It was reported [1] that an attacker can gain access to qpidd as an anonymous user, even if the ANONYMOUS mechanism is disallowed. A patch is available (https://issues.apache.org/jira/browse/QPID-6325) that addresses this vulnerability. The fix will be included in subsequent releases, but can be applied to 0.30 if desired.

[1]: http://seclists.org/bugtraq/2015/Jan/122
Created qpid-cpp tracking bugs for this issue:

Affects: fedora-all [bug 1186310]
Affects: epel-7 [bug 1186311]
Upstream commits:

https://svn.apache.org/viewvc?view=revision&revision=1653216
https://svn.apache.org/viewvc?view=revision&revision=1653547
This issue has been addressed in the following products:

MRG for RHEL-5 v.2

Via RHSA-2015:0662 https://rhn.redhat.com/errata/RHSA-2015-0662.html
This issue has been addressed in the following products:

MRG v.2 for RHEL-7

Via RHSA-2015:0660 https://rhn.redhat.com/errata/RHSA-2015-0660.html
This issue has been addressed in the following products:

MRG for RHEL-6 v.2

Via RHSA-2015:0661 https://rhn.redhat.com/errata/RHSA-2015-0661.html
This issue has been addressed in the following products:

MRG for RHEL-6 v.3

Via RHSA-2015:0707 https://rhn.redhat.com/errata/RHSA-2015-0707.html
This issue has been addressed in the following products:

MRG Messaging v.3 for RHEL-7

Via RHSA-2015:0708 https://access.redhat.com/errata/RHSA-2015:0708
Is there a statement of applicability to the qpid-cpp packages in the base RHEL channels outside of MRG?
The qpid-cpp packages in Red Hat Enterprise Linux 6 are deprecated, see bug 1181721 comment 11.
qpid-cpp-0.30-12.el7 and qpid-qmf-0.28-27.el7 have been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
qpid-cpp-0.32-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.