-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: Red Hat Enterprise MRG Messaging and Grid Version 1.3 Advisory ID: RHSA-2010:0774-01 Product: Red Hat Enterprise MRG for RHEL-4 Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0774.html Issue date: 2010-10-14 CVE Names: CVE-2009-5005 CVE-2009-5006 =====================================================================
1. Summary:
Updated packages that fix two security issues, several bugs, and add multiple enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise MRG Messaging and Grid for Red Hat Enterprise Linux 4.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat MRG Grid Execute Node for RHEL-4 AS - i386, noarch, x86_64 Red Hat MRG Grid Execute Node for RHEL-4 ES - i386, noarch, x86_64 Red Hat MRG Grid for RHEL-4 AS - i386, noarch, x86_64 Red Hat MRG Grid for RHEL-4 ES - i386, noarch, x86_64 Red Hat MRG Messaging Base for RHEL-4 AS - i386, noarch, x86_64 Red Hat MRG Messaging Base for RHEL-4 ES - i386, noarch, x86_64 Red Hat MRG Messaging for RHEL-4 AS - i386, noarch, x86_64 Red Hat MRG Messaging for RHEL-4 ES - i386, noarch, x86_64
3. Description:
Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a realtime IT infrastructure for enterprise computing. MRG Messaging uses Apache Qpid to implement the Advanced Message Queuing Protocol (AMQP) standard, adding persistence options, kernel optimizations, and operating system services.
This update moves Red Hat Enterprise MRG to version 1.3.
A flaw was found in the way Apache Qpid handled the receipt of invalid AMQP data. A remote user could send invalid AMQP data to the server, causing it to crash, resulting in the cluster shutting down. (CVE-2009-5005)
A flaw was found in the way Apache Qpid handled a request to redeclare an existing exchange while adding a new alternate exchange. If a remote, authenticated user issued such a request, the server would crash, resulting in the cluster shutting down. (CVE-2009-5006)
This update also adds the following enhancements:
* This update introduces a protocol-independent C++ API. The extra layer of indirection will make it easy to support new versions of the AMQP protocol, as well as multiple versions simultaneously. (BZ#497747)
* The management component is now capable of working in a cluster. (BZ#501015)
* The Messaging Client Python API is now protocol-independent. (BZ#497748)
* This update allows a JMS client to subscribe to the failover exchange to retrieve cluster membership information and subsequently to receive updates. (BZ#483753)
* With this update, the qpidd service can be run without additional authentication options. (BZ#515513)
* This update adds an OpenMPI wrapper script to Condor. It adds support for OpenMPI jobs. (BZ#537232)
* The Messaging Client Python API now provides a failover mechanism for clustered brokers. (BZ#495718)
* The Python Messaging API now includes support for Simple Authentication and Security Layer (SASL), which allows authentication support to be added to connection-based protocols. (BZ#548493)
* The qpid-tool is now able to determine which session a queue consumer belongs to. (BZ#504325)
* This update handles backward/forward compatibility for QMF and its components. (BZ#506698)
* Both Secure Sockets Layer (SSL) and Remote Direct Memory Access (RDMA) entries can now appear in the list of known URLs. (BZ#471632)
* This update allows for the scheduler daemon to run without swap. (BZ#548090)
