Source: rabbitmq-server
Version: 3.10.8-3
Severity: normal

Dear Maintainer,

The postinst script will overwrite the `/var/lib/rabbitmq/.erlang.cookie`
file if it contains exactly 20 uppercase characters.

```
if grep -q -E '^[A-Z]{20}$' /var/lib/rabbitmq/.erlang.cookie ; then
    OLD_UMASK=$(umask)
    umask 077; openssl rand -base64 -out /var/lib/rabbitmq/.erlang.cookie 42
    umask ${OLD_UMASK}
    if [ ""$(ps --no-headers -o comm 1) = "systemd" ] ; then
        if systemctl is-active --quiet rabbitmq-server.service ; then
            systemctl restart rabbitmq-server.service
        fi
    fi
fi
```

The rabbitmq-server service failed to start on one of our nodes in our
cluster after the package was upgraded, as the nodes in our cluster
happen to share a .erlang.cookie that matches this condition.

This is a dangerous approach which the package should not enforce. If a
cookie of 20 uppercase characters is seen as insecure, then the package
should instead inform the user of it and not simply overwrite the file.

This bug report was requested by the Ubuntu package maintainers when
I filed a bug report on their tracker [1], as they use this source
package as their upstream.

[1] https://bugs.launchpad.net/ubuntu/+source/rabbitmq-server/+bug/2044248
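
The following is an added illustration, not part of the report above and not code from the Debian or Ubuntu package. It reproduces the postinst condition (a line of exactly 20 uppercase ASCII letters, which is also the shape of the cookie the Erlang runtime generates when none exists) against constructed cookie files, shows the non-destructive warn-only alternative the report asks for, and walks through why replacing the cookie on a single node breaks a cluster whose other nodes keep the old value. The `openssl rand` step is stood in for by a fixed constructed value so the script runs offline; all file contents and function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the bug report or of the Debian/Ubuntu package.
# Reproduces the postinst condition against constructed cookie files and
# shows the two points the report makes: which cookies trigger the rewrite,
# and why rewriting the cookie on one node alone breaks a cluster.

# The exact test from the postinst: the file contains a line of exactly
# 20 uppercase ASCII letters. Exit 0 means the postinst would replace it.
cookie_would_be_overwritten() {
    grep -q -E '^[A-Z]{20}$' "$1"
}

# Write a constructed cookie value to a temporary file; print the path.
make_cookie_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# What the report asks for instead of an overwrite: report the finding and
# leave the file alone. Prints "weak" or "ok"; always exits 0 so callers can
# capture the verdict. (Illustrative; this is not the shipped postinst logic.)
classify_cookie() {
    if cookie_would_be_overwritten "$1"; then
        echo weak
    else
        echo ok
    fi
}

# Cluster consistency: every node's cookie must be byte-identical, otherwise
# Erlang distribution refuses the connection. Prints "same" or "differ".
cookies_agree() {
    first=$1
    shift
    for other in "$@"; do
        if ! cmp -s "$first" "$other"; then
            echo differ
            return 0
        fi
    done
    echo same
}

# Walk the scenario from the report with three constructed nodes that share
# a 20-uppercase-letter cookie; prints "<before> <after>".
demo_cluster() {
    shared=ABCDEFGHIJKLMNOPQRST            # constructed; matches ^[A-Z]{20}$
    n1=$(make_cookie_file "$shared")
    n2=$(make_cookie_file "$shared")
    n3=$(make_cookie_file "$shared")

    before=$(cookies_agree "$n1" "$n2" "$n3")   # "same"

    # Upgrade node 1 only: the postinst sees a matching cookie and replaces
    # it. A fixed constructed value stands in for `openssl rand -base64 42`.
    if cookie_would_be_overwritten "$n1"; then
        printf '%s\n' 'constructed-replacement-cookie-value' > "$n1"
    fi

    after=$(cookies_agree "$n1" "$n2" "$n3")    # "differ": node 1 cannot rejoin
    rm -f "$n1" "$n2" "$n3"
    printf '%s %s\n' "$before" "$after"
}
```

Running `demo_cluster` prints `same differ`: the nodes agree before the upgrade and disagree afterwards, which is the state in which the upgraded node's rabbitmq-server can no longer talk to its peers. Note that the check is a plain `grep` over the whole file, so a cookie of 19 or 21 letters, or one containing a single lowercase character, is left untouched; only the exact 20-uppercase shape is rewritten.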
