{"id": "SECURITYVULNS:DOC:31689", "bulletinFamily": "software", "title": "CVE-2015-0224: qpidd can be crashed by unauthenticated user", "description": "\r\n Apache Software Foundation - Security Advisory\r\n\r\n qpidd can be crashed by unauthenticated user\r\n\r\nCVE-2015-0224 CVS: 7.8\r\n\r\nSeverity: Moderate\r\n\r\nVendor:\r\n\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\n\r\nApache Qpid's qpidd up to and including version 0.30\r\n\r\nDescription:\r\n\r\nIn CVE-2015-0203 it was announced that certain unexpected protocol\r\nsequences cause the broker process to crash due to insufficient\r\nchecking, but that authentication could be used to restrict the\r\nexploitation of this vulnerability.\r\n\r\nIt has now been discovered that in fact failing authentication does\r\nnot necessarily prevent exploitation of those reported\r\nvulnerabilities.\r\n\r\nFurther, it was stated that one of the specific vulnerabilities was\r\nthat the qpidd broker can be crashed by sending it a sequence-set\r\ncontaining an invalid range, where the start of the range is after the\r\nend. This was an incorrect analysis of the vulnerability, which is in\r\nfact caused by a sequence-set containing a single range expressing the\r\nmaximum possible gap.\r\n\r\nSolution:\r\n\r\nA further patch is available that handles a range expressing the\r\nmaximum possible gap without assertion\r\n(https://issues.apache.org/jira/browse/QPID-6310). The fix will be\r\nincluded in subsequent releases, but can be applied to 0.30 if\r\ndesired.\r\n\r\nCredit:\r\n\r\nThis issue was discovered by G. Geshev from MWR Labs\r\n\r\nCommon Vulnerability Score information:\r\n\r\nCVSS Base Score 7.8\r\nImpact Subscore 6.9\r\nExploitability Subscore 10\r\nOverall CVSS Score 7.8\r\n", "published": "2015-02-02T00:00:00", "modified": "2015-02-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31689", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2015-0203", "CVE-2015-0224"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:57", "edition": 1, "viewCount": 8, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2018-08-31T11:10:57", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-0203", "CVE-2015-0224"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14210", "SECURITYVULNS:DOC:31613", "SECURITYVULNS:VULN:14252"]}, {"type": "nessus", "idList": ["FEDORA_2015-9503.NASL", "REDHAT-RHSA-2015-0661.NASL", "REDHAT-RHSA-2015-0708.NASL", "FEDORA_2016-120B194A75.NASL", "REDHAT-RHSA-2015-0660.NASL", "REDHAT-RHSA-2015-0707.NASL", "REDHAT-RHSA-2015-0662.NASL", "FEDORA_2017-F76BF63612.NASL"]}, {"type": "redhat", "idList": ["RHSA-2015:0707", "RHSA-2015:0661", "RHSA-2015:0660", "RHSA-2015:0708", "RHSA-2015:0662"]}, {"type": "fedora", "idList": ["FEDORA:AD12E6075B5C", "FEDORA:782FF60DD3E2", "FEDORA:0EB5E61740D6", "FEDORA:CC360607549D", "FEDORA:737D66076F41"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310869455", "OPENVAS:1361412562310874011", "OPENVAS:1361412562310873844", "OPENVAS:1361412562310807490", "OPENVAS:1361412562310874010"]}], "modified": "2018-08-31T11:10:57", "rev": 2}, "vulnersScore": 6.2}, "affectedSoftware": []}

{"cve": [{"lastseen": "2021-02-02T06:21:19", "description": "The qpidd broker in Apache Qpid 0.30 and earlier allows remote authenticated users to cause a denial of service (daemon crash) via an AMQP message with (1) an invalid range in a sequence set, (2) content-bearing methods other than message-transfer, or (3) a session-gap control before a corresponding session-attach.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-02-21T15:29:00", "title": "CVE-2015-0203", "type": "cve", "cwe": ["CWE-19"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0203"], "modified": "2018-03-18T14:05:00", "cpe": ["cpe:/a:apache:qpid:0.30"], "id": "CVE-2015-0203", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0203", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:apache:qpid:0.30:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:21:20", "description": "qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-10-30T14:29:00", "title": "CVE-2015-0224", "type": "cve", "cwe": ["CWE-19"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0224"], "modified": "2018-10-09T19:55:00", "cpe": ["cpe:/a:apache:qpid:0.30"], "id": "CVE-2015-0224", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0224", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:apache:qpid:0.30:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:56", "bulletinFamily": "software", "cvelist": ["CVE-2015-0203"], "description": "\r\n Apache Software Foundation - Security Advisory\r\n\r\n Apache Qpid&#39;s qpidd can be crashed by authenticated user\r\n\r\nCVE-2015-0203 CVS: 5.2\r\n\r\nSeverity: Moderate\r\n\r\nVendor:\r\n\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\n\r\nApache Qpid&#39;s qpidd up to and including version 0.30\r\n\r\nDescription:\r\n\r\nCertain unexpected protocol sequences cause the broker process to\r\ncrash due to insufficient checking. Three distinct cases were\r\nidentified as follows:\r\n\r\nThe AMQP 0-10 protocol defines a sequence set containing id\r\nranges. The qpidd broker can be crashed by sending it a sequence-set\r\ncontaining an invalid range, where the start of the range is after the\r\nend. This condition causes an assertion, which causes the broker\r\nprocess to exit.\r\n\r\nThe AMQP 0-10 protocol defines header- and body- segments that may\r\nfollow certain commands. The only command for which such segments are\r\nexpected by qpidd is the message-transfer command. If another command\r\nis sent that includes header and/or body segments, this will cause a\r\nsegmentation fault in the broker process, causing it then to exit.\r\n\r\nThe AMQP 0-10 protocol defines a session-gap control that can be sent\r\non any established session. The qpidd broker does not support this\r\ncontrol and responds with an appropriate error if requested on an\r\nestablished session. However, if the control is sent before the\r\nsession is opened, the brokers handling causes an assertion which\r\nresults in the broker process exiting.\r\n\r\nSolution:\r\n\r\nA patch is available &#40;https://issues.apache.org/jira/browse/QPID-6310&#41;\r\nthat handles all these errors by sending an exception control to the\r\nremote peer and leave the broker available to all other users. The fix\r\nwill be included in subsequent releases, but can be applied to 0.30 if\r\ndesired.\r\n\r\nCommon Vulnerability Score information:\r\n\r\nAuthentication can be used to restrict access to the broker. However\r\nany authenticated user would be able to trigger this condition which\r\ncould therefore be considered a form of denial of service.\r\n\r\nCredit:\r\n\r\nThis issue was discovered by G. Geshev from MWR Labs\r\n\r\nCommon Vulnerability Score information:\r\n\r\n\r\nCVSS Base Score 6.3\r\nImpact Subscore 6.9\r\nExploitability Subscore 6.8\r\nCVSS Temporal Score 5.2\r\nCVSS Environmental Score Not Defined\r\nModified Impact Subscore Not Defined\r\nOverall CVSS Score 5.2\r\n", "edition": 1, "modified": "2015-01-14T00:00:00", "published": "2015-01-14T00:00:00", "id": "SECURITYVULNS:DOC:31613", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31613", "title": "CVE-2015-0203: Apache Qpid&#39;s qpidd can be crashed by authenticated user", "type": "securityvulns", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:58", "bulletinFamily": "software", "cvelist": ["CVE-2015-0203"], "description": "Multiple assert&#40;&#41;s.", "edition": 1, "modified": "2015-01-14T00:00:00", "published": "2015-01-14T00:00:00", "id": "SECURITYVULNS:VULN:14210", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14210", "title": "Apache qpid DoS", "type": "securityvulns", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:59", "bulletinFamily": "software", "cvelist": ["CVE-2015-0224", "CVE-2015-0223"], "description": "DoS, non-switchable anonymous access.", "edition": 1, "modified": "2015-02-02T00:00:00", "published": "2015-02-02T00:00:00", "id": "SECURITYVULNS:VULN:14252", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14252", "title": "Apache Qpid security vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "redhat": [{"lastseen": "2019-08-13T18:46:10", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203", "CVE-2015-0223", "CVE-2015-0224"], "description": "Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation\nIT infrastructure for enterprise computing. MRG offers increased\nperformance, reliability, interoperability, and faster computing for\nenterprise customers.