CVE-2016-2166

Name: CVE-2016-2166
Description: The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release       Version      Status
qpid-proton (PTS)    jessie        0.7-2        fixed
                     stretch       0.14.0-5     fixed
                     buster        0.22.0-3     fixed
                     bullseye      0.22.0-5.1   fixed
                     bookworm      0.37.0-2     fixed
                     sid, trixie   0.37.0-3     fixed

The information below is based on the following data on fixed versions.

Package       Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
qpid-proton   source   (unstable)   (not affected)

Notes

- qpid-proton <not-affected> (Vulnerable code not present)
  https://issues.apache.org/jira/browse/PROTON-1157
  http://qpid.apache.org/releases/qpid-proton-0.12.1/
  Affects the Qpid Proton Python API from 0.9 up to and including 0.12.0; fixed in 0.12.1.
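The failure mode described above, an amqps URI accepted and then served over plaintext because the SSL layer is missing, as an added illustration in Python. This is constructed example code, not Apache Qpid Proton's own source: plan_vulnerable, plan_fixed, would_silently_downgrade, ConnectPlan and the broker URLs are hypothetical names and inputs chosen for the illustration. The ssl_available flag stands in for whatever the real binding reports about its SSL support (in Proton's Python API that is assumed to be proton.SSL.present(); verify against the installed version).

```python
"""Silent TLS downgrade, the failure class behind CVE-2016-2166.

Constructed example, not Apache Qpid Proton source. A client is handed an
amqps:// URL, which asks for TLS, but the library was built without an SSL
layer. The vulnerable planner quietly connects in the clear; the fixed
planner refuses. All names here are hypothetical.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# IANA-registered default ports for the two AMQP schemes.
DEFAULT_PORTS = {"amqp": 5672, "amqps": 5671}


class InsecureFallbackError(RuntimeError):
    """The URL requires TLS but no TLS implementation is available."""


@dataclass(frozen=True)
class ConnectPlan:
    host: str
    port: int
    use_tls: bool


def _parse(url):
    """Split an amqp/amqps URL into (scheme, host, port), applying the
    default port for the scheme when the URL gives none."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r} in {url!r}")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def plan_vulnerable(url, ssl_available):
    """Vulnerable pattern: TLS is enabled only when the scheme is amqps AND
    an SSL layer happens to be present. With no SSL layer the amqps request
    degrades to plaintext and the caller is never told."""
    scheme, host, port = _parse(url)
    use_tls = scheme == "amqps" and ssl_available  # silent downgrade path
    return ConnectPlan(host, port, use_tls)


def plan_fixed(url, ssl_available):
    """Hardened pattern: amqps is a requirement, not a preference. If TLS
    cannot be provided the connection attempt fails loudly."""
    scheme, host, port = _parse(url)
    wants_tls = scheme == "amqps"
    if wants_tls and not ssl_available:
        raise InsecureFallbackError(
            f"{url!r} requires TLS but no SSL support is available")
    return ConnectPlan(host, port, wants_tls)


def would_silently_downgrade(url, ssl_available):
    """True when the vulnerable planner would send this URL's traffic in the
    clear even though the URL asked for TLS: the condition a MITM exploits."""
    scheme, _, _ = _parse(url)
    return scheme == "amqps" and not plan_vulnerable(url, ssl_available).use_tls


if __name__ == "__main__":
    # Constructed sample inputs: broker URLs as a deployment might configure them.
    for ssl_present in (True, False):
        for url in ("amqps://broker.example:5671", "amqp://broker.example"):
            downgraded = would_silently_downgrade(url, ssl_present)
            print(f"ssl_available={ssl_present!s:5} {url:30} "
                  f"silent downgrade: {downgraded}")
```

The practical check for a deployment is the would_silently_downgrade condition: if a client library can be built without its SSL layer, confirm that an amqps:// endpoint makes it fail rather than connect, because a plaintext session to port 5671 looks healthy to the application while exposing credentials and payloads to anyone on the path.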
