Source: rabbitmq-server
Version: 3.6.5-1
Severity: grave
Tags: upstream security
Justification: user security hole
Hi,

the following vulnerability was published for rabbitmq-server.

CVE-2016-9877[0]:
| An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
| before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before
| 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport)
| connection authentication with a username/password pair succeeds if an
| existing username is provided but the password is omitted from the
| connection request. Connections that use TLS with a client-provided
| certificate are not affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9877
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9877
[1] https://github.com/rabbitmq/rabbitmq-mqtt/pull/98
[2] https://github.com/rabbitmq/rabbitmq-mqtt/issues/96

Please adjust the affected versions in the BTS as needed. I was only able
to check the vulnerability sourcewise for 3.6.5 in unstable, older versions
have not been checked so far.

Regards,
Salvatore
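The failure mode the advisory describes is an authentication path that treats a CONNECT carrying a username but no password as a successful login. The following Python is an added illustration, written for this report and not taken from the RabbitMQ MQTT plugin (which is Erlang) or from the linked pull request. It parses an MQTT 3.1.1 CONNECT packet, exposes whether the password field was actually present, and shows the credential check a broker must perform so that an omitted or empty password is rejected. The packet builder only produces constructed sample input for the check; the credential store is a hypothetical plaintext dict for brevity.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# MQTT 3.1.1 CONNECT flag bits (assumed from the protocol specification).
FLAG_USERNAME = 0x80
FLAG_PASSWORD = 0x40
FLAG_WILL = 0x04
FLAG_CLEAN_SESSION = 0x02


@dataclass
class ConnectRequest:
    client_id: str
    username: Optional[str]
    password: Optional[bytes]   # None means the field was absent from the packet


def _encode_string(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def _read_string(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated string field")
    return buf[pos:pos + n], pos + n


def _encode_remaining_length(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n % 128
        n //= 128
        if n:
            b |= 0x80
        out.append(b)
        if not n:
            return bytes(out)


def _read_remaining_length(buf: bytes, pos: int):
    mult, value = 1, 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[bytes] = None) -> bytes:
    """Constructed sample input: a minimal MQTT 3.1.1 CONNECT packet."""
    flags = FLAG_CLEAN_SESSION
    payload = _encode_string(client_id.encode())
    if username is not None:
        flags |= FLAG_USERNAME
        payload += _encode_string(username.encode())
    if password is not None:
        flags |= FLAG_PASSWORD
        payload += _encode_string(password)
    var_header = _encode_string(b"MQTT") + bytes([4, flags]) + struct.pack(">H", 60)
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> ConnectRequest:
    """Parse a CONNECT packet, preserving whether the password field was present."""
    if not packet or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _read_remaining_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    name, pos = _read_string(packet, pos)
    if name != b"MQTT" or packet[pos] != 4:
        raise ValueError("unsupported protocol name/level")
    pos += 1
    flags = packet[pos]
    pos += 1
    if flags & 0x01:
        raise ValueError("reserved connect flag set")
    pos += 2  # keep-alive interval, not needed here
    client_id, pos = _read_string(packet, pos)
    if flags & FLAG_WILL:
        _, pos = _read_string(packet, pos)  # will topic
        _, pos = _read_string(packet, pos)  # will message
    username = password = None
    if flags & FLAG_USERNAME:
        raw, pos = _read_string(packet, pos)
        username = raw.decode()
    if flags & FLAG_PASSWORD:
        password, pos = _read_string(packet, pos)
    if pos != len(packet):
        raise ValueError("trailing bytes after payload")
    return ConnectRequest(client_id.decode(), username, password)


def authenticate(req: ConnectRequest, credentials: Dict[str, bytes]) -> bool:
    """Hardened check: a known username alone never authenticates.

    Both the username and a non-empty password must be present, and the
    password must match. A broker that only verified the username when the
    password flag was clear would exhibit the CVE-2016-9877 behaviour.
    """
    if req.username is None:
        return False                      # anonymous access not permitted here
    if req.password is None or len(req.password) == 0:
        return False                      # omitted or empty password is a failure
    expected = credentials.get(req.username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, req.password)
```

The decisive detail is that `parse_connect` keeps `password` as `None` when the flag is clear rather than defaulting it to an empty string, and `authenticate` treats both `None` and `b""` as a rejected login, so the username-only case can never reach the credential comparison.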