Debian Package Tracker - rabbitmq-server

general

source: rabbitmq-server (main)
version: 3.7.18-1
maintainer: Debian OpenStack (DMD)
uploaders: James Page [DMD] – Thomas Goirand [DMD]
arch: all
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.3.5-1.1+deb8u1
o-o-sec: 3.3.5-1.1+deb8u1
oldstable: 3.6.6-1
old-bpo: 3.6.10-1~bpo9+1
stable: 3.7.8-4
testing: 3.7.18-1
unstable: 3.7.18-1

versioned links

3.3.5-1.1+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.10-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.7.8-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.7.18-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

rabbitmq-server (6 bugs: 0, 6, 0, 0)

action needed

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2019-11291: Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Please fix them.

Created: 2019-11-27 Last update: 2020-01-02 22:07

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2019-11291: Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Please fix them.

Created: 2019-11-27 Last update: 2020-01-02 22:07

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-11-09 Last update: 2020-02-16 16:55

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 3.7.18-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 24754f929e886ea5ff5373d5d9ba6c1294cf32a4
Author: Thomas Goirand <zigo@debian.org>
Date:   Tue Nov 26 13:28:38 2019 +0100

      * Resolve issues with startup of RabbitMQ with erlang provided
        epmd daemon. See Ubuntu bug:
        https://bugs.launchpad.net/ubuntu/+source/rabbitmq-server/+bug/1808766

commit 72b2056cf57d7c0944b0e5dc6c61feb7d68d8267
Author: Ondřej Nový <onovy@debian.org>
Date:   Fri Oct 18 16:32:08 2019 +0200

    Remove gbp.conf, not used anymore or should be specified in the developers dotfiles

Created: 2019-10-18 Last update: 2020-02-12 13:20

3 ignored security issues in buster low

There are 3 open security issues in buster.

3 issues skipped by the security teams:

CVE-2019-11291: Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
CVE-2019-11281: Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Please fix them.

Created: 2019-10-21 Last update: 2020-01-02 22:07

9 ignored security issues in jessie low

There are 9 open security issues in jessie.

9 issues skipped by the security teams:

CVE-2014-9650: CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions.
CVE-2014-9649: Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message.
CVE-2017-4967: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2017-4965: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2015-8786: The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
CVE-2019-11291: Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
CVE-2019-11281: Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
CVE-2015-0862: Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content.
CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Please fix them.

Created: 2015-07-12 Last update: 2020-01-02 22:07

6 ignored security issues in stretch low

There are 6 open security issues in stretch.

6 issues skipped by the security teams:

CVE-2017-4966: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
CVE-2017-4967: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2017-4965: An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.
CVE-2019-11291: Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
CVE-2019-11281: Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information.
CVE-2019-11287: Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Please fix them.

Created: 2017-05-08 Last update: 2020-01-02 22:07

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.2.1).

Created: 2018-12-23 Last update: 2020-01-21 05:06

news

[rss feed]

[2019-09-28] rabbitmq-server 3.7.18-1 MIGRATED to testing (Debian testing watch)
[2019-09-23] Accepted rabbitmq-server 3.7.18-1 (source) into unstable (Thomas Goirand)
[2019-06-18] Accepted rabbitmq-server 3.7.8-5 (source all) into unstable (Thomas Goirand)
[2018-11-05] rabbitmq-server 3.7.8-4 MIGRATED to testing (Debian testing watch)
[2018-11-04] rabbitmq-server REMOVED from testing (Debian testing watch)
[2018-10-30] Accepted rabbitmq-server 3.7.8-4 (source all) into unstable (Thomas Goirand)
[2018-10-29] Accepted rabbitmq-server 3.7.8-3 (source all) into unstable (Thomas Goirand)
[2018-10-29] Accepted rabbitmq-server 3.7.8-2 (source all) into unstable (Thomas Goirand)
[2018-10-25] Accepted rabbitmq-server 3.7.8-1 (source all) into unstable (Thomas Goirand)
[2017-10-25] Accepted rabbitmq-server 3.6.10-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Andreas Tille)
[2017-07-04] rabbitmq-server 3.6.10-1 MIGRATED to testing (Debian testing watch)
[2017-06-28] Accepted rabbitmq-server 3.6.10-1 (source all) into unstable (Thomas Goirand)
[2017-01-15] Accepted rabbitmq-server 3.3.5-1.1+deb8u1 (source all) into proposed-updates->stable-new, proposed-updates (Thomas Goirand)
[2017-01-09] rabbitmq-server 3.6.6-1 MIGRATED to testing (Debian testing watch)
[2017-01-03] Accepted rabbitmq-server 3.6.6-1 (source) into unstable (Ondřej Kobližek) (signed by: Ondřej Nový)
[2016-11-09] rabbitmq-server 3.6.5-1 MIGRATED to testing (Debian testing watch)
[2016-11-03] Accepted rabbitmq-server 3.6.5-1 (source all) into unstable (Thomas Goirand)
[2016-10-25] rabbitmq-server REMOVED from testing (Debian testing watch)
[2016-01-24] rabbitmq-server 3.5.7-1 MIGRATED to testing (Debian testing watch)
[2016-01-18] Accepted rabbitmq-server 3.5.7-1 (source all) into unstable (James Page)
[2015-11-16] rabbitmq-server 3.5.4-3.1 MIGRATED to testing (Britney)
[2015-11-10] Accepted rabbitmq-server 3.5.4-3.1 (source) into unstable (Antonio Terceiro)
[2015-10-12] rabbitmq-server 3.5.4-3 MIGRATED to testing (Britney)
[2015-10-06] Accepted rabbitmq-server 3.5.4-3 (source all) into unstable (Thomas Goirand)
[2015-10-05] Accepted rabbitmq-server 3.5.4-2 (source all) into unstable (Thomas Goirand)
[2015-08-10] rabbitmq-server 3.5.4-1 MIGRATED to testing (Britney)
[2015-08-04] Accepted rabbitmq-server 3.5.4-1 (source all) into unstable (James Page)
[2015-06-08] rabbitmq-server 3.5.1-2 MIGRATED to testing (Britney)
[2015-06-02] Accepted rabbitmq-server 3.5.1-2 (source all) into unstable (James Page)
[2015-05-19] rabbitmq-server 3.5.1-1 MIGRATED to testing (Britney)

bugs [bug history graph]

all: 9
RC: 0
I&N: 9
M&W: 0
F&P: 0
patch: 0

links

homepage
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.8.2-0ubuntu1
20 bugs (1 patch)
patches for 3.8.2-0ubuntu1