* This update introduces a mechanism that specifies the queue size of a queue that is setup via the Java API. (BZ#534008)
* Previously, a collector could not be remotely restarted. With this update, the restart is possible and works as expected. (BZ#543021)
* The usage information for the qpid-config utility (that is, the output of the "qpid-config -h" command) has been updated to include a brief explanation of the exchange type. (BZ#506420)
These updated packages include many other bug fixes and enhancements. Users are directed to the Red Hat Enterprise MRG 1.3 Technical Notes for information on these changes:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/1/html/Technical_N otes/index.html
All Red Hat Enterprise MRG users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements, as well as resolving the issues and adding the enhancements noted in the Red Hat Enterprise MRG 1.3 Technical Notes. After installing the updated packages, the qpidd service must be restarted ("service qpidd restart") for this update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
637944 - MRG 1.3 Released for RHEL4 642373 - CVE-2009-5005 qpid: crash on receipt of invalid AMQP data 642377 - CVE-2009-5006 qpid: crash when redeclaring the exchange with specified alternate_exchange
6. Package List:
Red Hat MRG Grid for RHEL-4 AS:
Source: classads-1.0.8-1.el4.src.rpm condor-low-latency-1.1-0.2.el4.src.rpm mrg-grid-docs-1.3-1.el4.src.rpm mrg-release-1.3-2.el4.src.rpm
i386: classads-1.0.8-1.el4.i386.rpm classads-debuginfo-1.0.8-1.el4.i386.rpm classads-devel-1.0.8-1.el4.i386.rpm classads-static-1.0.8-1.el4.i386.rpm
noarch: condor-low-latency-1.1-0.2.el4.noarch.rpm mrg-grid-docs-1.3-1.el4.noarch.rpm mrg-release-1.3-2.el4.noarch.rpm
x86_64: classads-1.0.8-1.el4.x86_64.rpm classads-debuginfo-1.0.8-1.el4.x86_64.rpm classads-devel-1.0.8-1.el4.x86_64.rpm classads-static-1.0.8-1.el4.x86_64.rpm
Red Hat MRG Grid Execute Node for RHEL-4 AS:
Source: condor-7.4.4-0.16.el4.src.rpm condor-job-hooks-1.4-5.el4.src.rpm condor-low-latency-1.1-0.2.el4.src.rpm condor-wallaby-3.6-6.el4.src.rpm mrg-grid-docs-1.3-1.el4.src.rpm mrg-release-1.3-2.el4.src.rpm
i386: condor-7.4.4-0.16.el4.i386.rpm condor-debuginfo-7.4.4-0.16.el4.i386.rpm condor-kbdd-7.4.4-0.16.el4.i386.rpm condor-qmf-7.4.4-0.16.el4.i386.rpm
noarch: condor-job-hooks-1.4-5.el4.noarch.rpm condor-low-latency-1.1-0.2.el4.noarch.rpm condor-wallaby-client-3.6-6.el4.noarch.rpm mrg-grid-docs-1.3-1.el4.noarch.rpm mrg-release-1.3-2.el4.noarch.rpm python-condorutils-1.4-5.el4.noarch.rpm
x86_64: condor-7.4.4-0.16.el4.x86_64.rpm condor-debuginfo-7.4.4-0.16.el4.x86_64.rpm condor-kbdd-7.4.4-0.16.el4.x86_64.rpm condor-qmf-7.4.4-0.16.el4.x86_64.rpm
Red Hat MRG Messaging for RHEL-4 AS:
Source: mrg-release-1.3-2.el4.src.rpm python-qmf-0.7.946106-13.el4.src.rpm python-qpid-0.7.946106-14.el4.src.rpm qpid-java-0.7.946106-11.el4.src.rpm qpid-tests-0.7.946106-1.el4.src.rpm qpid-tools-0.7.946106-11.el4.src.rpm rhm-docs-0.7.946106-8.el4.src.rpm sesame-0.7.4297-3.el4.src.rpm
i386: sesame-0.7.4297-3.el4.i386.rpm sesame-debuginfo-0.7.4297-3.el4.i386.rpm
noarch: mrg-release-1.3-2.el4.noarch.rpm python-qmf-0.7.946106-13.el4.noarch.rpm python-qpid-0.7.946106-14.el4.noarch.rpm qpid-java-client-0.7.946106-11.el4.noarch.rpm qpid-java-common-0.7.946106-11.el4.noarch.rpm qpid-java-example-0.7.946106-11.el4.noarch.rpm qpid-tests-0.7.946106-1.el4.noarch.rpm qpid-tools-0.7.946106-11.el4.noarch.rpm rhm-docs-0.7.946106-8.el4.noarch.rpm
