Debian Package Tracker - rabbitmq-server

general

source: rabbitmq-server (main)
version: 3.7.18-1
maintainer: Debian OpenStack (DMD)
uploaders: James Page [DMD] – Thomas Goirand [DMD]
arch: all
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.3.5-1.1+deb8u1
o-o-sec: 3.3.5-1.1+deb8u1
oldstable: 3.6.6-1
old-bpo: 3.6.10-1~bpo9+1
stable: 3.7.8-4
testing: 3.7.18-1
unstable: 3.7.18-1

versioned links

3.3.5-1.1+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.10-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.7.8-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.7.18-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

rabbitmq-server (2 bugs: 0, 2, 0, 0)

action needed

Marked for autoremoval on 12 November due to elixir-lang: #941124 high

Version 3.7.18-1 of rabbitmq-server is marked for autoremoval from testing on Tue 12 Nov 2019. It depends (transitively) on elixir-lang, affected by #941124. You should try to prevent the removal by fixing these RC bugs.

Created: 2019-10-11 Last update: 2019-10-23 07:17

7 security issues in jessie high

There are 7 open security issues in jessie.

1 important issue:

CVE-2019-11281: Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

6 issues skipped by the security teams:

CVE-2014-9650: CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions.
CVE-2014-9649: Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message.
CVE-2017-4967: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2017-4965: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2015-8786: The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
CVE-2015-0862: Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content.

Please fix them.

Created: 2015-07-12 Last update: 2019-10-21 19:14

4 security issues in stretch high

There are 4 open security issues in stretch.

1 important issue:

CVE-2019-11281: Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

3 issues skipped by the security teams:

CVE-2017-4966: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
CVE-2017-4967: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2017-4965: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.

Please fix them.

Created: 2017-05-08 Last update: 2019-10-21 19:14

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2019-11281: Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.

Please fix it.

Created: 2019-10-21 Last update: 2019-10-21 19:14

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-11-09 Last update: 2019-10-23 04:19

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 3.7.18-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 72b2056cf57d7c0944b0e5dc6c61feb7d68d8267
Author: Ondřej Nový <onovy@debian.org>
Date:   Fri Oct 18 16:32:08 2019 +0200

    Remove gbp.conf, not used anymore or should be specified in the developers dotfiles

Created: 2019-10-18 Last update: 2019-10-18 15:51

lintian reports 12 warnings normal

Lintian reports 12 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-09-03 Last update: 2019-09-30 01:18

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 4.2.1).

Created: 2018-12-23 Last update: 2019-09-29 23:41

news

[rss feed]

[2019-09-28] rabbitmq-server 3.7.18-1 MIGRATED to testing (Debian testing watch)
[2019-09-23] Accepted rabbitmq-server 3.7.18-1 (source) into unstable (Thomas Goirand)
[2019-06-18] Accepted rabbitmq-server 3.7.8-5 (source all) into unstable (Thomas Goirand)
[2018-11-05] rabbitmq-server 3.7.8-4 MIGRATED to testing (Debian testing watch)
[2018-11-04] rabbitmq-server REMOVED from testing (Debian testing watch)
[2018-10-30] Accepted rabbitmq-server 3.7.8-4 (source all) into unstable (Thomas Goirand)
[2018-10-29] Accepted rabbitmq-server 3.7.8-3 (source all) into unstable (Thomas Goirand)
[2018-10-29] Accepted rabbitmq-server 3.7.8-2 (source all) into unstable (Thomas Goirand)
[2018-10-25] Accepted rabbitmq-server 3.7.8-1 (source all) into unstable (Thomas Goirand)
[2017-10-25] Accepted rabbitmq-server 3.6.10-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Andreas Tille)
[2017-07-04] rabbitmq-server 3.6.10-1 MIGRATED to testing (Debian testing watch)
[2017-06-28] Accepted rabbitmq-server 3.6.10-1 (source all) into unstable (Thomas Goirand)
[2017-01-15] Accepted rabbitmq-server 3.3.5-1.1+deb8u1 (source all) into proposed-updates->stable-new, proposed-updates (Thomas Goirand)
[2017-01-09] rabbitmq-server 3.6.6-1 MIGRATED to testing (Debian testing watch)
[2017-01-03] Accepted rabbitmq-server 3.6.6-1 (source) into unstable (Ondřej Kobližek) (signed by: Ondřej Nový)
[2016-11-09] rabbitmq-server 3.6.5-1 MIGRATED to testing (Debian testing watch)
[2016-11-03] Accepted rabbitmq-server 3.6.5-1 (source all) into unstable (Thomas Goirand)
[2016-10-25] rabbitmq-server REMOVED from testing (Debian testing watch)
[2016-01-24] rabbitmq-server 3.5.7-1 MIGRATED to testing (Debian testing watch)
[2016-01-18] Accepted rabbitmq-server 3.5.7-1 (source all) into unstable (James Page)
[2015-11-16] rabbitmq-server 3.5.4-3.1 MIGRATED to testing (Britney)
[2015-11-10] Accepted rabbitmq-server 3.5.4-3.1 (source) into unstable (Antonio Terceiro)
[2015-10-12] rabbitmq-server 3.5.4-3 MIGRATED to testing (Britney)
[2015-10-06] Accepted rabbitmq-server 3.5.4-3 (source all) into unstable (Thomas Goirand)
[2015-10-05] Accepted rabbitmq-server 3.5.4-2 (source all) into unstable (Thomas Goirand)
[2015-08-10] rabbitmq-server 3.5.4-1 MIGRATED to testing (Britney)
[2015-08-04] Accepted rabbitmq-server 3.5.4-1 (source all) into unstable (James Page)
[2015-06-08] rabbitmq-server 3.5.1-2 MIGRATED to testing (Britney)
[2015-06-02] Accepted rabbitmq-server 3.5.1-2 (source all) into unstable (James Page)
[2015-05-19] rabbitmq-server 3.5.1-1 MIGRATED to testing (Britney)

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 12)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.7.8-4ubuntu2
20 bugs (1 patch)
patches for 3.7.8-4ubuntu2