Your message dated Tue, 27 Jan 2015 15:27:35 +0100
with message-id <[email protected]>
and subject line Patch already applied
has caused the Debian Bug report #773259,
regarding XSS and response-splitting bugs in management plugin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
773259: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773259
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rabbitmq-server
Version: 3.3.5-1
Severity: important


RabbitMQ 3.4.1 fixes a couple of bugs in the management plugin that may
have security implications. These can probably be considered less severe
than the bug described here:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
(which was fixed in 3.4.0).

From the release notes:

26437 prevent /api/* from returning text/html error messages which could
act as an XSS vector (since 2.1.0)

26433 fix response-splitting vulnerability in /api/downloads (since 2.1.0)

Bug 26437 allowed an attacker to create a URL to "/api/..." which would
provoke an internal server error, resulting in the server returning an
HTML page with text from the URL embedded and not escaped. This was
fixed by ensuring all URLs below /api/ only ever return responses with a
content type of application/json, even in the case of an internal server
error.

Bug 26433 allowed an attacker to specify a URL to /api/definitions which
would cause an arbitrary additional header to be returned. This was
fixed by stripping out CR/LF from the "download" query string parameter.

Above text from:
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs

--- End Message ---
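The two fixes described in the report, shown as an added example (not code from rabbitmq-management, whose implementation is in Erlang): the "download" values and the error reason below are constructed, and the header builders and the error-response shape are assumptions for illustration.

```python
import json
import re

# Constructed sample values for the "download" query-string parameter (not from the bug report).
SAFE_DOWNLOAD = "rabbit_definitions.json"
CRLF_DOWNLOAD = "defs.json\r\nX-Constructed: 1\r\n"


def content_disposition_unsafe(download):
    """Pre-fix pattern: the raw parameter is concatenated into a header line,
    so CR/LF inside it ends the header and starts another one (response splitting)."""
    return "Content-Disposition: attachment; filename=" + download


def strip_crlf(value):
    """The 26433 fix: remove CR and LF before the value reaches any header."""
    return value.replace("\r", "").replace("\n", "")


def content_disposition_safe(download):
    """Hardened builder: same header, but the parameter can no longer split the response."""
    return "Content-Disposition: attachment; filename=" + strip_crlf(download)


def header_lines(header):
    """Number of non-empty lines an HTTP parser would see; more than one means splitting occurred."""
    return len([line for line in re.split(r"\r?\n", header) if line])


def json_error(status, reason):
    """The 26437 fix in miniature: every /api/* error is served as application/json,
    so whatever text the request carried is returned as JSON data rather than as markup."""
    body = json.dumps({"error": "Internal Server Error", "reason": reason})
    return {"status": status, "headers": {"Content-Type": "application/json"}, "body": body}


def parse_error_reason(response):
    """Read the reason back out of a json_error() response."""
    return json.loads(response["body"])["reason"]
```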
--- Begin Message ---
Hi,

I just tried applying
https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad.patch,
and it seems that it was already applied to the current rabbitmq-server
in Sid, so I'm closing this bug.

Thomas Goirand (zigo)

--- End Message ---
