Source: rabbitmq-server
Source-Version: 3.9.4-1

On Thu, Jul 01, 2021 at 01:22:12PM +0200, Moritz Mühlenhoff wrote:
> Source: rabbitmq-server
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for rabbitmq-server.
>
> CVE-2021-32719[0]:
> | RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server
> | prior to version 3.8.18, when a federation link was displayed in the
> | RabbitMQ management UI via the `rabbitmq_federation_management`
> | plugin, its consumer tag was rendered without proper `<script>`
> | tag sanitization. This potentially allows for JavaScript code
> | execution in the context of the page. The user must be signed in and
> | have elevated permissions (manage federation upstreams and policies)
> | for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As
> | a workaround, disable the `rabbitmq_federation_management` plugin and
> | use [CLI tools](https://www.rabbitmq.com/cli.html) instead.
>
> https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
> https://github.com/rabbitmq/rabbitmq-server/pull/3122
>
> CVE-2021-32718[1]:
> | RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server
> | prior to version 3.8.17, a new user being added via management UI
> | could lead to the user's name being rendered in a confirmation message
> | without proper `<script>` tag sanitization, potentially allowing
> | for JavaScript code execution in the context of the page. In order for
> | this to occur, the user must be signed in and have elevated
> | permissions (other user management). The vulnerability is patched in
> | RabbitMQ 3.8.17. As a workaround, disable `rabbitmq_management` plugin
> | and use CLI tools for management operations and Prometheus and Grafana
> | for metrics and monitoring.
>
> https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
> https://github.com/rabbitmq/rabbitmq-server/pull/3028
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-32719
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32719
> [1] https://security-tracker.debian.org/tracker/CVE-2021-32718
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32718
>
> Please adjust the affected versions in the BTS as needed.
Those were fixed for unstable with the 3.9.4-1 upload.

Regards,
Salvatore
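Both CVEs quoted above are the same bug class: a string an authenticated, privileged user controls (a federation link's consumer tag, a newly created user's name) is interpolated into the management page's HTML without output encoding. The following is an added illustration, not code from rabbitmq-server or from the linked pull requests; the row and message templates, the field names and the sample consumer tag are assumptions made for the example. It shows the unescaped rendering next to the escaped form that the fix amounts to, and a crude check that tells them apart.

```javascript
// Added illustration of the bug class behind CVE-2021-32718 / CVE-2021-32719.
// Not RabbitMQ's own code. It assumes a management page that builds HTML by
// string concatenation (EJS-style templates do the same thing); the helper
// names, the `link` fields and the sample payload are invented for this example.

// Output-encode the characters that matter in HTML text and attribute
// context. Encoding "&" first keeps already-encoded input from being
// double-decoded by the browser.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (CVE-2021-32719 shape): the consumer tag, which the
// user who configured the upstream or policy chose, is copied verbatim.
function renderLinkRowUnsafe(link) {
  return '<tr><td>' + link.upstream + '</td><td>' + link.consumer_tag + '</td></tr>';
}

// Fixed pattern: every untrusted value goes through escapeHtml before it
// is concatenated into markup.
function renderLinkRowSafe(link) {
  return '<tr><td>' + escapeHtml(link.upstream) + '</td><td>' + escapeHtml(link.consumer_tag) + '</td></tr>';
}

// Same two shapes for the "user added" confirmation (CVE-2021-32718).
function renderUserAddedUnsafe(name) {
  return '<p>Added user ' + name + '</p>';
}
function renderUserAddedSafe(name) {
  return '<p>Added user ' + escapeHtml(name) + '</p>';
}

// Crude check used only to make the difference visible: does the produced
// markup still contain a raw <script ...> start tag that a browser would
// execute? Encoded output never can, because "<" became "&lt;".
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input (not taken from any real deployment): a consumer
// tag carrying a script payload. In the real bug the attacker already holds
// the elevated management permissions the advisory describes.
const hostileLink = {
  upstream: 'upstream-a',
  consumer_tag: '<script>alert(document.cookie)</script>',
};

const UNSAFE_HTML = renderLinkRowUnsafe(hostileLink); // raw <script> survives
const SAFE_HTML = renderLinkRowSafe(hostileLink);     // rendered as literal text
```

The escaping here is the text/attribute-context variant; a value dropped into a JavaScript block, a URL or an inline event handler needs the encoding for that context instead, which is why the fix belongs in the template layer rather than in whatever code validates consumer tags or user names on the way in.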