On 24/10/13 15:34, Thomas Goirand wrote:

> I reported this to the maintainer, and to the security team a *very*
> long time ago, though it seems to be that nothing has been done to
> address this issue.

Your suggestions have not been ignored, and we take feedback on security
issues very seriously.

Please bear in mind that v3.2.0 is the first feature release since June
2013 when the discussion you refer to took place. Entry 24094 from the
release notes is the first step towards a solution:
http://www.rabbitmq.com/release-notes/README-3.2.0.txt
This will allow the broker to report authentication failures explicitly.
This is a feature that AMQP does not offer, so the protocol had to be
extended in a backwards-compatible way.

Only now that the broker can reliably report authentication failures do
we plan to execute the next step, which is to remove the ability to log
in with a default account on a public interface in the default
configuration. (BTW this has nothing to do with IPv6 as suggested in the
bug title.)

I'm sorry you feel disappointed that not enough progress has been made.
We are attempting to introduce this change to the default configuration
in a way that will cause as little disruption as possible. Since the
incidence of authentication failures is expected to rise dramatically it
was deemed necessary to improve their reporting before proceeding.

