Red Hat 9062 Published by

Red Hat has released a security update for AMQ Clients 2.6.0.



=====================================================================
Red Hat Security Advisory

Synopsis: Important: AMQ Clients 2.6.0 Release
Advisory ID: RHSA-2020:0601-01
Product: Red Hat AMQ Clients
Advisory URL:   https://access.redhat.com/errata/RHSA-2020:0601
Issue date: 2020-02-25
CVE Names: CVE-2019-20444 CVE-2019-20445 CVE-2020-7238
=====================================================================

1. Summary:

An update is now available for Red Hat AMQ Clients 2.6.0. Red Hat Product
Security has rated this update as having a security impact of Important.

A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

6Client-AMQ-Clients-2 - i386, noarch, x86_64
6ComputeNode-AMQ-Clients-2 - noarch, x86_64
6Server-AMQ-Clients-2 - i386, noarch, x86_64
6Workstation-AMQ-Clients-2 - i386, noarch, x86_64
7Client-AMQ-Clients-2 - noarch, x86_64
7ComputeNode-AMQ-Clients-2 - noarch, x86_64
7Server-AMQ-Clients-2 - noarch, x86_64
7Workstation-AMQ-Clients-2 - noarch, x86_64
8Base-AMQ-Clients-2 - noarch, x86_64

3. Description:

Red Hat AMQ Clients enable connecting, sending, and receiving messages over
the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7.

This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 6,
7, and 8.

Security Fix(es):

* netty: HTTP request smuggling (CVE-2019-20444)

* netty: HttpObjectDecoder.java allows Content-Length header to accompanied
by second Content-Length header (CVE-2019-20445)

* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace
mishandling (CVE-2020-7238)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

5. Bugs fixed (  https://bugzilla.redhat.com/):

1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
1798524 - CVE-2019-20444 netty: HTTP request smuggling

6. JIRA issues fixed (  https://issues.jboss.org/):

ENTMQCL-1075 - [python] Example broker.py is using collections.deque.count from Python 2.7
ENTMQCL-1076 - [python] Example abstract_server.py is using relative import
ENTMQCL-1246 - [python] Install egg-info directory
ENTMQCL-1287 - [python] Read a config file to get default connection parameters (Windows)
ENTMQCL-1322 - amqpnetlite-sdk-2.1.6 does not export resource strings
ENTMQCL-1361 - [python] Convert strings in the API to AMQP symbols where required
ENTMQCL-1364 - [python] P2P detach frame not received results in connection aborted
ENTMQCL-1578 - [python] qpid-proton-0.28.0-1.el7 leaks memory
ENTMQCL-1583 - [doc] Broken links in rh-messaging/amq-docs master
ENTMQCL-1635 - [javascript] File-based connection configuration can't use named ports
ENTMQCL-1641 - [dotnet] Update AMQ .NET Client based on amqpnetlite 2.2
ENTMQCL-1679 - [python] HOME location of file-based connection configuration does not point to HOME location
ENTMQCL-1717 - [python] Default port should be amqps
ENTMQCL-1726 - [jms] Improve performance when using simulated anonymous producers
ENTMQCL-1781 - Established connections are aborted after the system clock is shifted forward
ENTMQCL-1818 - [javascript] npm install fails due to missing configuration file for ESLint
ENTMQCL-1835 - [jms] client-ack consumers don't increment remote delivery count on closure after fresh recover

7. Package List:

6Client-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-4.el6_10.src.rpm

i386:
python-qpid-proton-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm

noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm

6ComputeNode-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-4.el6_10.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm

6Server-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-4.el6_10.src.rpm

i386:
python-qpid-proton-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm

noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm

6Workstation-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-4.el6_10.src.rpm

i386:
python-qpid-proton-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-0.30.0-4.el6_10.i686.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-0.30.0-4.el6_10.i686.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.i686.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.i686.rpm

noarch:
python-qpid-proton-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-c-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-cpp-docs-0.30.0-4.el6_10.noarch.rpm
qpid-proton-tests-0.30.0-4.el6_10.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-c-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-4.el6_10.x86_64.rpm
qpid-proton-debuginfo-0.30.0-4.el6_10.x86_64.rpm

7Client-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm

7ComputeNode-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm

7Server-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm

7Workstation-AMQ-Clients-2:

Source:
qpid-proton-0.30.0-2.el7.src.rpm
rubygem-qpid_proton-0.30.0-1.el7.src.rpm

noarch:
python-qpid-proton-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-c-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-cpp-docs-0.30.0-2.el7.noarch.rpm
qpid-proton-tests-0.30.0-2.el7.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el7.noarch.rpm

x86_64:
python-qpid-proton-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-0.30.0-2.el7.x86_64.rpm
qpid-proton-c-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-0.30.0-2.el7.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-2.el7.x86_64.rpm
qpid-proton-debuginfo-0.30.0-2.el7.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el7.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el7.x86_64.rpm

8Base-AMQ-Clients-2:

Source:
nodejs-rhea-1.0.16-1.el8.src.rpm
qpid-proton-0.30.0-3.el8.src.rpm
rubygem-qpid_proton-0.30.0-1.el8.src.rpm

noarch:
nodejs-rhea-1.0.16-1.el8.noarch.rpm
python-qpid-proton-docs-0.30.0-3.el8.noarch.rpm
qpid-proton-c-docs-0.30.0-3.el8.noarch.rpm
qpid-proton-cpp-docs-0.30.0-3.el8.noarch.rpm
qpid-proton-tests-0.30.0-3.el8.noarch.rpm
rubygem-qpid_proton-doc-0.30.0-1.el8.noarch.rpm

x86_64:
python3-qpid-proton-0.30.0-3.el8.x86_64.rpm
python3-qpid-proton-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-c-0.30.0-3.el8.x86_64.rpm
qpid-proton-c-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-c-devel-0.30.0-3.el8.x86_64.rpm
qpid-proton-cpp-0.30.0-3.el8.x86_64.rpm
qpid-proton-cpp-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-cpp-devel-0.30.0-3.el8.x86_64.rpm
qpid-proton-debuginfo-0.30.0-3.el8.x86_64.rpm
qpid-proton-debugsource-0.30.0-3.el8.x86_64.rpm
rubygem-qpid_proton-0.30.0-1.el8.x86_64.rpm
rubygem-qpid_proton-debuginfo-0.30.0-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
  https://access.redhat.com/security/team/key/

8. References:

  https://access.redhat.com/security/cve/CVE-2019-20444
  https://access.redhat.com/security/cve/CVE-2019-20445
  https://access.redhat.com/security/cve/CVE-2020-7238
  https://access.redhat.com/security/updates/classification/#important
  https://access.redhat.com/documentation/en-us/red_hat_amq/

9. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.