Apache Qpid Proton is vulnerable to man-in-the-middle (MitM) attacks. When the library is used with OpenSSL versions prior to 1.1.0, it still allows anonymous cipher suites (which provide no server authentication) to be negotiated, regardless of whether the client is configured to verify the server's certificate or hostname. A remote attacker positioned between client and server can therefore intercept the TLS traffic.
www.openwall.com/lists/oss-security/2019/04/23/4
www.securityfocus.com/bid/108044
access.redhat.com/errata/RHSA-2019:0886
access.redhat.com/errata/RHSA-2019:1398
access.redhat.com/errata/RHSA-2019:1399
access.redhat.com/errata/RHSA-2019:1400
access.redhat.com/errata/RHSA-2019:2777
access.redhat.com/errata/RHSA-2019:2778
access.redhat.com/errata/RHSA-2019:2779
access.redhat.com/errata/RHSA-2019:2780
access.redhat.com/errata/RHSA-2019:2781
access.redhat.com/errata/RHSA-2019:2782
github.com/apache/qpid-proton/commit/4aea0fd8502f5e9af7f22fd60645eeec07bce0b2
issues.apache.org/jira/browse/PROTON-2014
issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E
lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E
lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E
lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E
lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E
qpid.apache.org/cves/CVE-2019-0223.html