diff -Nru qpid-cpp-0.16/debian/changelog qpid-cpp-0.16/debian/changelog --- qpid-cpp-0.16/debian/changelog 2012-07-04 08:00:12.000000000 +0000 +++ qpid-cpp-0.16/debian/changelog 2012-09-28 22:38:26.000000000 +0000 @@ -1,3 +1,17 @@ +qpid-cpp (0.16-7ubuntu1) quantal; urgency=low + + * Merge from Debian, remaining changes: + - Disable testsuite due to IPv6 failure see 1016778. + + -- Oussama Bounaim Fri, 28 Sep 2012 09:22:53 +0100 + +qpid-cpp (0.16-7) unstable; urgency=low + + * Fixes security issue CVE-2012-3467 which may allow bypassing the + broker authentication mechanism. Closes: #684456. + + -- Cajus Pollmeier Fri, 10 Aug 2012 20:39:06 +0200 + qpid-cpp (0.16-6ubuntu1) quantal; urgency=low * Disable testsuite due to IPv6 failure see 1016778. diff -Nru qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch --- qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch 1970-01-01 00:00:00.000000000 +0000 +++ qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch 2012-09-28 22:38:26.000000000 +0000 @@ -0,0 +1,243 @@ +--- a/src/qpid/broker/Connection.cpp ++++ b/src/qpid/broker/Connection.cpp +@@ -87,10 +87,14 @@ + bool link_, + uint64_t objectId_, + bool shadow_, +- bool delayManagement) : ++ bool delayManagement, ++ bool authenticated_ ++) : + ConnectionState(out_, broker_), + securitySettings(external), +- adapter(*this, link_, shadow_), ++ shadow(shadow_), ++ authenticated(authenticated_), ++ adapter(*this, link_), + link(link_), + mgmtClosing(false), + mgmtId(mgmtId_), +@@ -100,7 +104,6 @@ + timer(broker_.getTimer()), + errorListener(0), + objectId(objectId_), +- shadow(shadow_), + outboundTracker(*this) + { + outboundTracker.wrap(out); +--- a/src/qpid/broker/Connection.h ++++ b/src/qpid/broker/Connection.h +@@ -86,7 +86,8 @@ + bool isLink = false, + uint64_t objectId = 0, + bool shadow=false, +- bool delayManagement = false); ++ bool delayManagement = false, ++ bool authenticated=true); + + ~Connection (); + +@@ -146,6 +147,9 @@ + /** True if this is a shadow connection in a cluster. */ + bool isShadow() { return shadow; } + ++ /** True if this connection is authenticated */ ++ bool isAuthenticated() const { return authenticated; } ++ + // Used by cluster to update connection status + sys::AggregateOutput& getOutputTasks() { return outputTasks; } + +@@ -174,6 +178,8 @@ + + ChannelMap channels; + qpid::sys::SecuritySettings securitySettings; ++ bool shadow; ++ bool authenticated; + ConnectionHandler adapter; + const bool link; + bool mgmtClosing; +@@ -188,7 +194,6 @@ + boost::intrusive_ptr timeoutTimer; + ErrorListener* errorListener; + uint64_t objectId; +- bool shadow; + framing::FieldTable clientProperties; + + /** +--- a/src/qpid/broker/ConnectionHandler.cpp ++++ b/src/qpid/broker/ConnectionHandler.cpp +@@ -102,9 +102,10 @@ + handler->secured = secured; + } + +-ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient, bool isShadow) : handler(new Handler(connection, isClient, isShadow)) {} ++ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient) : ++ handler(new Handler(connection, isClient)) {} + +-ConnectionHandler::Handler::Handler(Connection& c, bool isClient, bool isShadow) : ++ConnectionHandler::Handler::Handler(Connection& c, bool isClient) : + proxy(c.getOutput()), + connection(c), serverMode(!isClient), secured(0), + isOpen(false) +@@ -115,14 +116,13 @@ + + properties.setString(QPID_FED_TAG, connection.getBroker().getFederationTag()); + +- authenticator = SaslAuthenticator::createAuthenticator(c, isShadow); ++ authenticator = SaslAuthenticator::createAuthenticator(c); + authenticator->getMechanisms(mechanisms); + + Array locales(0x95); + boost::shared_ptr l(new Str16Value(en_US)); + locales.add(l); + proxy.start(properties, mechanisms, locales); +- + } + + maxFrameSize = (64 * 1024) - 1; +--- a/src/qpid/broker/ConnectionHandler.h ++++ b/src/qpid/broker/ConnectionHandler.h +@@ -61,7 +61,7 @@ + SecureConnection* secured; + bool isOpen; + +- Handler(Connection& connection, bool isClient, bool isShadow=false); ++ Handler(Connection& connection, bool isClient); + ~Handler(); + void startOk(const qpid::framing::ConnectionStartOkBody& body); + void startOk(const qpid::framing::FieldTable& clientProperties, +@@ -99,7 +99,7 @@ + + bool handle(const qpid::framing::AMQMethodBody& method); + public: +- ConnectionHandler(Connection& connection, bool isClient, bool isShadow=false ); ++ ConnectionHandler(Connection& connection, bool isClient ); + void close(framing::connection::CloseCode code, const std::string& text); + void heartbeat(); + void handle(framing::AMQFrame& frame); +--- a/src/qpid/broker/SaslAuthenticator.cpp ++++ b/src/qpid/broker/SaslAuthenticator.cpp +@@ -163,13 +163,17 @@ + + #endif + +-std::auto_ptr SaslAuthenticator::createAuthenticator(Connection& c, bool isShadow ) ++std::auto_ptr SaslAuthenticator::createAuthenticator(Connection& c) + { + if (c.getBroker().getOptions().auth) { +- if ( isShadow ) +- return std::auto_ptr(new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted)); ++ // The cluster creates non-authenticated connections for internal shadow connections ++ // that are never connected to an external client. ++ if ( !c.isAuthenticated() ) ++ return std::auto_ptr( ++ new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted)); + else +- return std::auto_ptr(new CyrusAuthenticator(c, c.getBroker().getOptions().requireEncrypted)); ++ return std::auto_ptr( ++ new CyrusAuthenticator(c, c.getBroker().getOptions().requireEncrypted)); + } else { + QPID_LOG(debug, "SASL: No Authentication Performed"); + return std::auto_ptr(new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted)); +--- a/src/qpid/broker/SaslAuthenticator.h ++++ b/src/qpid/broker/SaslAuthenticator.h +@@ -54,7 +54,7 @@ + static void init(const std::string& saslName, std::string const & saslConfigPath ); + static void fini(void); + +- static std::auto_ptr createAuthenticator(Connection& connection, bool isShadow); ++ static std::auto_ptr createAuthenticator(Connection& connection); + + virtual void callUserIdCallbacks() { } + }; +--- a/src/qpid/cluster/Connection.cpp ++++ b/src/qpid/cluster/Connection.cpp +@@ -82,7 +82,9 @@ + const std::string& mgmtId, + const ConnectionId& id, const qpid::sys::SecuritySettings& external) + : cluster(c), self(id), catchUp(false), announced(false), output(*this, out), +- connectionCtor(&output, cluster.getBroker(), mgmtId, external, false, 0, true), ++ connectionCtor(&output, cluster.getBroker(), mgmtId, external, ++ false/*isLink*/, 0/*objectId*/, true/*shadow*/, false/*delayManagement*/, ++ false/*authenticated*/), + expectProtocolHeader(false), + mcastFrameHandler(cluster.getMulticast(), self), + updateIn(c.getUpdateReceiver()), +@@ -99,9 +101,10 @@ + external, + isLink, + isCatchUp ? ++catchUpId : 0, +- // The first catch-up connection is not considered a shadow +- // as it needs to be authenticated. +- isCatchUp && self.second > 1), ++ // The first catch-up connection is not a shadow ++ isCatchUp && self.second > 1, ++ false, // delayManagement ++ true), // catch up connecytions are authenticated + expectProtocolHeader(isLink), + mcastFrameHandler(cluster.getMulticast(), self), + updateIn(c.getUpdateReceiver()), +--- a/src/qpid/cluster/Connection.h ++++ b/src/qpid/cluster/Connection.h +@@ -226,6 +226,7 @@ + uint64_t objectId; + bool shadow; + bool delayManagement; ++ bool authenticated; + + ConnectionCtor( + sys::ConnectionOutputHandler* out_, +@@ -235,17 +236,18 @@ + bool isLink_=false, + uint64_t objectId_=0, + bool shadow_=false, +- bool delayManagement_=false ++ bool delayManagement_=false, ++ bool authenticated_=true + ) : out(out_), broker(broker_), mgmtId(mgmtId_), external(external_), + isLink(isLink_), objectId(objectId_), shadow(shadow_), +- delayManagement(delayManagement_) ++ delayManagement(delayManagement_), authenticated(authenticated_) + {} + + std::auto_ptr construct() { + return std::auto_ptr( + new broker::Connection( + out, broker, mgmtId, external, isLink, objectId, +- shadow, delayManagement) ++ shadow, delayManagement, authenticated) + ); + } + }; +--- a/src/tests/cluster_tests.py ++++ b/src/tests/cluster_tests.py +@@ -227,6 +227,18 @@ + self.assertEqual("x", cluster[0].get_message("q").content) + self.assertEqual("y", cluster[1].get_message("q").content) + ++ def test_other_mech(self): ++ """Test using a mechanism other than PLAIN/ANONYMOUS for cluster update authentication. ++ Regression test for https://issues.apache.org/jira/browse/QPID-3849""" ++ sasl_config=os.path.join(self.rootdir, "sasl_config") ++ cluster = self.cluster(2, args=["--auth", "yes", "--sasl-config", sasl_config, ++ "--cluster-username=zig", ++ "--cluster-password=zig", ++ "--cluster-mechanism=DIGEST-MD5"]) ++ cluster[0].connect() ++ cluster.start() # Before the fix this broker falied to join the cluster. ++ cluster[2].connect() ++ + def test_link_events(self): + """Regression test for https://bugzilla.redhat.com/show_bug.cgi?id=611543""" + args = ["--mgmt-pub-interval", 1] # Publish management information every second. +--- a/src/tests/sasl_test_setup.sh ++++ b/src/tests/sasl_test_setup.sh +@@ -30,7 +30,7 @@ + auxprop_plugin: sasldb + sasldb_path: $PWD/sasl_config/qpidd.sasldb + sql_select: dummy select +-mech_list: ANONYMOUS PLAIN DIGEST-MD5 EXTERNAL ++mech_list: ANONYMOUS PLAIN DIGEST-MD5 EXTERNAL CRAM-MD5 + EOF + + # Populate temporary sasl db. diff -Nru qpid-cpp-0.16/debian/patches/series qpid-cpp-0.16/debian/patches/series --- qpid-cpp-0.16/debian/patches/series 2012-05-24 11:08:09.000000000 +0000 +++ qpid-cpp-0.16/debian/patches/series 2012-09-28 22:38:26.000000000 +0000 @@ -1,3 +1,4 @@ +CVE-2012-3467.patch disable-ssl-test.patch CVE-2012-2145.patch autotools.patch