5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
6.2 Medium
AI Score
Confidence
Low
0.01 Low
EPSS
Percentile
83.5%
CentOS Errata and Security Advisory CESA-2012:1269
Apache Qpid is a reliable, cross-platform, asynchronous messaging system
that supports the Advanced Message Queuing Protocol (AMQP) in several
common programming languages.
It was discovered that the Qpid daemon (qpidd) did not allow the number of
connections from clients to be restricted. A malicious client could use
this flaw to open an excessive amount of connections, preventing other
legitimate clients from establishing a connection to qpidd. (CVE-2012-2145)
To address CVE-2012-2145, new qpidd configuration options were introduced:
max-negotiate-time defines the time during which initial protocol
negotiation must succeed, connection-limit-per-user and
connection-limit-per-ip can be used to limit the number of connections per
user and client host IP. Refer to the qpidd manual page for additional
details.
In addition, the qpid-cpp, qpid-qmf, qpid-tools, and python-qpid packages
have been upgraded to upstream version 0.14, which provides support for Red
Hat Enterprise MRG 2.2, as well as a number of bug fixes and enhancements
over the previous version. (BZ#840053, BZ#840055, BZ#840056, BZ#840058)
All users of qpid are advised to upgrade to these updated packages, which
fix these issues and add these enhancements.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2012-September/081057.html
Affected packages:
python-qpid
python-qpid-qmf
qpid-cpp-client
qpid-cpp-client-devel
qpid-cpp-client-devel-docs
qpid-cpp-client-rdma
qpid-cpp-client-ssl
qpid-cpp-server
qpid-cpp-server-cluster
qpid-cpp-server-devel
qpid-cpp-server-rdma
qpid-cpp-server-ssl
qpid-cpp-server-store
qpid-cpp-server-xml
qpid-qmf
qpid-qmf-devel
qpid-tools
rh-qpid-cpp-tests
ruby-qpid-qmf
Upstream details at:
https://access.redhat.com/errata/RHSA-2012:1269
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 6 | noarch | python-qpid | < 0.14-11.el6_3 | python-qpid-0.14-11.el6_3.noarch.rpm |
CentOS | 6 | i686 | python-qpid-qmf | < 0.14-14.el6_3 | python-qpid-qmf-0.14-14.el6_3.i686.rpm |
CentOS | 6 | i686 | qpid-cpp-client | < 0.14-22.el6_3 | qpid-cpp-client-0.14-22.el6_3.i686.rpm |
CentOS | 6 | i686 | qpid-cpp-client-devel | < 0.14-22.el6_3 | qpid-cpp-client-devel-0.14-22.el6_3.i686.rpm |
CentOS | 6 | noarch | qpid-cpp-client-devel-docs | < 0.14-22.el6_3 | qpid-cpp-client-devel-docs-0.14-22.el6_3.noarch.rpm |
CentOS | 6 | i686 | qpid-cpp-client-rdma | < 0.14-22.el6_3 | qpid-cpp-client-rdma-0.14-22.el6_3.i686.rpm |
CentOS | 6 | i686 | qpid-cpp-client-ssl | < 0.14-22.el6_3 | qpid-cpp-client-ssl-0.14-22.el6_3.i686.rpm |
CentOS | 6 | i686 | qpid-cpp-server | < 0.14-22.el6_3 | qpid-cpp-server-0.14-22.el6_3.i686.rpm |
CentOS | 6 | i686 | qpid-cpp-server-cluster | < 0.14-22.el6_3 | qpid-cpp-server-cluster-0.14-22.el6_3.i686.rpm |
CentOS | 6 | i686 | qpid-cpp-server-devel | < 0.14-22.el6_3 | qpid-cpp-server-devel-0.14-22.el6_3.i686.rpm |