Messaging applications using the Proton Python API to provision an SSL/TLS encrypted TCP connection may actually instantiate a non-encrypted connection without notice if SSL support is unavailable. This will result in all messages being sent in the clear without the knowledge of the user. This issue affects those applications that use the Proton Reactor Python API to create SSL/TLS connections. Specifically the proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes are vulnerable. These classes can create an unencrypted connection if the "amqps://" URL prefix is used. The issue only occurs if the installed Proton libraries do not support SSL. This would be the case if the libraries were built without SSL support or the necessary SSL libraries are not present on the system (e.g. OpenSSL in the case of *nix).

References: http://seclists.org/bugtraq/2016/Mar/166
Upstream fix: https://issues.apache.org/jira/browse/PROTON-1157
Upstream fixed release: http://qpid.apache.org/releases/qpid-proton-0.12.1/
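A fail-closed guard for the classes named above, written as an added example and not code from the Proton project: it assumes the Python binding's `proton.SSL.present()` helper (which reports whether the installed libraries were built with SSL) and refuses an "amqps://" URL when that check fails, instead of letting the connection silently drop to plaintext.

```python
"""Fail-closed transport check for URLs handed to the Proton Python API.

Constructed example: an 'amqps://' URL is only accepted when the installed
Proton libraries report SSL support, so a build without SSL raises instead
of producing an unencrypted connection without notice.
"""
from urllib.parse import urlsplit


class SSLUnavailableError(RuntimeError):
    """Raised when TLS was requested but the Proton build cannot provide it."""


def proton_ssl_present():
    """Ask the installed Proton binding whether it was built with SSL.

    Imported lazily so this module loads where Proton is absent; a missing
    binding is treated as 'no SSL' (fail closed). Assumes proton.SSL.present().
    """
    try:
        from proton import SSL
    except ImportError:
        return False
    return bool(SSL.present())


def check_url_transport(url, ssl_present=proton_ssl_present):
    """Return url if it is safe to pass to Connector/Container/BlockingConnection.

    Raises SSLUnavailableError for 'amqps://' when SSL is unavailable and
    ValueError for schemes other than amqp/amqps. `ssl_present` is injectable
    so the logic can be exercised without a Proton installation.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme == "amqps":
        if not ssl_present():
            raise SSLUnavailableError(
                "TLS requested by %r but the Proton libraries have no SSL "
                "support; refusing to fall back to a plaintext connection" % url)
        return url
    if scheme == "amqp":
        return url
    raise ValueError("unsupported scheme %r in %r" % (scheme, url))


def open_blocking_connection(url, ssl_present=proton_ssl_present):
    """Guarded stand-in for proton.utils.BlockingConnection(url)."""
    from proton.utils import BlockingConnection  # real binding needed here
    return BlockingConnection(check_url_transport(url, ssl_present))
```

Until the fixed 0.12.1 release is deployed, wrapping connection creation this way turns the silent downgrade into a hard error that monitoring can catch.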
Created qpid-proton tracking bugs for this issue:
Affects: fedora-all [bug 1320843]
Affects: epel-6 [bug 1320845]
Affects: epel-7 [bug 1320846]

Created qpid-proton-java tracking bugs for this issue:
Affects: fedora-all [bug 1320844]
Statement: This issue affects the versions of qpid-proton as shipped with Red Hat Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.