Source: rabbitmq-server
Version: 3.10.8-3
Severity: normal

Dear Maintainer,
The postinst script will overwrite the `/var/lib/rabbitmq/.erlang.cookie` file if it contains exactly 20 uppercase characters:

```
# Regenerate the cookie when it is exactly 20 uppercase letters
if grep -q -E '^[A-Z]{20}$' /var/lib/rabbitmq/.erlang.cookie ; then
    OLD_UMASK=$(umask)
    umask 077
    openssl rand -base64 -out /var/lib/rabbitmq/.erlang.cookie 42
    umask ${OLD_UMASK}
    # Restart the service if running under systemd and currently active
    if [ ""$(ps --no-headers -o comm 1) = "systemd" ] ; then
        if systemctl is-active --quiet rabbitmq-server.service ; then
            systemctl restart rabbitmq-server.service
        fi
    fi
fi
```

The rabbitmq-server service failed to start on one of our nodes in our cluster after the package was upgraded, as the nodes in our cluster happen to share a .erlang.cookie that matches this condition.

This is a dangerous approach which the package should not enforce. If a 20-uppercase-character cookie is seen as insecure, then the package should instead inform the user of it and not simply overwrite the file.

This bug report was requested by the Ubuntu package maintainers when I filed a bug report on their tracker [1], as they use this source package as their upstream.

[1] https://bugs.launchpad.net/ubuntu/+source/rabbitmq-server/+bug/2044248
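As an added illustration of the "inform, don't overwrite" alternative described above (example code written for this report, not the Debian package's postinst), the following POSIX sh classifies the cookie with the same `^[A-Z]{20}$` test the postinst uses, prints an advisory instead of touching the file, and leaves rotation as an explicit operator action. The function names and the `COOKIE_DEFAULT` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the rabbitmq-server package's postinst: classify the
# Erlang cookie and warn instead of overwriting it, so a cluster's shared
# cookie is never silently changed on one node during an upgrade.

COOKIE_DEFAULT=/var/lib/rabbitmq/.erlang.cookie

# Print one of: missing, legacy (exactly 20 uppercase ASCII letters, the
# pattern the postinst targets), other.
cookie_status() {
    f="${1:-$COOKIE_DEFAULT}"
    if [ ! -f "$f" ]; then
        echo missing
    elif grep -q -E '^[A-Z]{20}$' "$f"; then
        echo legacy
    else
        echo other
    fi
}

# Advisory-only replacement for the overwrite: tell the administrator and
# never modify the file. Always returns 0 so a configure step would not fail.
warn_if_legacy_cookie() {
    f="${1:-$COOKIE_DEFAULT}"
    if [ "$(cookie_status "$f")" = legacy ]; then
        echo "rabbitmq-server: $f uses the legacy 20-uppercase-letter format." >&2
        echo "rabbitmq-server: all nodes of a cluster must share one cookie;" >&2
        echo "rabbitmq-server: rotate it on every node at the same time, e.g." >&2
        echo "  (umask 077; openssl rand -base64 -out $f 42)" >&2
    fi
    return 0
}

# Explicit, operator-driven rotation (the action the postinst took on its own).
# The subshell scopes umask 077 so it cannot leak into the caller.
rotate_cookie() {
    f="${1:-$COOKIE_DEFAULT}"
    (umask 077; openssl rand -base64 -out "$f" 42)
}
```

Running `warn_if_legacy_cookie` from a maintainer script would surface the condition on every node at upgrade time without breaking cluster membership; `rotate_cookie` is then something the operator runs on all nodes together, followed by a coordinated restart.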