Your message dated Sat, 02 Dec 2023 15:32:34 +0000
with message-id <[email protected]>
and subject line Bug#1056723: fixed in rabbitmq-server 3.10.8-1.1+deb12u1
has caused the Debian Bug report #1056723,
regarding rabbitmq-server: CVE-2023-46118
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1056723: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056723
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rabbitmq-server
Version: 3.10.8-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rabbitmq/rabbitmq-server/pull/9708
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rabbitmq-server.

CVE-2023-46118[0]:
| RabbitMQ is a multi-protocol messaging and streaming broker. HTTP
| API did not enforce an HTTP request body limit, making it vulnerable
| to denial of service (DoS) attacks with very large messages. An
| authenticated user with sufficient credentials can publish very
| large messages over the HTTP API and cause the target node to be
| terminated by an "out-of-memory killer"-like mechanism. This
| vulnerability has been patched in versions 3.11.24 and 3.12.7.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46118
    https://www.cve.org/CVERecord?id=CVE-2023-46118
[1] https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
[2] https://github.com/rabbitmq/rabbitmq-server/pull/9708

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: rabbitmq-server
Source-Version: 3.10.8-1.1+deb12u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated rabbitmq-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 27 Nov 2023 08:25:34 +0100
Source: rabbitmq-server
Architecture: source
Version: 3.10.8-1.1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1056723
Changes:
 rabbitmq-server (3.10.8-1.1+deb12u1) bookworm-security; urgency=high
 .
   * CVE-2023-46118: Denial of Service by publishing large messages over the
     HTTP API. Applied upstream patches that introduce a limit of 10MB:
     - Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch
     - Introduce_HTTP_request_body_limit_for_definition_uploads.patch
     (Closes: #1056723).
Checksums-Sha1:
 928f60e760c56e43a260ba59183941d1a2196283 2735 rabbitmq-server_3.10.8-1.1+deb12u1.dsc
 6c499dc16f1691500fe551323e506668450a0de8 3586524 rabbitmq-server_3.10.8.orig.tar.xz
 b043bc517c44bf60d48aed91b37d7097ec21cecd 26104 rabbitmq-server_3.10.8-1.1+deb12u1.debian.tar.xz
 e8c7f956764c005b3d0bfabb125110a1243f49e2 8577 rabbitmq-server_3.10.8-1.1+deb12u1_amd64.buildinfo
Checksums-Sha256:
 9970b73e2083332cc4dbb1ee50dbd2bb5c6a87540658794130311f8b5fb92c6c 2735 rabbitmq-server_3.10.8-1.1+deb12u1.dsc
 903b761ee541c3cf3374506c0d71cd80254392f58c55e033ac8ce3ebcf8d3b29 3586524 rabbitmq-server_3.10.8.orig.tar.xz
 2c40a7236185c86906293b412e66940bbd2f84971c80914560d4463ab8c47f33 26104 rabbitmq-server_3.10.8-1.1+deb12u1.debian.tar.xz
 ab17b52dbf6f5954510ed1c830c494653d4e454f57eae3ef10a5fced4dce974b 8577 rabbitmq-server_3.10.8-1.1+deb12u1_amd64.buildinfo
Files:
 39008cd549675e49dff21867ffcfb756 2735 net optional rabbitmq-server_3.10.8-1.1+deb12u1.dsc
 0bcb3b160fb4f3b469655a7c4ce82743 3586524 net optional rabbitmq-server_3.10.8.orig.tar.xz
 93778e239e8a122be053dae9393db777 26104 net optional rabbitmq-server_3.10.8-1.1+deb12u1.debian.tar.xz
 57f7f2c67ed7923de2ca5871444d0914 8577 net optional rabbitmq-server_3.10.8-1.1+deb12u1_amd64.buildinfo


--- End Message ---
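The defect described in the bug report above (an HTTP API that reads a request body with no upper bound) and the shape of the fix recorded in the changelog (a 10 MiB request body limit), as an added illustrative example. This is Go using net/http, not RabbitMQ's own Erlang/Cowboy code, and it is not part of the original thread. The handler names, the /api/publish path and the Exercise helper are assumptions made for illustration; the only value taken from the page is the 10 MiB limit. It assumes Go 1.19 or later for http.MaxBytesError.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxBodyBytes is the cap the fixed handler applies. The 10 MiB figure is
// taken from the Debian changelog; the handlers below are illustrative
// Go, not RabbitMQ's Erlang code (assumption).
const MaxBodyBytes int64 = 10 << 20

// PublishVulnerable models the pre-fix behaviour: the whole body is read
// into memory with no bound, so an authenticated client streaming a
// multi-gigabyte POST grows the heap until the process is OOM-killed.
func PublishVulnerable(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "published %d bytes\n", len(body))
}

// PublishLimited wraps the body so that reading past MaxBodyBytes fails.
// The cap is enforced on bytes actually read, not on the Content-Length
// header, so a client that lies about the length or sends a chunked
// body with no Content-Length at all is still stopped at the limit.
func PublishLimited(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError // Go 1.19+ (assumption)
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "published %d bytes\n", len(body))
}

// unsizedBody hides the underlying *strings.Reader from httptest.NewRequest
// so the request carries no Content-Length, the way a chunked upload would.
type unsizedBody struct{ io.Reader }

// Exercise posts n bytes of constructed payload to h and returns the HTTP
// status it answered with. With chunked set, no Content-Length is sent.
func Exercise(h http.HandlerFunc, n int64, chunked bool) int {
	var body io.Reader = strings.NewReader(strings.Repeat("x", int(n)))
	if chunked {
		body = unsizedBody{body}
	}
	// The path is illustrative (assumption), not a real RabbitMQ route.
	req := httptest.NewRequest(http.MethodPost, "/api/publish", body)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	over := MaxBodyBytes + 1
	fmt.Println("vulnerable, 10 MiB + 1 bytes:  ", Exercise(PublishVulnerable, over, false)) // 200
	fmt.Println("limited, 10 MiB + 1 bytes:     ", Exercise(PublishLimited, over, false))    // 413
	fmt.Println("limited, same body, chunked:   ", Exercise(PublishLimited, over, true))     // 413
	fmt.Println("limited, exactly 10 MiB:       ", Exercise(PublishLimited, MaxBodyBytes, false)) // 200
}
```

Run it with `go run`. The limited handler rejects a body one byte over the cap whether or not the client supplies a Content-Length, which is the property that matters: a check on the header alone would not have closed this hole, because the header is under the attacker's control. The flip side for operators applying the deb12u1 update is that HTTP API publishes larger than 10 MiB are now refused, so clients relying on the HTTP API for large payloads need to stay under the limit.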