\n\nThe Qpid packages provide a message broker daemon that receives, stores and\nroutes messages using the open AMQP messaging protocol along with run-time\nlibraries for AMQP client applications developed using Qpid C++. Clients\nexchange messages with an AMQP message broker using the AMQP protocol.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access to\nanonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nMultiple flaws were found in the way the Qpid daemon (qpidd) processed\ncertain protocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set could use these flaws to crash\nqpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for reporting\nthe CVE-2015-0203 issue. Upstream acknowledges G. Geshev from MWR Labs as\nthe original reporter.\n\nThis update also fixes the following bug:\n\n* Prior to this update, because message purging was performed on a timer\nthread, large purge events could have caused all other timer tasks to be\ndelayed. Because heartbeats were also driven by a timer on this thread,\nthis could have resulted in clients timing out because they were not\nreceiving heartbeats. The fix moves expired message purging from the timer\nthread to a worker thread, which allow long-running expired message purges\nto not affect timer tasks such as the heartbeat timer. (BZ#1142833)\n\nAll users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat Enterprise\nLinux 7 are advised to upgrade to these updated packages, which correct\nthese issues.\n", "modified": "2015-04-24T14:19:24", "published": "2015-03-09T04:00:00", "id": "RHSA-2015:0660", "href": "https://access.redhat.com/errata/RHSA-2015:0660", "type": "redhat", "title": "(RHSA-2015:0660) Moderate: qpid-cpp security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-13T18:44:55", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203", "CVE-2015-0223", "CVE-2015-0224"], "description": "Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation\nIT infrastructure for enterprise computing. MRG offers increased\nperformance, reliability, interoperability, and faster computing for\nenterprise customers.\n\nThe Qpid packages provide a message broker daemon that receives, stores and\nroutes messages using the open AMQP messaging protocol along with run-time\nlibraries for AMQP client applications developed using Qpid C++. Clients\nexchange messages with an AMQP message broker using the AMQP protocol.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access to\nanonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nMultiple flaws were found in the way the Qpid daemon (qpidd) processed\ncertain protocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set could use these flaws to crash\nqpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for reporting\nthe CVE-2015-0203 issue. Upstream acknowledges G. Geshev from MWR Labs as\nthe original reporter.\n\nThis update also fixes the following bug:\n\n* Prior to this update, because message purging was performed on a timer\nthread, large purge events could have caused all other timer tasks to be\ndelayed. Because heartbeats were also driven by a timer on this thread,\nthis could have resulted in clients timing out because they were not\nreceiving heartbeats. The fix moves expired message purging from the timer\nthread to a worker thread, which allow long-running expired message purges\nto not affect timer tasks such as the heartbeat timer. (BZ#1142833)\n\nAll users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat Enterprise\nLinux 5 are advised to upgrade to these updated packages, which correct\nthese issues.\n", "modified": "2016-04-04T18:33:39", "published": "2015-03-09T04:00:00", "id": "RHSA-2015:0662", "href": "https://access.redhat.com/errata/RHSA-2015:0662", "type": "redhat", "title": "(RHSA-2015:0662) Moderate: qpid-cpp security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-13T18:44:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203", "CVE-2015-0223", "CVE-2015-0224"], "description": "Red Hat Enterprise MRG is a next-generation IT infrastructure incorporating\nMessaging, Real Time, and Grid functionality. It offers increased\nperformance, reliability, interoperability, and faster computing for\nenterprise customers.\n\nMRG Messaging is a high-speed reliable messaging distribution for Linux\nbased on AMQP (Advanced Message Queuing Protocol), an open protocol\nstandard for enterprise messaging that is designed to make mission critical\nmessaging widely available as a standard service, and to make enterprise\nmessaging interoperable across platforms, programming languages, and\nvendors.\n\nMRG Messaging includes AMQP messaging broker; AMQP client libraries for\nC++, Java JMS, and Python; as well as persistence libraries and\nmanagement tools.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access to\nanonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nA flaw was found in the way the Qpid daemon (qpidd) processed certain\nprotocol sequences. An unauthenticated attacker able to send a specially\ncrafted protocol sequence set that could use this flaw to crash qpidd.\n(CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for reporting\nthe CVE-2015-0203 issue. Upstream acknowledges G. Geshev from MWR Labs as\nthe original reporter.\n\nThis update also fixes the following bugs:\n\n* Previously, the neutron messaging client rewrote (by method of\n\"monkey-patching\") the python selector module to support eventlet\nthreading. The rewritten client did not update select.poll() during this\nprocess, which is used by qpid-python to manage I/O. This resulted in\npoll() deadlocks and neutron server hangs. The fix introduces updates to\nthe python-qpid library that avoid calling poll() if eventlet threading is\ndetected. Instead, the eventlet-aware select() is called, which prevents\ndeadlocks from occurring and corrects the originally reported issue.\n(BZ#1175872)\n\n* It was discovered that the QPID Broker aborted with an uncaught\nUnknownExchangeTypeException when the client attempted to request an\nunsupported exchange type. The code for the Exchange Registry and Node\nPolicy has been improved to prevent this issue from happening again.\n(BZ#1186694)\n\nUsers of the Messaging capabilities of Red Hat Enterprise MRG 3, which is\nlayered on Red Hat Enterprise Linux 6, are advised to upgrade to these\nupdated packages, which correct these issues.", "modified": "2018-06-07T02:47:32", "published": "2015-03-19T20:56:28", "id": "RHSA-2015:0707", "href": "https://access.redhat.com/errata/RHSA-2015:0707", "type": "redhat", "title": "(RHSA-2015:0707) Moderate: qpid security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-13T18:46:25", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203", "CVE-2015-0223", "CVE-2015-0224"], "description": "Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation\nIT infrastructure for enterprise computing. MRG offers increased\nperformance, reliability, interoperability, and faster computing for\nenterprise customers.\n\nThe Qpid packages provide a message broker daemon that receives, stores and\nroutes messages using the open AMQP messaging protocol along with run-time\nlibraries for AMQP client applications developed using Qpid C++. Clients\nexchange messages with an AMQP message broker using the AMQP protocol.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access to\nanonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nMultiple flaws were found in the way the Qpid daemon (qpidd) processed\ncertain protocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set could use these flaws to crash\nqpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for reporting\nthe CVE-2015-0203 issue. Upstream acknowledges G. Geshev from MWR Labs as\nthe original reporter.\n\nThis update also fixes the following bug:\n\n* Prior to this update, because message purging was performed on a timer\nthread, large purge events could have caused all other timer tasks to be\ndelayed. Because heartbeats were also driven by a timer on this thread,\nthis could have resulted in clients timing out because they were not\nreceiving heartbeats. The fix moves expired message purging from the timer\nthread to a worker thread, which allow long-running expired message purges\nto not affect timer tasks such as the heartbeat timer. (BZ#1142833)\n\nAll users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat Enterprise\nLinux 6 are advised to upgrade to these updated packages, which correct\nthese issues.", "modified": "2018-06-07T02:47:19", "published": "2015-03-09T17:34:12", "id": "RHSA-2015:0661", "href": "https://access.redhat.com/errata/RHSA-2015:0661", "type": "redhat", "title": "(RHSA-2015:0661) Moderate: qpid-cpp security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:55", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203", "CVE-2015-0223", "CVE-2015-0224"], "description": "Red Hat Enterprise MRG is a next-generation IT infrastructure incorporating\nMessaging, Real Time, and Grid functionality. It offers increased\nperformance, reliability, interoperability, and faster computing for\nenterprise customers.