Debian Package Tracker - rabbitmq-server

general

source: rabbitmq-server (main)
version: 3.8.9-1
maintainer: Debian OpenStack (DMD)
uploaders: James Page [DMD] – Thomas Goirand [DMD]
arch: all
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.3.5-1.1+deb8u1
o-o-sec: 3.3.5-1.1+deb8u1
oldstable: 3.6.6-1
old-bpo: 3.6.10-1~bpo9+1
stable: 3.7.8-4
testing: 3.8.9-1
unstable: 3.8.9-1

versioned links

3.3.5-1.1+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.10-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.7.8-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.8.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

rabbitmq-server (6 bugs: 0, 6, 0, 0)

action needed

A new upstream version is available: 3.8.10 high

A new upstream version 3.8.10 is available, you should consider packaging it.

Created: 2021-01-21 Last update: 2021-01-24 20:34

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
CVE-2019-11291: Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Please fix them.

Created: 2019-11-27 Last update: 2020-10-06 08:37

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
CVE-2019-11291: Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Please fix them.

Created: 2019-11-27 Last update: 2020-10-06 08:37

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-11-09 Last update: 2021-01-24 20:38

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 3.8.9-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 02ca091d15ac35df0fba06b4e0ea4158f5325223
Author: Thomas Goirand <zigo@debian.org>
Date:   Sun Nov 22 00:24:38 2020 +0100

      * Do not use the /usr/sbin/rabbitmq-server wrapper in systemd service file
        (Closes: #947873).
      * Use logrotate daily instead of weekly, and do not override the number of
        logs, so we don't keep too much of them.

Created: 2020-11-22 Last update: 2021-01-23 07:06

lintian reports 17 warnings normal

Lintian reports 17 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-08-22 Last update: 2020-10-22 04:34

6 ignored security issues in stretch low

There are 6 open security issues in stretch.

6 issues skipped by the security teams:

CVE-2017-4965: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2017-4966: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
CVE-2017-4967: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2019-11281: Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
CVE-2019-11291: Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Please fix them.

Created: 2017-05-08 Last update: 2020-10-06 08:37

3 ignored security issues in buster low

There are 3 open security issues in buster.

3 issues skipped by the security teams:

CVE-2019-11281: Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
CVE-2019-11291: Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Please fix them.

Created: 2019-10-21 Last update: 2020-10-06 08:37

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.2.1).

Created: 2018-12-23 Last update: 2020-11-17 05:41

news

[rss feed]

[2020-10-06] rabbitmq-server 3.8.9-1 MIGRATED to testing (Debian testing watch)
[2020-10-01] Accepted rabbitmq-server 3.8.9-1 (source) into unstable (Thomas Goirand)
[2020-09-17] rabbitmq-server 3.8.5-1 MIGRATED to testing (Debian testing watch)
[2020-07-22] Accepted rabbitmq-server 3.8.5-1 (source) into unstable (Thomas Goirand)
[2020-05-19] rabbitmq-server 3.8.3-1 MIGRATED to testing (Debian testing watch)
[2020-05-14] Accepted rabbitmq-server 3.8.3-1 (source) into unstable (Thomas Goirand) (signed by: James Page)
[2019-09-28] rabbitmq-server 3.7.18-1 MIGRATED to testing (Debian testing watch)
[2019-09-23] Accepted rabbitmq-server 3.7.18-1 (source) into unstable (Thomas Goirand)
[2019-06-18] Accepted rabbitmq-server 3.7.8-5 (source all) into unstable (Thomas Goirand)
[2018-11-05] rabbitmq-server 3.7.8-4 MIGRATED to testing (Debian testing watch)
[2018-11-04] rabbitmq-server REMOVED from testing (Debian testing watch)
[2018-10-30] Accepted rabbitmq-server 3.7.8-4 (source all) into unstable (Thomas Goirand)
[2018-10-29] Accepted rabbitmq-server 3.7.8-3 (source all) into unstable (Thomas Goirand)
[2018-10-29] Accepted rabbitmq-server 3.7.8-2 (source all) into unstable (Thomas Goirand)
[2018-10-25] Accepted rabbitmq-server 3.7.8-1 (source all) into unstable (Thomas Goirand)
[2017-10-25] Accepted rabbitmq-server 3.6.10-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Andreas Tille)
[2017-07-04] rabbitmq-server 3.6.10-1 MIGRATED to testing (Debian testing watch)
[2017-06-28] Accepted rabbitmq-server 3.6.10-1 (source all) into unstable (Thomas Goirand)
[2017-01-15] Accepted rabbitmq-server 3.3.5-1.1+deb8u1 (source all) into proposed-updates->stable-new, proposed-updates (Thomas Goirand)
[2017-01-09] rabbitmq-server 3.6.6-1 MIGRATED to testing (Debian testing watch)
[2017-01-03] Accepted rabbitmq-server 3.6.6-1 (source) into unstable (Ondřej Kobližek) (signed by: Ondřej Nový)
[2016-11-09] rabbitmq-server 3.6.5-1 MIGRATED to testing (Debian testing watch)
[2016-11-03] Accepted rabbitmq-server 3.6.5-1 (source all) into unstable (Thomas Goirand)
[2016-10-25] rabbitmq-server REMOVED from testing (Debian testing watch)
[2016-01-24] rabbitmq-server 3.5.7-1 MIGRATED to testing (Debian testing watch)
[2016-01-18] Accepted rabbitmq-server 3.5.7-1 (source all) into unstable (James Page)
[2015-11-16] rabbitmq-server 3.5.4-3.1 MIGRATED to testing (Britney)
[2015-11-10] Accepted rabbitmq-server 3.5.4-3.1 (source) into unstable (Antonio Terceiro)
[2015-10-12] rabbitmq-server 3.5.4-3 MIGRATED to testing (Britney)
[2015-10-06] Accepted rabbitmq-server 3.5.4-3 (source all) into unstable (Thomas Goirand)

bugs [bug history graph]

all: 10
RC: 0
I&N: 9
M&W: 0
F&P: 1
patch: 0

links

homepage
lintian (0, 17)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.8.9-1
19 bugs