Debian Package Tracker - rabbitmq-server

general

source: rabbitmq-server (main)
version: 3.7.8-4
maintainer: Debian OpenStack [DMD]
uploaders: James Page [DMD] – Thomas Goirand [DMD]
arch: all
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.8.4-1
oldstable: 3.3.5-1.1+deb8u1
old-sec: 3.3.5-1.1+deb8u1
stable: 3.6.6-1
stable-bpo: 3.6.10-1~bpo9+1
testing: 3.7.8-4
unstable: 3.7.8-4

versioned links

2.8.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.3.5-1.1+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.10-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.7.8-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

rabbitmq-server

action needed

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2018-1279: Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster.

Please fix it.

Created: 2018-12-21 Last update: 2019-01-11 06:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2018-1279: Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster.

Please fix it.

Created: 2018-12-21 Last update: 2019-01-11 06:30

lintian reports 9 warnings high

Lintian reports 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2015-09-15 Last update: 2018-10-26 04:52

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2018-10-01 Last update: 2019-02-23 15:04

1 new commit since last upload, time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 3.7.8-5, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 4adc87a63f56d30961eadd1def8850523804f94b
Author: Ondřej Nový <onovy@debian.org>
Date:   Wed Jan 9 14:42:13 2019 +0100

    Removing gbp.conf, not used anymore or should be specified in the developers dotfiles

Created: 2019-01-09 Last update: 2019-02-23 14:30

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-11-09 Last update: 2019-02-23 12:52

4 ignored security issues in stretch low

There are 4 open security issues in stretch.

4 issues skipped by the security teams:

CVE-2017-4965: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2017-4966: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
CVE-2017-4967: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2018-1279: Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster.

Please fix them.

Created: 2017-05-08 Last update: 2019-01-11 06:30

7 ignored security issues in jessie low

There are 7 open security issues in jessie.

7 issues skipped by the security teams:

CVE-2015-8786: The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
CVE-2018-1279: Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster.
CVE-2017-4967: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2017-4965: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2014-9650: CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions.
CVE-2015-0862: Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content.
CVE-2014-9649: Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message.

Please fix them.

Created: 2015-07-12 Last update: 2019-01-11 06:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.3.0 instead of 4.2.1).

Created: 2018-12-23 Last update: 2018-12-23 17:15

news

[rss feed]

[2018-11-05] rabbitmq-server 3.7.8-4 MIGRATED to testing (Debian testing watch)
[2018-11-04] rabbitmq-server REMOVED from testing (Debian testing watch)
[2018-10-30] Accepted rabbitmq-server 3.7.8-4 (source all) into unstable (Thomas Goirand)
[2018-10-29] Accepted rabbitmq-server 3.7.8-3 (source all) into unstable (Thomas Goirand)
[2018-10-29] Accepted rabbitmq-server 3.7.8-2 (source all) into unstable (Thomas Goirand)
[2018-10-25] Accepted rabbitmq-server 3.7.8-1 (source all) into unstable (Thomas Goirand)
[2017-10-25] Accepted rabbitmq-server 3.6.10-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Andreas Tille)
[2017-07-04] rabbitmq-server 3.6.10-1 MIGRATED to testing (Debian testing watch)
[2017-06-28] Accepted rabbitmq-server 3.6.10-1 (source all) into unstable (Thomas Goirand)
[2017-01-15] Accepted rabbitmq-server 3.3.5-1.1+deb8u1 (source all) into proposed-updates->stable-new, proposed-updates (Thomas Goirand)
[2017-01-09] rabbitmq-server 3.6.6-1 MIGRATED to testing (Debian testing watch)
[2017-01-03] Accepted rabbitmq-server 3.6.6-1 (source) into unstable (Ondřej Kobližek) (signed by: Ondřej Nový)
[2016-11-09] rabbitmq-server 3.6.5-1 MIGRATED to testing (Debian testing watch)
[2016-11-03] Accepted rabbitmq-server 3.6.5-1 (source all) into unstable (Thomas Goirand)
[2016-10-25] rabbitmq-server REMOVED from testing (Debian testing watch)
[2016-01-24] rabbitmq-server 3.5.7-1 MIGRATED to testing (Debian testing watch)
[2016-01-18] Accepted rabbitmq-server 3.5.7-1 (source all) into unstable (James Page)
[2015-11-16] rabbitmq-server 3.5.4-3.1 MIGRATED to testing (Britney)
[2015-11-10] Accepted rabbitmq-server 3.5.4-3.1 (source) into unstable (Antonio Terceiro)
[2015-10-12] rabbitmq-server 3.5.4-3 MIGRATED to testing (Britney)
[2015-10-06] Accepted rabbitmq-server 3.5.4-3 (source all) into unstable (Thomas Goirand)
[2015-10-05] Accepted rabbitmq-server 3.5.4-2 (source all) into unstable (Thomas Goirand)
[2015-08-10] rabbitmq-server 3.5.4-1 MIGRATED to testing (Britney)
[2015-08-04] Accepted rabbitmq-server 3.5.4-1 (source all) into unstable (James Page)
[2015-06-08] rabbitmq-server 3.5.1-2 MIGRATED to testing (Britney)
[2015-06-02] Accepted rabbitmq-server 3.5.1-2 (source all) into unstable (James Page)
[2015-05-19] rabbitmq-server 3.5.1-1 MIGRATED to testing (Britney)
[2015-05-13] Accepted rabbitmq-server 3.5.1-1 (source all) into unstable (James Page)
[2015-04-27] rabbitmq-server 3.4.3-2 MIGRATED to testing (Britney)
[2015-02-02] Accepted rabbitmq-server 3.4.3-2 (source all) into unstable (James Page)

bugs [bug history graph]

all: 7
RC: 0
I&N: 7
M&W: 0
F&P: 0
patch: 2

links

homepage
lintian (0, 9)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.7.8-4ubuntu2
18 bugs (1 patch)
patches for 3.7.8-4ubuntu2