\n\nMRG Messaging is a high-speed reliable messaging distribution for Linux\nbased on AMQP (Advanced Message Queuing Protocol), an open protocol\nstandard for enterprise messaging that is designed to make mission critical\nmessaging widely available as a standard service, and to make enterprise\nmessaging interoperable across platforms, programming languages, and\nvendors.\n\nMRG Messaging includes AMQP messaging broker; AMQP client libraries for\nC++, Java JMS, and Python; as well as persistence libraries and\nmanagement tools.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access to\nanonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nA flaw was found in the way the Qpid daemon (qpidd) processed certain\nprotocol sequences. An unauthenticated attacker able to send a specially\ncrafted protocol sequence set that could use this flaw to crash qpidd.\n(CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for reporting\nthe CVE-2015-0203 issue. Upstream acknowledges G. Geshev from MWR Labs as\nthe original reporter.\n\nThis update also fixes the following bugs:\n\n* Previously, the neutron messaging client rewrote (by method of\n\"monkey-patching\") the python selector module to support eventlet\nthreading. The rewritten client did not update select.poll() during this\nprocess, which is used by qpid-python to manage I/O. This resulted in\npoll() deadlocks and neutron server hangs. The fix introduces updates to\nthe python-qpid library that avoid calling poll() if eventlet threading is\ndetected. Instead, the eventlet-aware select() is called, which prevents\ndeadlocks from occurring and corrects the originally reported issue.\n(BZ#1175872)\n\n* It was discovered that the QPID Broker aborted with an uncaught\nUnknownExchangeTypeException when the client attempted to request an\nunsupported exchange type. The code for the Exchange Registry and Node\nPolicy has been improved to prevent this issue from happening again.\n(BZ#1186694)\n\nUsers of the Messaging capabilities of Red Hat Enterprise MRG 3, which is\nlayered on Red Hat Enterprise Linux 7, are advised to upgrade to these\nupdated packages, which correct these issues.", "modified": "2018-03-19T16:26:12", "published": "2015-03-19T20:56:30", "id": "RHSA-2015:0708", "href": "https://access.redhat.com/errata/RHSA-2015:0708", "type": "redhat", "title": "(RHSA-2015:0708) Moderate: qpid security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:35:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203", "CVE-2015-0224", "CVE-2015-0223"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-03-10T00:00:00", "id": "OPENVAS:1361412562310807490", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807490", "type": "openvas", "title": "Fedora Update for qpid-cpp FEDORA-2016-120", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for qpid-cpp FEDORA-2016-120\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807490\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-10 06:11:58 +0100 (Thu, 10 Mar 2016)\");\n script_cve_id(\"CVE-2015-0223\", \"CVE-2015-0224\", \"CVE-2015-0203\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for qpid-cpp FEDORA-2016-120\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qpid-cpp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"qpid-cpp on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-120\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178606.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"qpid-cpp\", rpm:\"qpid-cpp~0.34~6.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-01-14T00:00:00", "id": "OPENVAS:1361412562310874011", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874011", "type": "openvas", "title": "Fedora Update for qpid-cpp FEDORA-2017-14f5c6cdac", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_14f5c6cdac_qpid-cpp_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for qpid-cpp FEDORA-2017-14f5c6cdac\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874011\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-14 07:32:48 +0100 (Sun, 14 Jan 2018)\");\n script_cve_id(\"CVE-2015-0203\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for qpid-cpp FEDORA-2017-14f5c6cdac\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qpid-cpp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"qpid-cpp on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2017-14f5c6cdac\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFEMQMBVRYGFSV2SRLZBLXEEUV6TBT5J\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"qpid-cpp\", rpm:\"qpid-cpp~1.37.0~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:34:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-04T00:00:00", "id": "OPENVAS:1361412562310873844", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873844", "type": "openvas", "title": "Fedora Update for qpid-cpp FEDORA-2017-f76bf63612", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_f76bf63612_qpid-cpp_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for qpid-cpp FEDORA-2017-f76bf63612\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873844\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-04 18:48:33 +0530 (Mon, 04 Dec 2017)\");\n script_cve_id(\"CVE-2015-0203\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for qpid-cpp FEDORA-2017-f76bf63612\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qpid-cpp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"qpid-cpp on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-f76bf63612\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJGEUTHJSVZQEZEJCV5BIXCIL6WSJWJP\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"qpid-cpp\", rpm:\"qpid-cpp~1.36.0~8.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:33:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-01-14T00:00:00", "id": "OPENVAS:1361412562310874010", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874010", "type": "openvas", "title": "Fedora Update for qpid-cpp FEDORA-2017-7bac3ba7c3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_7bac3ba7c3_qpid-cpp_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for qpid-cpp FEDORA-2017-7bac3ba7c3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874010\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-14 07:32:45 +0100 (Sun, 14 Jan 2018)\");\n script_cve_id(\"CVE-2015-0203\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for qpid-cpp FEDORA-2017-7bac3ba7c3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qpid-cpp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"qpid-cpp on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2017-7bac3ba7c3\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAHIGBKEMXHAAJPDPQ2AJHCGUJUJNHTF\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"qpid-cpp\", rpm:\"qpid-cpp~1.37.0~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:36:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203", "CVE-2015-0223"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-06-21T00:00:00", "id": "OPENVAS:1361412562310869455", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869455", "type": "openvas", "title": "Fedora Update for qpid-cpp FEDORA-2015-9503", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for qpid-cpp FEDORA-2015-9503\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869455\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-21 05:54:51 +0200 (Sun, 21 Jun 2015)\");\n script_cve_id(\"CVE-2015-0203\", \"CVE-2015-0223\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for qpid-cpp FEDORA-2015-9503\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qpid-cpp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"qpid-cpp on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-9503\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160354.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"qpid-cpp\", rpm:\"qpid-cpp~0.32~4.