x86_64: sesame-0.7.4297-3.el4.x86_64.rpm sesame-debuginfo-0.7.4297-3.el4.x86_64.rpm
Red Hat MRG Messaging Base for RHEL-4 AS:
Source: mrg-release-1.3-2.el4.src.rpm python-qmf-0.7.946106-13.el4.src.rpm python-qpid-0.7.946106-14.el4.src.rpm qpid-cpp-mrg-0.7.946106-17.el4.src.rpm qpid-java-0.7.946106-11.el4.src.rpm qpid-tests-0.7.946106-1.el4.src.rpm qpid-tools-0.7.946106-11.el4.src.rpm sesame-0.7.4297-3.el4.src.rpm
i386: qmf-0.7.946106-17.el4.i386.rpm qmf-devel-0.7.946106-17.el4.i386.rpm qpid-cpp-client-0.7.946106-17.el4.i386.rpm qpid-cpp-client-devel-0.7.946106-17.el4.i386.rpm qpid-cpp-client-devel-docs-0.7.946106-17.el4.i386.rpm qpid-cpp-client-ssl-0.7.946106-17.el4.i386.rpm qpid-cpp-mrg-debuginfo-0.7.946106-17.el4.i386.rpm qpid-cpp-server-0.7.946106-17.el4.i386.rpm qpid-cpp-server-devel-0.7.946106-17.el4.i386.rpm qpid-cpp-server-ssl-0.7.946106-17.el4.i386.rpm qpid-cpp-server-store-0.7.946106-17.el4.i386.rpm qpid-cpp-server-xml-0.7.946106-17.el4.i386.rpm sesame-0.7.4297-3.el4.i386.rpm sesame-debuginfo-0.7.4297-3.el4.i386.rpm
noarch: mrg-release-1.3-2.el4.noarch.rpm python-qmf-0.7.946106-13.el4.noarch.rpm python-qpid-0.7.946106-14.el4.noarch.rpm qpid-java-client-0.7.946106-11.el4.noarch.rpm qpid-java-common-0.7.946106-11.el4.noarch.rpm qpid-java-example-0.7.946106-11.el4.noarch.rpm qpid-tests-0.7.946106-1.el4.noarch.rpm qpid-tools-0.7.946106-11.el4.noarch.rpm
x86_64: qmf-0.7.946106-17.el4.x86_64.rpm qmf-devel-0.7.946106-17.el4.x86_64.rpm qpid-cpp-client-0.7.946106-17.el4.x86_64.rpm qpid-cpp-client-devel-0.7.946106-17.el4.x86_64.rpm qpid-cpp-client-devel-docs-0.7.946106-17.el4.x86_64.rpm qpid-cpp-client-ssl-0.7.946106-17.el4.x86_64.rpm qpid-cpp-mrg-debuginfo-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-devel-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-ssl-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-store-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-xml-0.7.946106-17.el4.x86_64.rpm sesame-0.7.4297-3.el4.x86_64.rpm sesame-debuginfo-0.7.4297-3.el4.x86_64.rpm
Red Hat MRG Grid for RHEL-4 ES:
Source: classads-1.0.8-1.el4.src.rpm condor-low-latency-1.1-0.2.el4.src.rpm mrg-grid-docs-1.3-1.el4.src.rpm mrg-release-1.3-2.el4.src.rpm
i386: classads-1.0.8-1.el4.i386.rpm classads-debuginfo-1.0.8-1.el4.i386.rpm classads-devel-1.0.8-1.el4.i386.rpm classads-static-1.0.8-1.el4.i386.rpm
noarch: condor-low-latency-1.1-0.2.el4.noarch.rpm mrg-grid-docs-1.3-1.el4.noarch.rpm mrg-release-1.3-2.el4.noarch.rpm
x86_64: classads-1.0.8-1.el4.x86_64.rpm classads-debuginfo-1.0.8-1.el4.x86_64.rpm classads-devel-1.0.8-1.el4.x86_64.rpm classads-static-1.0.8-1.el4.x86_64.rpm
Red Hat MRG Grid Execute Node for RHEL-4 ES:
Source: condor-7.4.4-0.16.el4.src.rpm condor-job-hooks-1.4-5.el4.src.rpm condor-low-latency-1.1-0.2.el4.src.rpm condor-wallaby-3.6-6.el4.src.rpm mrg-grid-docs-1.3-1.el4.src.rpm mrg-release-1.3-2.el4.src.rpm
i386: condor-7.4.4-0.16.el4.i386.rpm condor-debuginfo-7.4.4-0.16.el4.i386.rpm condor-kbdd-7.4.4-0.16.el4.i386.rpm condor-qmf-7.4.4-0.16.el4.i386.rpm
noarch: condor-job-hooks-1.4-5.el4.noarch.rpm condor-low-latency-1.1-0.2.el4.noarch.rpm condor-wallaby-client-3.6-6.el4.noarch.rpm mrg-grid-docs-1.3-1.el4.noarch.rpm mrg-release-1.3-2.el4.noarch.rpm python-condorutils-1.4-5.el4.noarch.rpm
x86_64: condor-7.4.4-0.16.el4.x86_64.rpm condor-debuginfo-7.4.4-0.16.el4.x86_64.rpm condor-kbdd-7.4.4-0.16.el4.x86_64.rpm condor-qmf-7.4.4-0.16.el4.x86_64.rpm
