Scientific Linux 6: 2012-09-19 Moderate: qpid Connection Limit Issue

Moderate: qpid security, bug fix, and enhancement update
Date: Thu, 20 Sep 2012 08:34:54 -0500
Reply-To: Pat Riehecky 
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Organization: Fermilab
Subject: Security ERRATA Moderate: qpid on SL6.x i386/x86_64
MIME-Version: 1.0

Synopsis: Moderate: qpid security, bug fix, and enhancement update
Issue Date: 2012-09-19
CVE Numbers: CVE-2012-2145

Apache Qpid is a reliable, cross-platform, asynchronous messaging system
that supports the Advanced Message Queuing Protocol (AMQP) in several
common programming languages.

It was discovered that the Qpid daemon (qpidd) did not allow the number of
connections from clients to be restricted. A malicious client could use
this flaw to open an excessive number of connections, exhausting the
broker's connection capacity and preventing other legitimate clients from
establishing a connection to qpidd. (CVE-2012-2145)

To address CVE-2012-2145, new qpidd configuration options were introduced.
max-negotiate-time bounds the time within which a new connection must
complete initial protocol negotiation, so a connection that stalls during
negotiation is closed rather than held open indefinitely.
connection-limit-per-user and connection-limit-per-ip cap the number of
concurrent connections per authenticated user and per client host IP.
Refer to the qpidd manual page for additional details.
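
The script below is an added example, not part of this errata or of the
qpid project. It parses the key=value format qpidd reads from
/etc/qpidd.conf and reports whether the three options above are actually
enabled. The caveat it illustrates: the two per-client limits default to 0,
which qpidd treats as no limit, so installing the fixed packages alone does
not restrict a flooding client until the options are set. The two sample
configurations and the limit values in them are constructed for
illustration and should be sized to the real client population.

```python
"""Audit a qpidd.conf for the CVE-2012-2145 connection-limit options.

Constructed example: parses qpidd's key=value config format and reports
per-client limits that are missing or disabled.
"""
import sys

# Options added in the qpid-cpp 0.14 errata; unset or 0 means "no limit".
PER_CLIENT_LIMITS = ("connection-limit-per-ip", "connection-limit-per-user")

# Constructed sample: a config that only turns on auth and logging.
WEAK_CONF = """\
# /etc/qpidd.conf (constructed example, before hardening)
auth=yes
log-enable=info+
"""

# Constructed sample: the same config with the new limits enabled.
HARDENED_CONF = """\
# /etc/qpidd.conf (constructed example, after hardening)
auth=yes
log-enable=info+
# global cap on broker connections
max-connections=500
# cap on concurrent connections per client host address
connection-limit-per-ip=50
# cap on concurrent connections per authenticated user
connection-limit-per-user=20
# milliseconds allowed for AMQP protocol negotiation
max-negotiate-time=2000
"""


def parse_qpidd_conf(text):
    """Parse qpidd.conf text: one option=value per line, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _positive_int(value):
    """True only for a decimal string greater than zero."""
    return value is not None and value.isdigit() and int(value) > 0


def audit_connection_limits(conf):
    """Return a list of findings; an empty list means all limits are enabled."""
    findings = []
    for opt in PER_CLIENT_LIMITS:
        if not _positive_int(conf.get(opt)):
            findings.append(
                f"{opt} is unset or 0: a single client may open unlimited connections"
            )
    neg = conf.get("max-negotiate-time")
    if neg is None:
        findings.append("max-negotiate-time not set explicitly: compiled-in default applies")
    elif not _positive_int(neg):
        findings.append(f"max-negotiate-time={neg!r} does not time out stalled negotiations")
    return findings


if __name__ == "__main__":
    # Audit the file named on the command line, or the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sources = [(sys.argv[1], fh.read())]
    else:
        sources = [("WEAK_CONF", WEAK_CONF), ("HARDENED_CONF", HARDENED_CONF)]
    for label, text in sources:
        findings = audit_connection_limits(parse_qpidd_conf(text))
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it as `python audit_qpidd.py /etc/qpidd.conf` on a broker host; with
no argument it audits the two constructed samples, reporting three
findings for the first and none for the second.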

In addition, the qpid-cpp, qpid-qmf, qpid-tools, and python-qpid packages
have been upgraded to upstream version 0.14, which provides a number of bug
fixes and enhancements over the previous version.

All users of qpid are advised to upgrade to these updated packages, which
fix these issues and add these enhancements.

For dependency resolution, saslwrapper, saslwrapper-devel, python-saslwrapper,
and ruby-saslwrapper have been added to this update.

SL6
 x86_64
 python-qpid-qmf-0.14-14.el6_3.x86_64.rpm
 qpid-cpp-client-0.14-22.el6_3.i686.rpm
 qpid-cpp-client-0.14-22.el6_3.x86_64.rpm
 qpid-cpp-client-ssl-0.14-22.el6_3.i686.rpm
 qpid-cpp-client-ssl-0.14-22.el6_3.x86_64.rpm
 qpid-cpp-server-0.14-22.el6_3.i686.rpm
 qpid-cpp-server-0.14-22.el6_3.x86_64.rpm
 qpid-cpp-server-ssl-0.14-22.el6_3.x86_64.rpm
 qpid-qmf-0.14-14.el6_3.i686.rpm
 qpid-qmf-0.14-14.el6_3.x86_64.rpm
 ruby-qpid-qmf-0.14-14.el6_3.x86_64.rpm

 Dependencies:
 python-saslwrapper-0.14-1.el6.x86_64.rpm
 ruby-saslwrapper-0.14-1.el6.x86_64.rpm
 saslwrapper-0.14-1.el6.i686.rpm
 saslwrapper-0.14-1.el6.x86_64.rpm
 saslwrapper-devel-0.14-1.el6.i686.rpm
 saslwrapper-devel-0.14-1.el6.x86_64.rpm

 i386
 python-qpid-qmf-0.14-14.el6_3.i686.rpm
 qpid-cpp-client-0.14-22.el6_3.i686.rpm
 qpid-cpp-client-ssl-0.14-22.el6_3.i686.rpm
 qpid-cpp-server-0.14-22.el6_3.i686.rpm
 qpid-cpp-server-ssl-0.14-22.el6_3.i686.rpm
 qpid-qmf-0.14-14.el6_3.i686.rpm
 ruby-qpid-qmf-0.14-14.el6_3.i686.rpm

 Dependencies:
 python-saslwrapper-0.14-1.el6.i686.rpm
 ruby-saslwrapper-0.14-1.el6.i686.rpm
 saslwrapper-0.14-1.el6.i686.rpm
 saslwrapper-devel-0.14-1.el6.i686.rpm

 noarch
 python-qpid-0.14-11.el6_3.noarch.rpm
 qpid-tools-0.14-6.el6_3.noarch.rpm

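As an added check, not part of this errata, the script below compares
`rpm -qa` output against the fixed version-release pairs in the package list
above and names any installed qpid package still older than the fix. It
reimplements rpm's version comparison in plain Python so it runs without the
rpm bindings; the sample `rpm -qa` output is constructed, and the comparison
assumes no epoch, which the errata's package names do not show.

```python
"""Flag installed qpid packages older than the builds in this errata.

Constructed example: a pure-Python rpmvercmp() plus a check over
`rpm -qa` output (name-version-release.arch, one per line).
"""
import subprocess
import sys

# Fixed (version, release) per package, taken from the errata's package list.
FIXED = {
    "qpid-cpp-client": ("0.14", "22.el6_3"),
    "qpid-cpp-client-ssl": ("0.14", "22.el6_3"),
    "qpid-cpp-server": ("0.14", "22.el6_3"),
    "qpid-cpp-server-ssl": ("0.14", "22.el6_3"),
    "qpid-qmf": ("0.14", "14.el6_3"),
    "python-qpid-qmf": ("0.14", "14.el6_3"),
    "ruby-qpid-qmf": ("0.14", "14.el6_3"),
    "python-qpid": ("0.14", "11.el6_3"),
    "qpid-tools": ("0.14", "6.el6_3"),
}

# Constructed sample of `rpm -qa` output; two packages are still unpatched.
SAMPLE_RPM_QA = """\
qpid-cpp-client-0.14-22.el6_3.x86_64
qpid-cpp-client-0.14-22.el6_3.i686
qpid-cpp-server-0.12-6.el6.x86_64
qpid-cpp-server-ssl-0.14-21.el6_3.x86_64
python-qpid-0.14-11.el6_3.noarch
qpid-tools-0.14-6.el6_3.noarch
openssl-1.0.0-25.el6_3.1.x86_64
"""


def _take(s, k, pred):
    """Return the run of characters from s[k] satisfying pred, and the index after it."""
    start = k
    while k < len(s) and pred(s[k]):
        k += 1
    return s[start:k], k


def rpmvercmp(a, b):
    """Compare two version or release strings like rpm's rpmvercmp(): -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (non-alphanumerics other than '~') are skipped.
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        # '~' sorts before anything, including end of string (1.0~rc1 < 1.0).
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a numeric run or an alphabetic run from each side.
        is_num = a[i].isdigit()
        pred = str.isdigit if is_num else str.isalpha
        seg_a, i = _take(a, i, pred)
        seg_b, j = _take(b, j, pred)
        if not seg_b:
            return 1 if is_num else -1  # numeric segment beats alphabetic
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # leftover segments mean newer


def split_nvra(pkg):
    """Split 'name-version-release.arch' into its four parts."""
    name, version, release_arch = pkg.rsplit("-", 2)
    release, arch = release_arch.rsplit(".", 1)
    return name, version, release, arch


def find_unpatched(rpm_qa_output, fixed=FIXED):
    """Return installed packages from the errata list that are older than the fix."""
    unpatched = []
    for pkg in rpm_qa_output.split():
        name, version, release, _arch = split_nvra(pkg)
        if name not in fixed:
            continue
        fixed_version, fixed_release = fixed[name]
        # Release only decides when the versions compare equal (epoch assumed absent).
        cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        if cmp < 0:
            unpatched.append(pkg)
    return unpatched


if __name__ == "__main__":
    # `--live` queries the local rpm database; otherwise the constructed sample is used.
    if "--live" in sys.argv:
        output = subprocess.run(["rpm", "-qa"], check=True, capture_output=True, text=True).stdout
    else:
        output = SAMPLE_RPM_QA
    for pkg in find_unpatched(output):
        print("UNPATCHED:", pkg)
```

On a host with both i686 and x86_64 builds installed, each architecture
is checked on its own, as the two qpid-cpp-client lines in the sample show.
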
- Scientific Linux Development Team