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203", "CVE-2015-0223", "CVE-2015-0224"], "description": " Run-time libraries for AMQP client applications developed using Qpid C++. Clients exchange messages with an AMQP message broker using the AMQP protocol. ", "modified": "2016-03-09T20:18:57", "published": "2016-03-09T20:18:57", "id": "FEDORA:0EB5E61740D6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: qpid-cpp-0.34-6.fc23", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203"], "description": " Run-time libraries for AMQP client applications developed using Qpid C++. Clients exchange messages with an AMQP message broker using the AMQP protocol. ", "modified": "2018-01-13T23:06:02", "published": "2018-01-13T23:06:02", "id": "FEDORA:CC360607549D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: qpid-cpp-1.37.0-1.fc26", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203"], "description": " Run-time libraries for AMQP client applications developed using Qpid C++. Clients exchange messages with an AMQP message broker using the AMQP protocol. ", "modified": "2018-01-13T23:19:15", "published": "2018-01-13T23:19:15", "id": "FEDORA:737D66076F41", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: qpid-cpp-1.37.0-1.fc27", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203"], "description": " Run-time libraries for AMQP client applications developed using Qpid C++. Clients exchange messages with an AMQP message broker using the AMQP protocol. ", "modified": "2017-12-02T03:11:19", "published": "2017-12-02T03:11:19", "id": "FEDORA:AD12E6075B5C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: qpid-cpp-1.36.0-8.fc27", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0203", "CVE-2015-0223"], "description": " Run-time libraries for AMQP client applications developed using Qpid C++. Clients exchange messages with an AMQP message broker using the AMQP protocol. ", "modified": "2015-06-21T00:04:11", "published": "2015-06-21T00:04:11", "id": "FEDORA:782FF60DD3E2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: qpid-cpp-0.32-4.fc21", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2021-03-01T05:36:29", "description": "Updated qpid packages that fix multiple security issues and one bug\nare now available for Red Hat Enterprise MRG 3 for Red Hat Enterprise\nLinux 6.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG is a next-generation IT infrastructure\nincorporating Messaging, Real Time, and Grid functionality. It offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nMRG Messaging is a high-speed reliable messaging distribution for\nLinux based on AMQP (Advanced Message Queuing Protocol), an open\nprotocol standard for enterprise messaging that is designed to make\nmission critical messaging widely available as a standard service, and\nto make enterprise messaging interoperable across platforms,\nprogramming languages, and vendors.\n\nMRG Messaging includes AMQP messaging broker; AMQP client libraries\nfor C++, Java JMS, and Python; as well as persistence libraries and\nmanagement tools.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nA flaw was found in the way the Qpid daemon (qpidd) processed certain\nprotocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set that could use this flaw to\ncrash qpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bugs :\n\n* Previously, the neutron messaging client rewrote (by method of\n'monkey-patching') the python selector module to support eventlet\nthreading. The rewritten client did not update select.poll() during\nthis process, which is used by qpid-python to manage I/O. This\nresulted in poll() deadlocks and neutron server hangs. The fix\nintroduces updates to the python-qpid library that avoid calling\npoll() if eventlet threading is detected. Instead, the eventlet-aware\nselect() is called, which prevents deadlocks from occurring and\ncorrects the originally reported issue. (BZ#1175872)\n\n* It was discovered that the QPID Broker aborted with an uncaught\nUnknownExchangeTypeException when the client attempted to request an\nunsupported exchange type. The code for the Exchange Registry and Node\nPolicy has been improved to prevent this issue from happening again.\n(BZ#1186694)\n\nUsers of the Messaging capabilities of Red Hat Enterprise MRG 3, which\nis layered on Red Hat Enterprise Linux 6, are advised to upgrade to\nthese updated packages, which correct these issues.", "edition": 23, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-09-13T00:00:00", "title": "RHEL 6 : MRG (RHSA-2015:0707)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203", "CVE-2015-0224", "CVE-2015-0223"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:ruby-qpid-qmf", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-debuginfo", "p-cpe:/a:redhat:enterprise_linux:qpid-qmf", "p-cpe:/a:redhat:enterprise_linux:python-qpid", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-xml", "p-cpe:/a:redhat:enterprise_linux:qpid-qmf-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ha", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-linearstore", "p-cpe:/a:redhat:enterprise_linux:python-qpid-qmf", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-qmf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server"], "id": "REDHAT-RHSA-2015-0707.NASL", "href": "https://www.tenable.com/plugins/nessus/117467", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0707. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117467);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2015-0203\", \"CVE-2015-0223\", \"CVE-2015-0224\");\n script_xref(name:\"RHSA\", value:\"2015:0707\");\n\n script_name(english:\"RHEL 6 : MRG (RHSA-2015:0707)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated qpid packages that fix multiple security issues and one bug\nare now available for Red Hat Enterprise MRG 3 for Red Hat Enterprise\nLinux 6.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG is a next-generation IT infrastructure\nincorporating Messaging, Real Time, and Grid functionality. It offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nMRG Messaging is a high-speed reliable messaging distribution for\nLinux based on AMQP (Advanced Message Queuing Protocol), an open\nprotocol standard for enterprise messaging that is designed to make\nmission critical messaging widely available as a standard service, and\nto make enterprise messaging interoperable across platforms,\nprogramming languages, and vendors.\n\nMRG Messaging includes AMQP messaging broker; AMQP client libraries\nfor C++, Java JMS, and Python; as well as persistence libraries and\nmanagement tools.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nA flaw was found in the way the Qpid daemon (qpidd) processed certain\nprotocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set that could use this flaw to\ncrash qpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bugs :\n\n* Previously, the neutron messaging client rewrote (by method of\n'monkey-patching') the python selector module to support eventlet\nthreading. The rewritten client did not update select.poll() during\nthis process, which is used by qpid-python to manage I/O. This\nresulted in poll() deadlocks and neutron server hangs. The fix\nintroduces updates to the python-qpid library that avoid calling\npoll() if eventlet threading is detected. Instead, the eventlet-aware\nselect() is called, which prevents deadlocks from occurring and\ncorrects the originally reported issue. (BZ#1175872)\n\n* It was discovered that the QPID Broker aborted with an uncaught\nUnknownExchangeTypeException when the client attempted to request an\nunsupported exchange type. The code for the Exchange Registry and Node\nPolicy has been improved to prevent this issue from happening again.\n(BZ#1186694)\n\nUsers of the Messaging capabilities of Red Hat Enterprise MRG 3, which\nis layered on Red Hat Enterprise Linux 6, are advised to upgrade to\nthese updated packages, which correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0707\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0224\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ha\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-linearstore\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-qmf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-qmf-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby-qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0707\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"mrg-release\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MRG\");\n\n if (rpm_check(release:\"RHEL6\", reference:\"python-qpid-0.22-19.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-qpid-qmf-0.22-41.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-qpid-qmf-0.22-41.