debugsource-0.9.0-2.el8.s390x.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.s390x.rpm

x86_64:
librabbitmq-0.9.0-2.el8.i686.rpm
librabbitmq-0.9.0-2.el8.x86_64.rpm
librabbitmq-debuginfo-0.9.0-2.el8.i686.rpm
librabbitmq-debuginfo-0.9.0-2.el8.x86_64.rpm
librabbitmq-debugsource-0.9.0-2.el8.i686.rpm
librabbitmq-debugsource-0.9.0-2.el8.x86_64.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.i686.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
librabbitmq-debuginfo-0.9.0-2.el8.aarch64.rpm
librabbitmq-debugsource-0.9.0-2.el8.aarch64.rpm
librabbitmq-devel-0.9.0-2.el8.aarch64.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.aarch64.rpm

ppc64le:
librabbitmq-debuginfo-0.9.0-2.el8.ppc64le.rpm
librabbitmq-debugsource-0.9.0-2.el8.ppc64le.rpm
librabbitmq-devel-0.9.0-2.el8.ppc64le.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.ppc64le.rpm

s390x:
librabbitmq-debuginfo-0.9.0-2.el8.s390x.rpm
librabbitmq-debugsource-0.9.0-2.el8.s390x.rpm
librabbitmq-devel-0.9.0-2.el8.s390x.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.s390x.rpm

x86_64:
librabbitmq-debuginfo-0.9.0-2.el8.i686.rpm
librabbitmq-debuginfo-0.9.0-2.el8.x86_64.rpm
librabbitmq-debugsource-0.9.0-2.el8.i686.rpm
librabbitmq-debugsource-0.9.0-2.el8.x86_64.rpm
librabbitmq-devel-0.9.0-2.el8.i686.rpm
librabbitmq-devel-0.9.0-2.el8.x86_64.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.i686.rpm
librabbitmq-tools-debuginfo-0.9.0-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-18609
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX6IxYdzjgjWX9erEAQiApQ/9F7Nif9dVrMaBZkY1G4HGRVpPvB6xMj54
MKjSAu7mpIxyQjQaXlpi/4ABLYAPe3aZJSZf7gq6uPOWrLpd9t+1gGAz159c36Nd
gsuwkqyfgcMlDr8dto1QJEgfVuNIqmd2AGigM9CT7pgwjIdC2HKXk9aa49YTMYMS
bPhd7MTu9U9AFVC2xjlAWtKqQqMvT51CCuBseXgEEXj8dKUmjI3uYFiK4C23AktS
g3a8AMwNx8ovtj/BGkg1I1vMsrz3TyqAdXwkudnKVMO6lgAPDkbK63jIR/WU+L4N
VjnsEUHgHjjvXKqjo4x8R+qAr4ZBD+yvtm1s1UlCysMHbWhv5YrEKWpHWa6Zn+zk
O3XRtZ6U7hCP7kifcZvPvQajdempNkd7iVthrqQbWivXixJ20+rQkkZkTTWwMmOu
uQrO+YpJ5qrw2p8vTmJtecuFoUHVpVKmUEHotg70Jk5FqiMHkQ8iDO621Qw68pmk
tU6agCsWeHoyE0cKOZoFShbkFilEAJv8QziFXXZkB14uhjiEPdeISfFRpUHk3yZM
KsLW1q4L4sFiaNFOLW+YHwHgN6wx8YDGBiXKltdxpDO7JZabrbdT9ww1kAhDN7uG
9SIO14o5UbbQq4mHL2Dkv6S2JI9AaQLip7hc3dWNLNE8QSjx+1KJr6sJ8M6EyX7x
mO9RTMllbuw=eb8i
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-4445:01 Moderate: librabbitmq security update

An update for librabbitmq is now available for Red Hat Enterprise Linux 8

Summary

The librabbitmq packages provide an Advanced Message Queuing Protocol (AMQP) client library that allows you to communicate with AMQP serversusing protocol version 0-9-1.
Security Fix(es):
* librabbitmq: integer overflow in amqp_handle_input in amqp_connection.c leads to heap-based buffer overflow (CVE-2019-18609)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2019-18609 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

Package List

Red Hat Enterprise Linux BaseOS (v. 8):
Source: librabbitmq-0.9.0-2.el8.src.rpm
aarch64: librabbitmq-0.9.0-2.el8.aarch64.rpm librabbitmq-debuginfo-0.9.0-2.el8.aarch64.rpm librabbitmq-debugsource-0.9.0-2.el8.aarch64.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.aarch64.rpm
ppc64le: librabbitmq-0.9.0-2.el8.ppc64le.rpm librabbitmq-debuginfo-0.9.0-2.el8.ppc64le.rpm librabbitmq-debugsource-0.9.0-2.el8.ppc64le.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.ppc64le.rpm
s390x: librabbitmq-0.9.0-2.el8.s390x.rpm librabbitmq-debuginfo-0.9.0-2.el8.s390x.rpm librabbitmq-debugsource-0.9.0-2.el8.s390x.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.s390x.rpm
x86_64: librabbitmq-0.9.0-2.el8.i686.rpm librabbitmq-0.9.0-2.el8.x86_64.rpm librabbitmq-debuginfo-0.9.0-2.el8.i686.rpm librabbitmq-debuginfo-0.9.0-2.el8.x86_64.rpm librabbitmq-debugsource-0.9.0-2.el8.i686.rpm librabbitmq-debugsource-0.9.0-2.el8.x86_64.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.i686.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 8):
aarch64: librabbitmq-debuginfo-0.9.0-2.el8.aarch64.rpm librabbitmq-debugsource-0.9.0-2.el8.aarch64.rpm librabbitmq-devel-0.9.0-2.el8.aarch64.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.aarch64.rpm
ppc64le: librabbitmq-debuginfo-0.9.0-2.el8.ppc64le.rpm librabbitmq-debugsource-0.9.0-2.el8.ppc64le.rpm librabbitmq-devel-0.9.0-2.el8.ppc64le.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.ppc64le.rpm
s390x: librabbitmq-debuginfo-0.9.0-2.el8.s390x.rpm librabbitmq-debugsource-0.9.0-2.el8.s390x.rpm librabbitmq-devel-0.9.0-2.el8.s390x.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.s390x.rpm
x86_64: librabbitmq-debuginfo-0.9.0-2.el8.i686.rpm librabbitmq-debuginfo-0.9.0-2.el8.x86_64.rpm librabbitmq-debugsource-0.9.0-2.el8.i686.rpm librabbitmq-debugsource-0.9.0-2.el8.x86_64.rpm librabbitmq-devel-0.9.0-2.el8.i686.rpm librabbitmq-devel-0.9.0-2.el8.x86_64.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.i686.rpm librabbitmq-tools-debuginfo-0.9.0-2.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2020:4445-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4445
Issued Date: : 2020-11-03
CVE Names: CVE-2019-18609

Topic

An update for librabbitmq is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64


Bugs Fixed

1786646 - CVE-2019-18609 librabbitmq: integer overflow in amqp_handle_input in amqp_connection.c leads to heap-based buffer overflow


Related News