From the peanut gallery: it would be helpful to include a link to the download page and the main website in announcements such as these.
On 30 November 2017 at 17:15, Keith Wall <[email protected]> wrote:
> CVE-2017-15701: Apache Qpid Broker-J denial of service vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: 6.1.0, 6.1.1, 6.1.2, 6.1.3, and 6.1.4
>
> Description:
>
> The broker does not properly enforce a maximum frame size in AMQP 1.0
> frames. A remote unauthenticated attacker could exploit this to cause
> the broker to exhaust all available memory and eventually terminate.
> Older AMQP protocols are not affected.
>
> Resolution:
>
> Users who have AMQP 1.0 support enabled (default) should upgrade their
> Qpid Broker-J to version 6.1.5 or later.
>
> Mitigation:
>
> If upgrading the broker is not possible, users can choose to disable
> AMQP 1.0 by either setting the system property
> "qpid.plugin.disabled:protocolenginecreator.AMQP_1_0" to "true",
> excluding "AMQP_1_0" from the supported protocol list on all AMQP
> ports, or by removing the AMQP 1.0 related jar files from the Java
> classpath.
>
> References:
>
> https://issues.apache.org/jira/browse/QPID-7947
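Added example, not part of the advisory and not code from Qpid Broker-J: a Python frame-header check showing the enforcement the advisory describes as missing, i.e. rejecting an AMQP 1.0 frame whose declared size exceeds the negotiated max-frame-size before any of its payload is buffered. The header layout follows AMQP 1.0 framing (SIZE, DOFF, TYPE, channel); the sample headers and the default limit of 512 bytes (the smallest value a peer may advertise) are constructed for the example.

```python
import io
import struct

# AMQP 1.0 frame header: SIZE (uint32, total frame length incl. header),
# DOFF (uint8, header length in 4-byte words), TYPE (uint8), channel (uint16).
FRAME_HEADER = struct.Struct(">IBBH")
MIN_FRAME_SIZE = 8            # a bare header with DOFF == 2
DEFAULT_MAX_FRAME_SIZE = 512  # smallest max-frame-size a peer may advertise


class FrameError(ValueError):
    pass


def parse_frame_header(header: bytes, max_frame_size: int = DEFAULT_MAX_FRAME_SIZE):
    """Validate the 8-byte header; nothing beyond it has been read yet."""
    if len(header) != FRAME_HEADER.size:
        raise FrameError("short header")
    size, doff, frame_type, channel = FRAME_HEADER.unpack(header)
    if size < MIN_FRAME_SIZE:
        raise FrameError(f"frame size {size} below minimum")
    if size > max_frame_size:
        # The check the advisory says the broker lacked: refuse the frame
        # from its header alone instead of allocating `size` bytes for it.
        raise FrameError(f"frame size {size} exceeds max-frame-size {max_frame_size}")
    if doff < 2 or doff * 4 > size:
        raise FrameError(f"invalid doff {doff}")
    if frame_type not in (0x00, 0x01):  # 0x00 AMQP, 0x01 SASL
        raise FrameError(f"unknown frame type {frame_type:#x}")
    return size, doff, frame_type, channel


def header_accepted(header: bytes, max_frame_size: int = DEFAULT_MAX_FRAME_SIZE) -> bool:
    try:
        parse_frame_header(header, max_frame_size)
        return True
    except FrameError:
        return False


def read_frame(stream, max_frame_size: int = DEFAULT_MAX_FRAME_SIZE):
    """Read one frame, enforcing the limit before the body is buffered."""
    size, doff, frame_type, channel = parse_frame_header(stream.read(FRAME_HEADER.size), max_frame_size)
    body = stream.read(size - FRAME_HEADER.size)
    if len(body) != size - FRAME_HEADER.size:
        raise FrameError("truncated frame")
    return frame_type, channel, body[(doff - 2) * 4:]  # skip extended header


# Constructed samples: an empty AMQP frame and a header declaring an absurd size.
SMALL_FRAME = FRAME_HEADER.pack(8, 2, 0x00, 0)
HUGE_HEADER = FRAME_HEADER.pack(0x7FFFFFFF, 2, 0x00, 0)


def demo():
    good = FRAME_HEADER.pack(12, 2, 0x00, 5) + b"\x00\x00\x00\x00"
    frame_type, channel, body = read_frame(io.BytesIO(good))
    return frame_type, channel, len(body), header_accepted(HUGE_HEADER)
```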