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-client-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-client-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-client-devel-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-client-devel-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"qpid-cpp-client-devel-docs-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-client-rdma-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-client-rdma-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-debuginfo-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-debuginfo-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-devel-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-devel-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-ha-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-ha-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-linearstore-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-linearstore-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-rdma-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-rdma-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-xml-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-xml-0.22-51.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-qmf-0.22-41.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-qmf-0.22-41.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-qmf-debuginfo-0.22-41.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-qmf-debuginfo-0.22-41.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-qmf-devel-0.22-41.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-qmf-devel-0.22-41.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"ruby-qpid-qmf-0.22-41.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby-qpid-qmf-0.22-41.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-qpid / python-qpid-qmf / qpid-cpp-client / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-03-01T05:36:27", "description": "Updated qpid-cpp packages that fix multiple security issues and one\nbug are now available for Red Hat Enterprise MRG Messaging 2.5 for Red\nHat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG (Messaging, Realtime, and Grid) is a\nnext-generation IT infrastructure for enterprise computing. MRG offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nThe Qpid packages provide a message broker daemon that receives,\nstores and routes messages using the open AMQP messaging protocol\nalong with run-time libraries for AMQP client applications developed\nusing Qpid C++. Clients exchange messages with an AMQP message broker\nusing the AMQP protocol.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nMultiple flaws were found in the way the Qpid daemon (qpidd) processed\ncertain protocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set could use these flaws to crash\nqpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bug :\n\n* Prior to this update, because message purging was performed on a\ntimer thread, large purge events could have caused all other timer\ntasks to be delayed. Because heartbeats were also driven by a timer on\nthis thread, this could have resulted in clients timing out because\nthey were not receiving heartbeats. The fix moves expired message\npurging from the timer thread to a worker thread, which allow\nlong-running expired message purges to not affect timer tasks such as\nthe heartbeat timer. (BZ#1142833)\n\nAll users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat\nEnterprise Linux 5 are advised to upgrade to these updated packages,\nwhich correct these issues.", "edition": 31, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-03-10T00:00:00", "title": "RHEL 5 : MRG (RHSA-2015:0662)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203", "CVE-2015-0224", "CVE-2015-0223"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-ssl", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-xml", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ssl", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-cluster", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-store", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server"], "id": "REDHAT-RHSA-2015-0662.NASL", "href": "https://www.tenable.com/plugins/nessus/81728", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0662. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81728);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2015-0203\", \"CVE-2015-0223\", \"CVE-2015-0224\");\n script_bugtraq_id(72030, 72317, 72319);\n script_xref(name:\"RHSA\", value:\"2015:0662\");\n\n script_name(english:\"RHEL 5 : MRG (RHSA-2015:0662)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated qpid-cpp packages that fix multiple security issues and one\nbug are now available for Red Hat Enterprise MRG Messaging 2.5 for Red\nHat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG (Messaging, Realtime, and Grid) is a\nnext-generation IT infrastructure for enterprise computing. MRG offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nThe Qpid packages provide a message broker daemon that receives,\nstores and routes messages using the open AMQP messaging protocol\nalong with run-time libraries for AMQP client applications developed\nusing Qpid C++. Clients exchange messages with an AMQP message broker\nusing the AMQP protocol.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nMultiple flaws were found in the way the Qpid daemon (qpidd) processed\ncertain protocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set could use these flaws to crash\nqpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bug :\n\n* Prior to this update, because message purging was performed on a\ntimer thread, large purge events could have caused all other timer\ntasks to be delayed. Because heartbeats were also driven by a timer on\nthis thread, this could have resulted in clients timing out because\nthey were not receiving heartbeats. The fix moves expired message\npurging from the timer thread to a worker thread, which allow\nlong-running expired message purges to not affect timer tasks such as\nthe heartbeat timer. (BZ#1142833)\n\nAll users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat\nEnterprise Linux 5 are advised to upgrade to these updated packages,\nwhich correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0662\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0224\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0223\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-cluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0662\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL5\", rpm:\"mrg-release\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MRG\");\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-client-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-client-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-client-devel-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-client-devel-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-client-devel-docs-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-client-devel-docs-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-client-rdma-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-client-rdma-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-client-ssl-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-client-ssl-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-server-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-server-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-server-cluster-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-server-cluster-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-server-devel-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-server-devel-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-server-rdma-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-server-rdma-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-server-ssl-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-server-ssl-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-server-store-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-server-store-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"qpid-cpp-server-xml-0.18-38.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"qpid-cpp-server-xml-0.18-38.el5_10\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qpid-cpp-client / qpid-cpp-client-devel / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-03-01T05:36:27", "description": "Updated qpid-cpp packages that fix multiple security issues and one\nbug are now available for Red Hat Enterprise MRG Messaging 2.5 for Red\nHat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG (Messaging, Realtime, and Grid) is a\nnext-generation IT infrastructure for enterprise computing. MRG offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nThe Qpid packages provide a message broker daemon that receives,\nstores and routes messages using the open AMQP messaging protocol\nalong with run-time libraries for AMQP client applications developed\nusing Qpid C++. Clients exchange messages with an AMQP message broker\nusing the AMQP protocol.