Candidate: CVE-2019-0223
PublicDate: 2019-04-23 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0223
 https://issues.apache.org/jira/browse/PROTON-2014
 https://qpid.apache.org/cves/CVE-2019-0223.html
 https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=97c7733
 https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=159fac1
 https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=4aea0fd
 https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2d3ba8a
 http://www.openwall.com/lists/oss-security/2019/04/23/4
 https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
 https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E
 https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E
 https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E
 https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E
 https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E
Description:
 While investigating bug PROTON-2014, we discovered that under some
 circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its
 language bindings) can connect to a peer anonymously using TLS *even when
 configured to verify the peer certificate* while used with OpenSSL versions
 before 1.1.0. This means that an undetected man-in-the-middle attack could be
 constructed if an attacker can arrange to intercept TLS traffic.
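The failure mode in the description is a TLS client that asks the library to verify the peer certificate but still offers anonymous (aNULL) cipher suites; OpenSSL's DEFAULT cipher list contained those suites until 1.1.0 removed them, and a peer that negotiates one never sends a certificate, so there is nothing for the verify step to reject. The following is an added example, not code from Qpid Proton or from Ubuntu's tracker: it uses CPython's ssl module as a stand-in for Proton's TLS binding, reproduces the shape of the misconfiguration (verify required, anonymous suites still enabled; on current OpenSSL that needs an explicit `ALL:@SECLEVEL=0`, which is my illustrative choice, since a modern DEFAULT list no longer includes aNULL), and shows the two checks a hardened client wants: an explicit `!aNULL:!eNULL` cipher string audited through `SSLContext.get_ciphers()`, and a post-handshake assertion that a certificate actually arrived. Function names are mine.

```python
import ssl
from typing import List, Optional

# Cipher string for the fixed configuration: take the linked library's DEFAULT
# list and explicitly remove anonymous (aNULL) and unencrypted (eNULL) suites,
# so the offer list no longer depends on which OpenSSL release is underneath.
HARDENED_CIPHERS = "DEFAULT:!aNULL:!eNULL"

# OpenSSL's naming for anonymous Diffie-Hellman suites (ADH-*, AECDH-*).
ANON_PREFIXES = ("ADH-", "AECDH-")


def is_anonymous_suite(name: str) -> bool:
    """True if an OpenSSL cipher-suite name denotes an unauthenticated suite."""
    return name.upper().startswith(ANON_PREFIXES)


def unauthenticated_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of suites enabled in ctx that provide no peer authentication.

    SSLContext.get_ciphers() surfaces OpenSSL's per-suite metadata: anonymous
    suites carry auth 'auth-null' and 'Au=None' in their description line.
    """
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c.get("auth") == "auth-null"
        or "Au=None" in c.get("description", "")
        or is_anonymous_suite(c["name"])
    ]


def permissive_client_context() -> Optional[ssl.SSLContext]:
    """Shape of the bug: verify_mode is CERT_REQUIRED, yet anonymous suites are
    on the offer list, so an interceptor can pick one and never show a cert.

    With OpenSSL before 1.1.0 the DEFAULT list already contained aNULL suites;
    newer builds only enable them on request at security level 0, which is
    what the cipher string below asks for (illustrative, not Proton's code).
    Returns None if the linked OpenSSL has no anonymous suites compiled in.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        return None
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the peer AND cannot negotiate anonymously."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.set_ciphers(HARDENED_CIPHERS)
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    leftover = unauthenticated_ciphers(ctx)
    if leftover:  # defence in depth: fail closed rather than trust the string
        raise ssl.SSLError(f"anonymous suites still enabled: {leftover}")
    return ctx


def require_authenticated_peer(tls) -> str:
    """Post-handshake check for an ssl.SSLSocket / ssl.SSLObject: refuse the
    session if no peer certificate arrived or the suite is anonymous, which
    is exactly the state verify_mode alone failed to catch. Returns the suite."""
    name = tls.cipher()[0]
    if tls.getpeercert(binary_form=True) is None or is_anonymous_suite(name):
        raise ssl.SSLError(f"unauthenticated TLS session ({name}); refusing to proceed")
    return name
```

`unauthenticated_ciphers(permissive_client_context())` lists whatever ADH/AECDH suites the local OpenSSL still ships, while the same audit on `hardened_client_context()` must come back empty; `require_authenticated_peer()` is the cheap runtime guard to call right after `do_handshake()` so a client does not depend on the cipher string alone.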
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N [7.4 HIGH]
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N [7.4 HIGH]

Patches_qpid-proton:
upstream_qpid-proton: needs-triage
precise/esm_qpid-proton: DNE
trusty_qpid-proton: DNE
trusty/esm_qpid-proton: DNE
xenial_qpid-proton: ignored (end of standard support, was needs-triage)
bionic_qpid-proton: needs-triage
cosmic_qpid-proton: ignored (reached end-of-life)
disco_qpid-proton: not-affected (0.22.0-3)
eoan_qpid-proton: not-affected (0.22.0-3.2)
focal_qpid-proton: not-affected (0.22.0-3.2)
groovy_qpid-proton: not-affected (0.22.0-3.2)
hirsute_qpid-proton: not-affected (0.22.0-3.2)
impish_qpid-proton: not-affected (0.22.0-3.2)
jammy_qpid-proton: not-affected (0.22.0-3.2)
devel_qpid-proton: not-affected (0.22.0-3.2)