{"id":"UBUNTU-CVE-2019-0223","details":"While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* when used with OpenSSL versions before 1.1.0. This means that an undetected man-in-the-middle attack could be constructed if an attacker can arrange to intercept TLS traffic.","modified":"2025-10-24T04:47:22Z","published":"2019-04-23T16:29:00Z","upstream":["CVE-2019-0223"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-0223"},{"type":"REPORT","url":"https://issues.apache.org/jira/browse/PROTON-2014"},{"type":"REPORT","url":"https://qpid.apache.org/cves/CVE-2019-0223.html"},{"type":"REPORT","url":"https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=97c7733"},{"type":"REPORT","url":"https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=159fac1"},{"type":"REPORT","url":"https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=4aea0fd"},{"type":"REPORT","url":"https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2d3ba8a"},{"type":"REPORT","url":"http://www.openwall.com/lists/oss-security/2019/04/23/4"},{"type":"REPORT","url":"https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E"},{"type":"REPORT","
url":"https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2019-0223"}],"affected":[{"package":{"name":"qpid-proton","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/qpid-proton@0.10-2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.7-2","0.10-2"],"ecosystem_specific":{"binaries":[{"binary_name":"libqpid-proton2","binary_version":"0.10-2"},{"binary_name":"libqpid-proton2-dev","binary_version":"0.10-2"},{"binary_name":"libqpid-proton2-dev-examples","binary_version":"0.10-2"},{"binary_name":"python-qpid-proton","binary_version":"0.10-2"},{"binary_name":"python3-qpid-proton","binary_version":"0.10-2"},{"binary_name":"qpid-proton-dump","binary_version":"0.10-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-0223.json"}},{"package":{"name":"qpid-proton","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/qpid-proton@0.14.0-5.1ubuntu1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.14.0-5.1","0.14.0-5.1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"libqpid-proton-cpp8","binary_version":"0.14.0-5.1ubuntu1"},{"binary_name":"libqpid-proton-cpp8-dev","binary_version":"0.14.0-5.1ubuntu1"},{"binary_name":"libqpid-proton8","binary_version":"0.14.0-5.1ubuntu1"},{"binary_name":"libqpid-proton8-dev","binary_version":"0.14.0-5.1ubuntu1"},{"binary_name":"libqpid-proton8-dev-examples","binary_version":"0.14.0-5.1ubuntu1"},{"binary_name":"python-qpid-proton","binary_version":"0.14.0-5.1ubuntu1"},{"binary_name":"python3-qpid-proton","binary_version":"0.14.0-5.1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-0223.json"}}],"schema_version":"1.7.3","severity":[{"type"
:"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}