Description
Security update for qpid-proton
This update for qpid-proton fixes the following issues:
- CVE-2019-0223: Fixed TLS Man in the Middle Vulnerability (bsc#1133158).
The following non-security bugs were fixed:
- Fix build with OpenSSL 3.0.0 (bsc#1172267)
- Sort linked .o files to make package build reproducible (bsc#1041090)
- Fix build with gcc8 (bsc#1084627)
- Move libqpid-proton-core to a different package to fix an rpmlint error (bsc#1191783)
Package list
openSUSE Leap 15.5
python3-python-qpid-proton-0.38.0-150000.6.3.1
qpid-proton-devel-0.38.0-150000.6.3.1
qpid-proton-devel-doc-0.38.0-150000.6.3.1
References
- Link for SUSE-SU-2024:1074-1
- E-Mail link for SUSE-SU-2024:1074-1
- SUSE Security Ratings
- SUSE Bug 1041090
- SUSE Bug 1084627
- SUSE Bug 1133158
- SUSE Bug 1172267
- SUSE Bug 1191783
- SUSE CVE CVE-2019-0223 page
Description
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.
Affected products
openSUSE Leap 15.5:python3-python-qpid-proton-0.38.0-150000.6.3.1
openSUSE Leap 15.5:qpid-proton-devel-0.38.0-150000.6.3.1
openSUSE Leap 15.5:qpid-proton-devel-doc-0.38.0-150000.6.3.1
References
- CVE-2019-0223
- SUSE Bug 1133158