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nMultiple flaws were found in the way the Qpid daemon (qpidd) processed\ncertain protocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set could use these flaws to crash\nqpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bug :\n\n* Prior to this update, because message purging was performed on a\ntimer thread, large purge events could have caused all other timer\ntasks to be delayed. Because heartbeats were also driven by a timer on\nthis thread, this could have resulted in clients timing out because\nthey were not receiving heartbeats. The fix moves expired message\npurging from the timer thread to a worker thread, which allow\nlong-running expired message purges to not affect timer tasks such as\nthe heartbeat timer. (BZ#1142833)\n\nAll users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat\nEnterprise Linux 7 are advised to upgrade to these updated packages,\nwhich correct these issues.", "edition": 31, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-08-31T00:00:00", "title": "RHEL 7 : MRG (RHSA-2015:0660)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203", "CVE-2015-0224", "CVE-2015-0223"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:qpid-cpp-debuginfo", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-ssl", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ssl", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-cluster", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-store", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server"], "id": "REDHAT-RHSA-2015-0660.NASL", "href": "https://www.tenable.com/plugins/nessus/85704", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0660. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85704);\n script_version(\"2.10\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2015-0203\", \"CVE-2015-0223\", \"CVE-2015-0224\");\n script_xref(name:\"RHSA\", value:\"2015:0660\");\n\n script_name(english:\"RHEL 7 : MRG (RHSA-2015:0660)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated qpid-cpp packages that fix multiple security issues and one\nbug are now available for Red Hat Enterprise MRG Messaging 2.5 for Red\nHat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG (Messaging, Realtime, and Grid) is a\nnext-generation IT infrastructure for enterprise computing. MRG offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nThe Qpid packages provide a message broker daemon that receives,\nstores and routes messages using the open AMQP messaging protocol\nalong with run-time libraries for AMQP client applications developed\nusing Qpid C++. Clients exchange messages with an AMQP message broker\nusing the AMQP protocol.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nMultiple flaws were found in the way the Qpid daemon (qpidd) processed\ncertain protocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set could use these flaws to crash\nqpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bug :\n\n* Prior to this update, because message purging was performed on a\ntimer thread, large purge events could have caused all other timer\ntasks to be delayed. Because heartbeats were also driven by a timer on\nthis thread, this could have resulted in clients timing out because\nthey were not receiving heartbeats. The fix moves expired message\npurging from the timer thread to a worker thread, which allow\nlong-running expired message purges to not affect timer tasks such as\nthe heartbeat timer. (BZ#1142833)\n\nAll users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat\nEnterprise Linux 7 are advised to upgrade to these updated packages,\nwhich correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0660\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0224\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0223\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-cluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-store\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0660\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL7\", rpm:\"mrg-release\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MRG\");\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-client-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-client-devel-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"qpid-cpp-client-devel-docs-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-client-rdma-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-client-ssl-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-debuginfo-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-cluster-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-devel-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-rdma-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-ssl-0.18-38.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-store-0.18-38.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qpid-cpp-client / qpid-cpp-client-devel / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-03-01T05:36:29", "description": "Updated qpid packages that fix multiple security issues and one bug\nare now available for Red Hat Enterprise MRG 3 for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG is a next-generation IT infrastructure\nincorporating Messaging, Real Time, and Grid functionality. It offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nMRG Messaging is a high-speed reliable messaging distribution for\nLinux based on AMQP (Advanced Message Queuing Protocol), an open\nprotocol standard for enterprise messaging that is designed to make\nmission critical messaging widely available as a standard service, and\nto make enterprise messaging interoperable across platforms,\nprogramming languages, and vendors.\n\nMRG Messaging includes AMQP messaging broker; AMQP client libraries\nfor C++, Java JMS, and Python; as well as persistence libraries and\nmanagement tools.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nA flaw was found in the way the Qpid daemon (qpidd) processed certain\nprotocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set that could use this flaw to\ncrash qpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bugs :\n\n* Previously, the neutron messaging client rewrote (by method of\n'monkey-patching') the python selector module to support eventlet\nthreading. The rewritten client did not update select.poll() during\nthis process, which is used by qpid-python to manage I/O. This\nresulted in poll() deadlocks and neutron server hangs. The fix\nintroduces updates to the python-qpid library that avoid calling\npoll() if eventlet threading is detected. Instead, the eventlet-aware\nselect() is called, which prevents deadlocks from occurring and\ncorrects the originally reported issue. (BZ#1175872)\n\n* It was discovered that the QPID Broker aborted with an uncaught\nUnknownExchangeTypeException when the client attempted to request an\nunsupported exchange type. The code for the Exchange Registry and Node\nPolicy has been improved to prevent this issue from happening again.\n(BZ#1186694)\n\nUsers of the Messaging capabilities of Red Hat Enterprise MRG 3, which\nis layered on Red Hat Enterprise Linux 7, are advised to upgrade to\nthese updated packages, which correct these issues.", "edition": 30, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-04-01T00:00:00", "title": "RHEL 7 : MRG (RHSA-2015:0708)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203", "CVE-2015-0224", "CVE-2015-0223"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:ruby-qpid-qmf", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-debuginfo", "p-cpe:/a:redhat:enterprise_linux:qpid-qmf", "p-cpe:/a:redhat:enterprise_linux:python-qpid", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client", "p-cpe:/a:redhat:enterprise_linux:libdb-cxx-devel", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:qpid-qmf-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel", "p-cpe:/a:redhat:enterprise_linux:libdb-debuginfo", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ha", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-linearstore", "p-cpe:/a:redhat:enterprise_linux:python-qpid-qmf", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-qmf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:libdb-cxx", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server"], "id": "REDHAT-RHSA-2015-0708.NASL", "href": "https://www.tenable.com/plugins/nessus/82492", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0708. