Source: rabbitmq-server
Version: 3.10.8-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rabbitmq/rabbitmq-server/pull/9708
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rabbitmq-server.

CVE-2023-46118[0]:
| RabbitMQ is a multi-protocol messaging and streaming broker. HTTP
| API did not enforce an HTTP request body limit, making it vulnerable
| to denial of service (DoS) attacks with very large messages. An
| authenticated user with sufficient credentials can publish very
| large messages over the HTTP API and cause the target node to be
| terminated by an "out-of-memory killer"-like mechanism. This
| vulnerability has been patched in versions 3.11.24 and 3.12.7.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46118
    https://www.cve.org/CVERecord?id=CVE-2023-46118
[1] https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
[2] https://github.com/rabbitmq/rabbitmq-server/pull/9708

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
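The control the advisory describes as missing, an HTTP request body limit enforced before the publish payload is buffered, is shown below as an added illustration; this is not RabbitMQ's code or the fix in PR 9708 (RabbitMQ's HTTP API runs on Erlang), and the endpoint shape, the 1 MiB limit, and the sample requests are constructed for the example. The point it makes is that the limit has to be enforced twice: once against the declared Content-Length, so an oversized request is rejected before any of its body is read, and again while reading, because a client may omit or understate Content-Length.

```python
"""Added example (not RabbitMQ code): bounded reading of an HTTP request
body before a publish payload is parsed.  Standard library only; the
limit, endpoint and sample requests below are constructed for illustration."""
import io
import json

# Hypothetical limit; the page does not state RabbitMQ's own value.
MAX_BODY_BYTES = 1024 * 1024  # 1 MiB


class BodyTooLarge(Exception):
    """Raised when a request body exceeds the configured limit."""


def read_body_limited(stream, headers, max_bytes=MAX_BODY_BYTES):
    """Read at most max_bytes from stream.

    Fails fast on a declared Content-Length above the limit (nothing of the
    body is read), and fails closed while reading when the actual body is
    larger than declared or no length was declared at all.  Memory use is
    bounded by max_bytes + 1 regardless of what the client sends."""
    declared = headers.get("content-length")
    if declared is not None:
        try:
            n = int(declared)
        except ValueError:
            raise ValueError("malformed Content-Length")
        if n < 0:
            raise ValueError("negative Content-Length")
        if n > max_bytes:
            raise BodyTooLarge(f"declared {n} bytes > limit {max_bytes}")
    buf = bytearray()
    while True:
        # Read at most one byte past the limit, never an unbounded amount.
        chunk = stream.read(min(65536, max_bytes + 1 - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise BodyTooLarge(f"body exceeds limit of {max_bytes} bytes")
    return bytes(buf)


def handle_publish(headers, stream, max_bytes=MAX_BODY_BYTES):
    """Minimal publish endpoint returning (status, reason).

    The unbounded variant this replaces is `body = stream.read()`, which
    lets an authenticated client grow the broker's memory with one request."""
    try:
        body = read_body_limited(stream, headers, max_bytes)
    except BodyTooLarge:
        return 413, "payload too large"
    except ValueError:
        return 400, "bad request"
    try:
        msg = json.loads(body)
    except ValueError:
        return 400, "invalid json"
    if not isinstance(msg, dict) or "payload" not in msg:
        return 400, "missing payload"
    # A real endpoint would route msg["payload"] here.
    return 200, "routed"


def simulate(raw, declared=None, max_bytes=MAX_BODY_BYTES):
    """Feed a constructed request (raw body bytes plus an optional declared
    Content-Length, which may deliberately disagree with the body) through
    handle_publish and return its (status, reason)."""
    headers = {} if declared is None else {"content-length": str(declared)}
    return handle_publish(headers, io.BytesIO(raw), max_bytes)


if __name__ == "__main__":
    print(simulate(b'{"payload":"hi"}', declared=16, max_bytes=1024))
    print(simulate(b"x", declared=10_000_000, max_bytes=1024))   # rejected unread
    print(simulate(b"x" * 2048, declared=5, max_bytes=1024))      # lying length
    print(simulate(b"x" * 2048, max_bytes=1024))                  # no length
```

Returning 413 rather than closing the connection keeps the failure visible in access logs, which is the signal a defender would alert on if many such rejections arrive from one credential.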

