Security update for qpid-proton SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1074-1 Final 1 1 2024-03-30T00:04:07Z current 2024-03-30T00:04:07Z 2024-03-30T00:04:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for qpid-proton This update for qpid-proton fixes the following issues: - CVE-2019-0223: Fixed TLS Man in the Middle Vulnerability (bsc#1133158). The following non-security bugs were fixed: - Fix build with OpenSSL 3.0.0 (bsc#1172267) - Sort linked .o files to make package build reproducible (bsc#1041090) - Fix build with gcc8 (bsc#1084627) - Move libqpid-proton-core to a different package to fix a rpmlint error (bsc#1191783) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1074,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-1074,openSUSE-SLE-15.5-2024-1074 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241074-1/ Link for SUSE-SU-2024:1074-1 https://lists.suse.com/pipermail/sle-updates/2024-April/034819.html E-Mail link for SUSE-SU-2024:1074-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1041090 SUSE Bug 1041090 https://bugzilla.suse.com/1084627 SUSE Bug 1084627 https://bugzilla.suse.com/1133158 SUSE Bug 1133158 https://bugzilla.suse.com/1172267 SUSE Bug 1172267 https://bugzilla.suse.com/1191783 SUSE Bug 1191783 https://www.suse.com/security/cve/CVE-2019-0223/ SUSE CVE CVE-2019-0223 page SUSE Linux Enterprise Module for Package Hub 15 SP5 openSUSE Leap 15.5 libqpid-proton-core10-0.38.0-150000.6.3.1 libqpid-proton-cpp12-0.38.0-150000.6.3.1 libqpid-proton-proactor1-0.38.0-150000.6.3.1 libqpid-proton11-0.38.0-150000.6.3.1 python3-python-qpid-proton-0.38.0-150000.6.3.1 qpid-proton-devel-0.38.0-150000.6.3.1 qpid-proton-devel-doc-0.38.0-150000.6.3.1 qpid-proton-test-0.38.0-150000.6.3.1 python3-python-qpid-proton-0.38.0-150000.6.3.1 as a component of openSUSE Leap 15.5 qpid-proton-devel-0.38.0-150000.6.3.1 as a component of openSUSE Leap 15.5 qpid-proton-devel-doc-0.38.0-150000.6.3.1 as a component of openSUSE Leap 15.5 While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic. CVE-2019-0223 openSUSE Leap 15.5:python3-python-qpid-proton-0.38.0-150000.6.3.1 openSUSE Leap 15.5:qpid-proton-devel-0.38.0-150000.6.3.1 openSUSE Leap 15.5:qpid-proton-devel-doc-0.38.0-150000.6.3.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241074-1/ https://www.suse.com/security/cve/CVE-2019-0223.html CVE-2019-0223 https://bugzilla.suse.com/1133158 SUSE Bug 1133158