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82492);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2015-0203\", \"CVE-2015-0223\", \"CVE-2015-0224\");\n script_xref(name:\"RHSA\", value:\"2015:0708\");\n\n script_name(english:\"RHEL 7 : MRG (RHSA-2015:0708)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated qpid packages that fix multiple security issues and one bug\nare now available for Red Hat Enterprise MRG 3 for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG is a next-generation IT infrastructure\nincorporating Messaging, Real Time, and Grid functionality. It offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nMRG Messaging is a high-speed reliable messaging distribution for\nLinux based on AMQP (Advanced Message Queuing Protocol), an open\nprotocol standard for enterprise messaging that is designed to make\nmission critical messaging widely available as a standard service, and\nto make enterprise messaging interoperable across platforms,\nprogramming languages, and vendors.\n\nMRG Messaging includes AMQP messaging broker; AMQP client libraries\nfor C++, Java JMS, and Python; as well as persistence libraries and\nmanagement tools.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nA flaw was found in the way the Qpid daemon (qpidd) processed certain\nprotocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set that could use this flaw to\ncrash qpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bugs :\n\n* Previously, the neutron messaging client rewrote (by method of\n'monkey-patching') the python selector module to support eventlet\nthreading. The rewritten client did not update select.poll() during\nthis process, which is used by qpid-python to manage I/O. This\nresulted in poll() deadlocks and neutron server hangs. The fix\nintroduces updates to the python-qpid library that avoid calling\npoll() if eventlet threading is detected. Instead, the eventlet-aware\nselect() is called, which prevents deadlocks from occurring and\ncorrects the originally reported issue. (BZ#1175872)\n\n* It was discovered that the QPID Broker aborted with an uncaught\nUnknownExchangeTypeException when the client attempted to request an\nunsupported exchange type. The code for the Exchange Registry and Node\nPolicy has been improved to prevent this issue from happening again.\n(BZ#1186694)\n\nUsers of the Messaging capabilities of Red Hat Enterprise MRG 3, which\nis layered on Red Hat Enterprise Linux 7, are advised to upgrade to\nthese updated packages, which correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0708\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0224\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libdb-cxx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libdb-cxx-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libdb-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ha\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-linearstore\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-qmf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-qmf-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby-qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0708\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL7\", rpm:\"mrg-release\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MRG\");\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"libdb-cxx-5.3.21-17.el7_0.1\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"libdb-cxx-devel-5.3.21-17.el7_0.1\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"libdb-debuginfo-5.3.21-17.el7_0.1\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"python-qpid-0.22-19.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-qpid-qmf-0.22-41.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"qpid-cpp-client-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-client-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-client-devel-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"qpid-cpp-client-devel-docs-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-client-rdma-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"qpid-cpp-debuginfo-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-debuginfo-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"qpid-cpp-server-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-devel-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-ha-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-linearstore-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-cpp-server-rdma-0.22-51.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"qpid-qmf-0.22-41.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-qmf-0.22-41.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"qpid-qmf-debuginfo-0.22-41.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-qmf-debuginfo-0.22-41.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"qpid-qmf-devel-0.22-41.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"ruby-qpid-qmf-0.22-41.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libdb-cxx / libdb-cxx-devel / libdb-debuginfo / python-qpid / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:14:00", "description": "Rebuilt against qpid-proton 0.12.0.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 20, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-03-10T00:00:00", "title": "Fedora 23 : qpid-cpp-0.34-6.fc23 (2016-120b194a75)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203", "CVE-2015-0224", "CVE-2015-0223"], "modified": "2016-03-10T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:qpid-cpp", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-120B194A75.NASL", "href": "https://www.tenable.com/plugins/nessus/89796", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-120b194a75.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89796);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-0203\", \"CVE-2015-0223\", \"CVE-2015-0224\");\n script_xref(name:\"FEDORA\", value:\"2016-120b194a75\");\n\n script_name(english:\"Fedora 23 : qpid-cpp-0.34-6.fc23 (2016-120b194a75)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Rebuilt against qpid-proton 0.12.0.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1186305\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1186311\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178606.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?891e3f77\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected qpid-cpp package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:qpid-cpp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"qpid-cpp-0.34-6.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qpid-cpp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-02-06T13:44:36", "description": "Updated qpid-cpp packages that fix multiple security issues and one\nbug are now available for Red Hat Enterprise MRG Messaging 2.5 for Red\nHat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG (Messaging, Realtime, and Grid) is a\nnext-generation IT infrastructure for enterprise computing. MRG offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nThe Qpid packages provide a message broker daemon that receives,\nstores and routes messages using the open AMQP messaging protocol\nalong with run-time libraries for AMQP client applications developed\nusing Qpid C++. Clients exchange messages with an AMQP message broker\nusing the AMQP protocol.