Hello community,
here is the log from the commit of package rabbitmq-server for openSUSE:Factory
checked in at 2025-06-18 15:58:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rabbitmq-server (Old)
and /work/SRC/openSUSE:Factory/.rabbitmq-server.new.19631 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rabbitmq-server"
Wed Jun 18 15:58:28 2025 rev:95 rq:1286574 version:3.13.7
Changes:
--------
--- /work/SRC/openSUSE:Factory/rabbitmq-server/rabbitmq-server.changes
2025-04-24 17:28:00.535617275 +0200
+++
/work/SRC/openSUSE:Factory/.rabbitmq-server.new.19631/rabbitmq-server.changes
2025-06-18 16:03:45.583062772 +0200
@@ -1,0 +2,7 @@
+Wed Apr 30 07:31:55 UTC 2025 - Simon Lees <[email protected]>
+
+- Correctly escape hostname that could lead to xss attack
+ (bsc#1240071, CVE-2025-30219)
+ * fix-CVE-2025-30219.patch
+
+-------------------------------------------------------------------
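Review bot: The changelog entry at "Correctly escape hostname" is imprecise: the patch it references escapes the virtual host name and the node name in the management UI's overview.ejs warning, not a hostname in general. Suggest wording such as "Escape virtual host and node names in the management UI overview page to prevent XSS", keeping the bsc#1240071 and CVE-2025-30219 references as they are.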
New:
----
fix-CVE-2025-30219.patch
----------(New B)----------
New: (bsc#1240071, CVE-2025-30219)
* fix-CVE-2025-30219.patch
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rabbitmq-server.spec ++++++
--- /var/tmp/diff_new_pack.q2qt5e/_old 2025-06-18 16:03:46.475099696 +0200
+++ /var/tmp/diff_new_pack.q2qt5e/_new 2025-06-18 16:03:46.479099862 +0200
@@ -54,6 +54,7 @@
Source7:
https://raw.githubusercontent.com/rabbitmq/rabbitmq-packaging/v%{version}/RPMS/Fedora/rabbitmq-server.tmpfiles
Source8: README.SUSE
Patch0: rabbitmq-server-allow-elixir-1.18.patch
+Patch1: fix-CVE-2025-30219.patch
BuildRequires: elixir
# https://www.rabbitmq.com/which-erlang.html
BuildRequires: erlang >= 25.0
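Review bot: Patch1 is declared with no comment line above it, so the spec does not record where fix-CVE-2025-30219.patch came from; add a comment naming bsc#1240071, CVE-2025-30219 and the upstream commit 8ad8d3197ec0a233d1427479f9e88879cfda5ea4 it was cherry-picked from. The hunk also does not show %prep, so confirm the patch is actually applied there (through %autosetup or an explicit %patch line), because a declared but unapplied patch would ship the unescaped template while the changelog claims the fix.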
++++++ fix-CVE-2025-30219.patch ++++++
>From b0cdbf3d25c486934d1673044809a6d0bb5e1503 Mon Sep 17 00:00:00 2001
From: Michael Klishin <[email protected]>
Date: Fri, 25 Oct 2024 22:14:41 -0400
Subject: [PATCH] Use fmt_string in this error message
(cherry picked from commit 8ad8d3197ec0a233d1427479f9e88879cfda5ea4)
---
deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
b/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
index fdbbe1b8e025..6276f10d8771 100644
--- a/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
+++ b/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
@@ -27,7 +27,7 @@
if (vhosts[i].cluster_state[vhost_status_node] != 'running') {
%>
<p class="warning">
- Virtual host <b><%= vhosts[i].name %></b> experienced an error on node
<b><%= vhost_status_node %></b> and may be inaccessible
+ Virtual host <b><%= fmt_string(vhosts[i].name) %></b> experienced an error
on node <b><%= fmt_string(vhost_status_node) %></b> and may be inaccessible
</p>
<% }}} %>
</div>
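Review bot: Only the two `<%= ... %>` expressions in this one warning paragraph are wrapped in fmt_string, and the removed line shows that `<%=` in this template emits the value unescaped, so any other place in overview.ejs (or sibling templates) that prints a vhost or node name with a bare `<%= ... %>` would have the same problem. Before accepting this as the complete fix for CVE-2025-30219, search the template directory for remaining unwrapped name outputs, and confirm that fmt_string HTML-escapes its argument, since neither is visible in this hunk. The subject line "Use fmt_string in this error message" also gives no hint that this is a security fix; the packaging changelog carries that information instead, which is worth keeping in sync if the patch is refreshed.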