Bug 973343 - (CVE-2016-2166) VUL-0: CVE-2016-2166: qpid-proton: reactor sends messages in clear if ssl is requested but not available
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/164197/
Reported: 2016-03-31 08:18 UTC by Johannes Segitz
Modified: 2020-04-30 14:18 UTC
Found By: Security Response Team
Blocker: ---
Description Johannes Segitz 2016-03-31 08:18:00 UTC
rh#1320842

Messaging applications using the Proton Python API to provision an SSL/TLS encrypted TCP connection may actually instantiate a non-encrypted connection without notice if SSL support is unavailable. This will result in all messages being sent in the clear without the knowledge of the user.

This issue affects those applications that use the Proton Reactor Python API to create SSL/TLS connections. Specifically, the proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes are vulnerable. These classes can create unencrypted connections if the "amqps://" URL prefix is used.

The issue only occurs if the installed Proton libraries do not support SSL. This would be the case if the libraries were built without SSL support or the necessary SSL libraries are not present on the system (e.g. OpenSSL in the case of *nix).

References:
http://seclists.org/bugtraq/2016/Mar/166

Upstream fix:
https://issues.apache.org/jira/browse/PROTON-1157

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1320842
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2166
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2166.html
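A guard against the silent fallback described in this report, added here as an example and not code from the bug report or from qpid-proton itself: it refuses to open a connection when an "amqps://" URL is requested but the installed Proton library reports no SSL support, instead of letting the reactor classes quietly use plain TCP. It assumes the real proton module's SSL.present() static method (part of the Proton Python API) and, like Proton's Url class, treats a URL without a scheme as amqp; the function and exception names are this example's own.

```python
"""Refuse amqps:// URLs when the Proton library has no SSL support."""

try:  # proton is optional here so the check itself runs without it installed
    from proton import SSL as _ProtonSSL
except ImportError:
    _ProtonSSL = None


class SSLUnavailableError(RuntimeError):
    """Raised instead of silently opening a cleartext connection."""


def ssl_support_present():
    """True if proton is importable and was built with SSL support.

    proton.SSL.present() is the library's own report of SSL availability;
    a missing proton module is treated as "no SSL" (conservative default).
    """
    if _ProtonSSL is None:
        return False
    return bool(_ProtonSSL.present())


def check_url_transport(url, ssl_present=None):
    """Return the normalised scheme of `url` after verifying it can be honoured.

    The vulnerable reactor classes opened a plain TCP connection for
    amqps:// URLs when SSL was unavailable; here that mismatch is turned
    into an exception before any socket is created.  `ssl_present` may be
    passed explicitly (useful for tests); otherwise the library is queried.
    """
    if ssl_present is None:
        ssl_present = ssl_support_present()
    scheme, sep, _rest = url.partition("://")
    scheme = scheme.lower() if sep else "amqp"  # no scheme: Proton assumes amqp
    if scheme not in ("amqp", "amqps"):
        raise ValueError("unsupported scheme %r in %r" % (scheme, url))
    if scheme == "amqps" and not ssl_present:
        raise SSLUnavailableError(
            "amqps:// requested for %r but the installed proton library has no "
            "SSL support; refusing to fall back to a cleartext connection" % url)
    return scheme


def guarded_blocking_connection(url, **kwargs):
    """Open proton.utils.BlockingConnection only after the transport check."""
    check_url_transport(url)
    from proton.utils import BlockingConnection  # real Proton class
    return BlockingConnection(url, **kwargs)
```

Applications built against a fixed Proton release get an equivalent error from the library itself; this wrapper gives the same guarantee on deployments where the installed library cannot be trusted to have the fix.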
Comment 3 Bernhard Wiedemann 2016-03-31 11:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (973343) was mentioned in
https://build.opensuse.org/request/show/382437 Factory / qpid-proton
Comment 4 Swamp Workflow Management 2016-03-31 22:00:41 UTC
bugbot adjusting priority
Comment 5 Bernhard Wiedemann 2016-04-05 09:00:38 UTC
This is an autogenerated message for OBS integration:
This bug (973343) was mentioned in
https://build.opensuse.org/request/show/384393 Factory / qpid-proton
Comment 6 Bernhard Wiedemann 2016-04-07 16:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (973343) was mentioned in
https://build.opensuse.org/request/show/385920 Factory / qpid-proton
Comment 7 Bernhard Wiedemann 2016-04-12 15:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (973343) was mentioned in
https://build.opensuse.org/request/show/388212 Factory / qpid-proton
Comment 8 Fridrich Strba 2019-10-07 11:04:27 UTC
Released
Comment 9 Alexandros Toptsoglou 2020-04-30 14:18:59 UTC
Done