Red Hat MRG Messaging for RHEL-4 ES:
Source: mrg-release-1.3-2.el4.src.rpm python-qmf-0.7.946106-13.el4.src.rpm python-qpid-0.7.946106-14.el4.src.rpm qpid-java-0.7.946106-11.el4.src.rpm qpid-tests-0.7.946106-1.el4.src.rpm qpid-tools-0.7.946106-11.el4.src.rpm rhm-docs-0.7.946106-8.el4.src.rpm sesame-0.7.4297-3.el4.src.rpm
i386: sesame-0.7.4297-3.el4.i386.rpm sesame-debuginfo-0.7.4297-3.el4.i386.rpm
noarch: mrg-release-1.3-2.el4.noarch.rpm python-qmf-0.7.946106-13.el4.noarch.rpm python-qpid-0.7.946106-14.el4.noarch.rpm qpid-java-client-0.7.946106-11.el4.noarch.rpm qpid-java-common-0.7.946106-11.el4.noarch.rpm qpid-java-example-0.7.946106-11.el4.noarch.rpm qpid-tests-0.7.946106-1.el4.noarch.rpm qpid-tools-0.7.946106-11.el4.noarch.rpm rhm-docs-0.7.946106-8.el4.noarch.rpm
x86_64: sesame-0.7.4297-3.el4.x86_64.rpm sesame-debuginfo-0.7.4297-3.el4.x86_64.rpm
Red Hat MRG Messaging Base for RHEL-4 ES:
Source: mrg-release-1.3-2.el4.src.rpm python-qmf-0.7.946106-13.el4.src.rpm python-qpid-0.7.946106-14.el4.src.rpm qpid-cpp-mrg-0.7.946106-17.el4.src.rpm qpid-java-0.7.946106-11.el4.src.rpm qpid-tests-0.7.946106-1.el4.src.rpm qpid-tools-0.7.946106-11.el4.src.rpm sesame-0.7.4297-3.el4.src.rpm
i386: qmf-0.7.946106-17.el4.i386.rpm qmf-devel-0.7.946106-17.el4.i386.rpm qpid-cpp-client-0.7.946106-17.el4.i386.rpm qpid-cpp-client-devel-0.7.946106-17.el4.i386.rpm qpid-cpp-client-devel-docs-0.7.946106-17.el4.i386.rpm qpid-cpp-client-ssl-0.7.946106-17.el4.i386.rpm qpid-cpp-mrg-debuginfo-0.7.946106-17.el4.i386.rpm qpid-cpp-server-0.7.946106-17.el4.i386.rpm qpid-cpp-server-devel-0.7.946106-17.el4.i386.rpm qpid-cpp-server-ssl-0.7.946106-17.el4.i386.rpm qpid-cpp-server-store-0.7.946106-17.el4.i386.rpm qpid-cpp-server-xml-0.7.946106-17.el4.i386.rpm sesame-0.7.4297-3.el4.i386.rpm sesame-debuginfo-0.7.4297-3.el4.i386.rpm
noarch: mrg-release-1.3-2.el4.noarch.rpm python-qmf-0.7.946106-13.el4.noarch.rpm python-qpid-0.7.946106-14.el4.noarch.rpm qpid-java-client-0.7.946106-11.el4.noarch.rpm qpid-java-common-0.7.946106-11.el4.noarch.rpm qpid-java-example-0.7.946106-11.el4.noarch.rpm qpid-tests-0.7.946106-1.el4.noarch.rpm qpid-tools-0.7.946106-11.el4.noarch.rpm
x86_64: qmf-0.7.946106-17.el4.x86_64.rpm qmf-devel-0.7.946106-17.el4.x86_64.rpm qpid-cpp-client-0.7.946106-17.el4.x86_64.rpm qpid-cpp-client-devel-0.7.946106-17.el4.x86_64.rpm qpid-cpp-client-devel-docs-0.7.946106-17.el4.x86_64.rpm qpid-cpp-client-ssl-0.7.946106-17.el4.x86_64.rpm qpid-cpp-mrg-debuginfo-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-devel-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-ssl-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-store-0.7.946106-17.el4.x86_64.rpm qpid-cpp-server-xml-0.7.946106-17.el4.x86_64.rpm sesame-0.7.4297-3.el4.x86_64.rpm sesame-debuginfo-0.7.4297-3.el4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2009-5005.html https://www.redhat.com/security/data/cve/CVE-2009-5006.html http://www.redhat.com/security/updates/classification/#moderate index.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/
Copyright 2010 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFMty/fXlSAg2UNWIIRAjQwAJ9Kyais3AknZWJ604+22TdGvplpRACcCUrJ aRp0UuHecA1rMRXP38zHuTo= =V7IQ -----END PGP SIGNATURE-----
-- Enterprise-watch-list mailing list Enterprise-watch-list@redhat.com https://www.redhat.com/mailman/listinfo/enterprise-watch-list
|