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nMultiple flaws were found in the way the Qpid daemon (qpidd) processed\ncertain protocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set could use these flaws to crash\nqpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bug :\n\n* Prior to this update, because message purging was performed on a\ntimer thread, large purge events could have caused all other timer\ntasks to be delayed. Because heartbeats were also driven by a timer on\nthis thread, this could have resulted in clients timing out because\nthey were not receiving heartbeats. The fix moves expired message\npurging from the timer thread to a worker thread, which allow\nlong-running expired message purges to not affect timer tasks such as\nthe heartbeat timer. (BZ#1142833)\n\nAll users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat\nEnterprise Linux 6 are advised to upgrade to these updated packages,\nwhich correct these issues.", "edition": 31, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-03-10T00:00:00", "title": "RHEL 6 : MRG (RHSA-2015:0661)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203", "CVE-2015-0224", "CVE-2015-0223"], "modified": "2015-03-10T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:qpid-cpp-debuginfo", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-ssl", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-xml", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ssl", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-cluster", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-store", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server"], "id": "REDHAT-RHSA-2015-0661.NASL", "href": "https://www.tenable.com/plugins/nessus/81727", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0661. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81727);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2015-0203\", \"CVE-2015-0223\", \"CVE-2015-0224\");\n script_bugtraq_id(72030, 72317, 72319);\n script_xref(name:\"RHSA\", value:\"2015:0661\");\n\n script_name(english:\"RHEL 6 : MRG (RHSA-2015:0661)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Updated qpid-cpp packages that fix multiple security issues and one\nbug are now available for Red Hat Enterprise MRG Messaging 2.5 for Red\nHat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat Enterprise MRG (Messaging, Realtime, and Grid) is a\nnext-generation IT infrastructure for enterprise computing. MRG offers\nincreased performance, reliability, interoperability, and faster\ncomputing for enterprise customers.\n\nThe Qpid packages provide a message broker daemon that receives,\nstores and routes messages using the open AMQP messaging protocol\nalong with run-time libraries for AMQP client applications developed\nusing Qpid C++. Clients exchange messages with an AMQP message broker\nusing the AMQP protocol.\n\nIt was discovered that the Qpid daemon (qpidd) did not restrict access\nto anonymous users when the ANONYMOUS mechanism was disallowed.\n(CVE-2015-0223)\n\nMultiple flaws were found in the way the Qpid daemon (qpidd) processed\ncertain protocol sequences. An unauthenticated attacker able to send a\nspecially crafted protocol sequence set could use these flaws to crash\nqpidd. (CVE-2015-0203, CVE-2015-0224)\n\nRed Hat would like to thank the Apache Software Foundation for\nreporting the CVE-2015-0203 issue. Upstream acknowledges G. Geshev\nfrom MWR Labs as the original reporter.\n\nThis update also fixes the following bug :\n\n* Prior to this update, because message purging was performed on a\ntimer thread, large purge events could have caused all other timer\ntasks to be delayed. Because heartbeats were also driven by a timer on\nthis thread, this could have resulted in clients timing out because\nthey were not receiving heartbeats. The fix moves expired message\npurging from the timer thread to a worker thread, which allow\nlong-running expired message purges to not affect timer tasks such as\nthe heartbeat timer. (BZ#1142833)\n\nAll users of Red Hat Enterprise MRG Messaging 2.5 for Red Hat\nEnterprise Linux 6 are advised to upgrade to these updated packages,\nwhich correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0224\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-cluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-rdma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0661\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"mrg-release\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MRG\");\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-client-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-client-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-client-devel-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-client-devel-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"qpid-cpp-client-devel-docs-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-client-rdma-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-client-rdma-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-client-ssl-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-client-ssl-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-debuginfo-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-debuginfo-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-cluster-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-cluster-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-devel-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-devel-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-rdma-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-rdma-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-ssl-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-ssl-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-store-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-store-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qpid-cpp-server-xml-0.18-38.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qpid-cpp-server-xml-0.18-38.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qpid-cpp-client / qpid-cpp-client-devel / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-07T10:15:06", "description": "Rebuilt against qpid-\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 19, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-01-15T00:00:00", "title": "Fedora 27 : qpid-cpp (2017-f76bf63612)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203"], "modified": "2018-01-15T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:qpid-cpp"], "id": "FEDORA_2017-F76BF63612.NASL", "href": "https://www.tenable.com/plugins/nessus/106009", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-f76bf63612.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(106009);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-0203\");\n script_xref(name:\"FEDORA\", value:\"2017-f76bf63612\");\n\n script_name(english:\"Fedora 27 : qpid-cpp (2017-f76bf63612)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Rebuilt against qpid-\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-f76bf63612\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected qpid-cpp package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:qpid-cpp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"qpid-cpp-1.36.0-8.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qpid-cpp\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:13:51", "description": "Removed qpid-send and qpid-receive from qpid-cpp-client-devel. Include\nthe qpid.tests module in python-qpid Bumped the release to force a\nbuild against Proton 0.9 in F22. Added qpidtoollibs to the qpid-tools\npackage. Fixed path to qpid-ha in the systemd service descriptor.\nResolves: BZ#1186308 Apply patch 10. Resolves: BZ#1184488 Resolves:\nBZ#1181721\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-06-22T00:00:00", "title": "Fedora 21 : qpid-cpp-0.32-4.fc21 (2015-9503)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0203", "CVE-2015-0223"], "modified": "2015-06-22T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:qpid-cpp"], "id": "FEDORA_2015-9503.NASL", "href": "https://www.tenable.com/plugins/nessus/84306", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-9503.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84306);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-0203\", \"CVE-2015-0223\");\n script_xref(name:\"FEDORA\", value:\"2015-9503\");\n\n script_name(english:\"Fedora 21 : qpid-cpp-0.32-4.fc21 (2015-9503)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Removed qpid-send and qpid-receive from qpid-cpp-client-devel. Include\nthe qpid.tests module in python-qpid Bumped the release to force a\nbuild against Proton 0.9 in F22. Added qpidtoollibs to the qpid-tools\npackage. Fixed path to qpid-ha in the systemd service descriptor.\nResolves: BZ#1186308 Apply patch 10. Resolves: BZ#1184488 Resolves:\nBZ#1181721\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1181721\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1186308\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160354.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?04b68d26\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected qpid-cpp package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:qpid-cpp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"qpid-cpp-0.32-4.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qpid-cpp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}