Bugzilla – Bug 973343
VUL-0: CVE-2016-2166: qpid-proton: reactor sends messages in clear if ssl is requested but not available
Last modified: 2020-04-30 14:18:59 UTC
rh#1320842 Messaging applications using the Proton Python API to provision an SSL/TLS encrypted TCP connection may actually instantiate a non-encrypted connection without notice if SSL support is unavailable. This will result in all messages being sent in the clear without the knowledge of the user. This issue affects those applications that use the Proton Reactor Python API to create SSL/TLS connections. Specifically the proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes are vulnerable. These classes can create an unencrypted connection if the "amqps://" URL prefix is used. The issue only occurs if the installed Proton libraries do not support SSL. This would be the case if the libraries were built without SSL support or the necessary SSL libraries are not present on the system (e.g. OpenSSL in the case of *nix).

References: http://seclists.org/bugtraq/2016/Mar/166
Upstream fix: https://issues.apache.org/jira/browse/PROTON-1157
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1320842
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2166
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2166.html
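Added example, not from the bug report or the qpid-proton project: a fail-closed pre-flight guard an application can run before handing an "amqps://" URL to Connector, Container or BlockingConnection, so a Proton build without SSL support raises instead of silently opening a cleartext connection. It assumes the python-qpid-proton module exposes proton.SSL.present(); the probe is injectable so the check can be exercised without Proton installed.

```python
"""Refuse to open an amqps:// connection when the local Proton build lacks SSL."""
from urllib.parse import urlsplit


class TLSUnavailableError(RuntimeError):
    """Raised instead of letting the reactor fall back to a cleartext AMQP link."""


def proton_ssl_present():
    """True if the installed Proton library was built with SSL support.

    Assumption: proton.SSL.present() exists (python-qpid-proton).  If the module
    cannot be imported at all we report False so the guard fails closed.
    """
    try:
        from proton import SSL
    except ImportError:
        return False
    return bool(SSL.present())


def check_transport_security(url, ssl_present=None):
    """Return the scheme the connection will really use, or raise.

    url          -- the AMQP URL the application is about to open.
    ssl_present  -- optional override of the SSL probe (used by tests); by
                    default the installed Proton build is probed.
    """
    if ssl_present is None:
        ssl_present = proton_ssl_present()
    scheme = urlsplit(url).scheme.lower()
    if scheme == "amqps":
        if not ssl_present:
            # This is the condition CVE-2016-2166 turned into a silent downgrade.
            raise TLSUnavailableError(
                "amqps:// requested for %s but the Proton build has no SSL "
                "support; refusing to fall back to cleartext" % url)
        return "amqps"
    if scheme == "amqp":
        return "amqp"
    raise ValueError("unsupported AMQP URL scheme: %r" % scheme)


if __name__ == "__main__":
    # Constructed example URL; nothing is connected here, only checked.
    print(check_transport_security("amqps://broker.example.com:5671"))
```

Call check_transport_security() on the URL before constructing the reactor object; when it returns "amqps" the application knows the SSL layer is at least available to be applied.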
This is an autogenerated message for OBS integration: This bug (973343) was mentioned in https://build.opensuse.org/request/show/382437 Factory / qpid-proton
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (973343) was mentioned in https://build.opensuse.org/request/show/384393 Factory / qpid-proton
This is an autogenerated message for OBS integration: This bug (973343) was mentioned in https://build.opensuse.org/request/show/385920 Factory / qpid-proton
This is an autogenerated message for OBS integration: This bug (973343) was mentioned in https://build.opensuse.org/request/show/388212 Factory / qpid-proton
Released
Done