RedHat: RHSA-2021-1511:01 Moderate: AMQ Clients 2.9.1 release and s...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: AMQ Clients 2.9.1 release and security update
Advisory ID:       RHSA-2021:1511-01
Product:           Red Hat AMQ Clients
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1511
Issue date:        2021-05-06
CVE Names:         CVE-2021-21290 CVE-2021-21295 CVE-2021-21409 
=====================================================================

1. Summary:

An update is now available for Red Hat AMQ Clients 2.9.1.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

7Client-AMQ-Clients-2 - noarch, x86_64
7ComputeNode-AMQ-Clients-2 - noarch, x86_64
7Server-AMQ-Clients-2 - noarch, x86_64
7Workstation-AMQ-Clients-2 - noarch, x86_64
8Base-AMQ-Clients-2 - noarch, x86_64

3. Description:

Red Hat AMQ Clients enable connecting, sending, and receiving messages over
the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7.

This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 7
and 8.

Security Fix(es):

* netty: Information disclosure via the local system temporary directory
(CVE-2021-21290)

* netty: possible request smuggling in HTTP/2 due missing validation
(CVE-2021-21295)

* netty: Request smuggling via content-length header (CVE-2021-21409)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
1944888 - CVE-2021-21409 netty: Request smuggling via content-length header

6. JIRA issues fixed (https://issues.jboss.org/):

ENTMQCL-2586 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory [amq-cl-2]
ENTMQCL-2596 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation [amq-cl-2]
ENTMQCL-2685 - CVE-2021-21409 netty: Request smuggling via content-length header [amq-cl-2]

7. Package List:

7Client-AMQ-Clients-2:

Source:
qpid-proton-0.33.0-6.el7_9.src.rpm

noarch:
python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm

x86_64:
python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm
rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm

7ComputeNode-AMQ-Clients-2:

Source:
qpid-proton-0.33.0-6.el7_9.src.rpm

noarch:
python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm

x86_64:
python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm
rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm

7Server-AMQ-Clients-2:

Source:
qpid-proton-0.33.0-6.el7_9.src.rpm

noarch:
python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm

x86_64:
python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm
rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm

7Workstation-AMQ-Clients-2:

Source:
qpid-proton-0.33.0-6.el7_9.src.rpm

noarch:
python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm
qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm

x86_64:
python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm
qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm
rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm

8Base-AMQ-Clients-2:

Source:
qpid-proton-0.33.0-8.el8.src.rpm

noarch:
python-qpid-proton-docs-0.33.0-8.el8.noarch.rpm
qpid-proton-c-docs-0.33.0-8.el8.noarch.rpm
qpid-proton-cpp-docs-0.33.0-8.el8.noarch.rpm
qpid-proton-tests-0.33.0-8.el8.noarch.rpm

x86_64:
python3-qpid-proton-0.33.0-8.el8.x86_64.rpm
python3-qpid-proton-debuginfo-0.33.0-8.el8.x86_64.rpm
qpid-proton-c-0.33.0-8.el8.x86_64.rpm
qpid-proton-c-debuginfo-0.33.0-8.el8.x86_64.rpm
qpid-proton-c-devel-0.33.0-8.el8.x86_64.rpm
qpid-proton-cpp-0.33.0-8.el8.x86_64.rpm
qpid-proton-cpp-debuginfo-0.33.0-8.el8.x86_64.rpm
qpid-proton-cpp-devel-0.33.0-8.el8.x86_64.rpm
qpid-proton-debuginfo-0.33.0-8.el8.x86_64.rpm
qpid-proton-debugsource-0.33.0-8.el8.x86_64.rpm
rubygem-qpid_proton-0.33.0-8.el8.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.33.0-8.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2021-21290
https://access.redhat.com/security/cve/CVE-2021-21295
https://access.redhat.com/security/cve/CVE-2021-21409
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_amq/

9. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYJOfftzjgjWX9erEAQj+2g/+JFftwDGLiEj+Svg0TbMD8ZsrA/xaXtw7
uYVdRIGBGQQPG8VGYVmbOVBFWBsZlF6+6v05975AJqCZcoPn6oJZBQabsEOTIyj6
Q2AzW8cfx7M8TjV27O+woPB1wMMo+PhsJHgSOTnXiZWT10geQKLGWZ81dLn37rT/
s85Vr5ANqtQxaw3Uv8B5rgAybdEJEQ8m7E9zRJtlAeo+qTFugJT0c11Jxt6t+2vl
gWl1+mbO0pwuovGCFS2smB1G9TMF4/dOIX15qlgV98EK30fLVkGth/sCfjtMJDwz
8xoy+LaxIHBxH1sqfUVF8I1u/ngPhinlby31GI9jM3Qkuqjklo7I9+vYzxik0lBt
5fcsMxB3HjTWyuMx+7KssdPcvKFBIXbHtf9wuVIfiRR/Vuk35f5fwPvjNrhaOmNW
TjM8cfu/ioWREh1qHUr3Bq9Nv0k/yh4m2xA9/P7bDIXvZrRWbVTsP301r8x1VbQw
w6IohuS3wi1TM7vU5MZQv/BxAql1n1f66k1++nofq5D8/DLAAkHNHHNpr4O4rKTj
PT7KxahxRACP1EiwGyHdcvHLWJQgJ/vwqFWCCFlmOoi8dGDBdXqNfESNpCn8+kII
3OQF2n5g8lxgMKDpUuaAU/aYybm9CcUW8Ncw+vYBlJn/gK2FPSKm606Pd5KqQXmC
egK9mWwN/dY=
=JIov
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-1511:01 Moderate: AMQ Clients 2.9.1 release and security

An update is now available for Red Hat AMQ Clients 2.9.1

Summary

Red Hat AMQ Clients enable connecting, sending, and receiving messages over the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7.
This update provides various bug fixes and enhancements in addition to the client package versions previously released on Red Hat Enterprise Linux 7 and 8.
Security Fix(es):
* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)
* netty: Request smuggling via content-length header (CVE-2021-21409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released erratarelevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-21290 https://access.redhat.com/security/cve/CVE-2021-21295 https://access.redhat.com/security/cve/CVE-2021-21409 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_amq/

Package List

7Client-AMQ-Clients-2:
Source: qpid-proton-0.33.0-6.el7_9.src.rpm
noarch: python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm
x86_64: python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm
7ComputeNode-AMQ-Clients-2:
Source: qpid-proton-0.33.0-6.el7_9.src.rpm
noarch: python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm
x86_64: python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm
7Server-AMQ-Clients-2:
Source: qpid-proton-0.33.0-6.el7_9.src.rpm
noarch: python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm
x86_64: python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm
7Workstation-AMQ-Clients-2:
Source: qpid-proton-0.33.0-6.el7_9.src.rpm
noarch: python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm
x86_64: python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm
8Base-AMQ-Clients-2:
Source: qpid-proton-0.33.0-8.el8.src.rpm
noarch: python-qpid-proton-docs-0.33.0-8.el8.noarch.rpm qpid-proton-c-docs-0.33.0-8.el8.noarch.rpm qpid-proton-cpp-docs-0.33.0-8.el8.noarch.rpm qpid-proton-tests-0.33.0-8.el8.noarch.rpm
x86_64: python3-qpid-proton-0.33.0-8.el8.x86_64.rpm python3-qpid-proton-debuginfo-0.33.0-8.el8.x86_64.rpm qpid-proton-c-0.33.0-8.el8.x86_64.rpm qpid-proton-c-debuginfo-0.33.0-8.el8.x86_64.rpm qpid-proton-c-devel-0.33.0-8.el8.x86_64.rpm qpid-proton-cpp-0.33.0-8.el8.x86_64.rpm qpid-proton-cpp-debuginfo-0.33.0-8.el8.x86_64.rpm qpid-proton-cpp-devel-0.33.0-8.el8.x86_64.rpm qpid-proton-debuginfo-0.33.0-8.el8.x86_64.rpm qpid-proton-debugsource-0.33.0-8.el8.x86_64.rpm rubygem-qpid_proton-0.33.0-8.el8.x86_64.rpm rubygem-qpid_proton-debuginfo-0.33.0-8.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity
Advisory ID: RHSA-2021:1511-01
Product: Red Hat AMQ Clients
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1511
Issued Date: : 2021-05-06
CVE Names: CVE-2021-21290 CVE-2021-21295 CVE-2021-21409

Topic

An update is now available for Red Hat AMQ Clients 2.9.1.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

7Client-AMQ-Clients-2 - noarch, x86_64

7ComputeNode-AMQ-Clients-2 - noarch, x86_64

7Server-AMQ-Clients-2 - noarch, x86_64

7Workstation-AMQ-Clients-2 - noarch, x86_64

8Base-AMQ-Clients-2 - noarch, x86_64

Bugs Fixed

1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory

1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation

1944888 - CVE-2021-21409 netty: Request smuggling via content-length header

6. JIRA issues fixed (https://issues.jboss.org/):

ENTMQCL-2586 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory [amq-cl-2]

ENTMQCL-2596 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation [amq-cl-2]

ENTMQCL-2685 - CVE-2021-21409 netty: Request smuggling via content-length header [amq-cl-2]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.