Hi Thomas,

On Sat, Jan 01, 2022 at 06:57:42PM +0100, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> Hi,
>
> I'd like to update rabbitmq-server to address:
> https://bugs.debian.org/990524
>
> That's CVE-2021-32718, CVE-2021-32719.
Can you please include the fix as well for CVE-2021-22116? > > [ Impact ] > XSS security bugs. > > [ Risks ] > The patch only impacts some plugins which aren't activated > by default, so most user aren't even impacted. However, the > patches are also super-small, so why not approved them? > > [ Checklist ] > [x] *all* changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in (old)stable > [x] the issue is verified as fixed in unstable > > Cheers, > > Thomas Goirand (zigo) > diff -Nru rabbitmq-server-3.8.9/debian/changelog > rabbitmq-server-3.8.9/debian/changelog > --- rabbitmq-server-3.8.9/debian/changelog 2021-04-10 22:59:57.000000000 > +0200 > +++ rabbitmq-server-3.8.9/debian/changelog 2022-01-01 18:46:04.000000000 > +0100 
> @@ -1,3 +1,23 @@ > +rabbitmq-server (3.8.9-3+deb11u1) bullseye; urgency=medium > + > + * CVE-2021-32719: In rabbitmq-server prior to version 3.8.18, when a > + federation link was displayed in the RabbitMQ management UI via the > + `rabbitmq_federation_management` plugin, its consumer tag was rendered > + without proper <script> tag sanitization. This potentially allows > + for JavaScript code execution in the context of the page. The user must > + be signed in and have elevated permissions (manage federation upstreams > + and policies) for this to occur. Applied upstream patch: Escape the > + consumer-tag value in federation mgmt. > + * CVE-2021-32718: In rabbitmq-server prior to version 3.8.17, a new user > + being added via management UI could lead to the user's bane being > + rendered in a confirmation message without proper `<script>` tag > + sanitization, potentially allowing for JavaScript code execution in the > + context of the page. In order for this to occur, the user must be signed > + in and have elevated permissions (other user management). > + * Closes: #990524 > + > + -- Thomas Goirand <z...@debian.org> Sat, 01 Jan 2022 18:46:04 +0100 > + > rabbitmq-server (3.8.9-3) unstable; urgency=medium > > [ Adam Cecile ] > diff -Nru > rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch > > rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch > --- > rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch > 2022-01-01 18:46:04.000000000 +0100 
> @@ -0,0 +1,21 @@ > +Description: CVE-2021-32718: Escape username before displaying it > + All other values displayed in pop-ups are already escaped. > +Author: Michael Klishin <mich...@clojurewerkz.org> > +Date: Thu, 6 May 2021 06:57:43 +0300 > +Origin: upstream, > https://github.com/rabbitmq/rabbitmq-server/commit/5d15ffc5ebfd9818fae488fc05d1f120ab02703c.patch > +Bug-Debian: https://bugs.debian.org/990524 > +Last-Update: 2022-01-01 > + > +diff --git a/deps/rabbitmq_management/priv/www/js/dispatcher.js > b/deps/rabbitmq_management/priv/www/js/dispatcher.js > +index d2842c2da8a..5f1b54dbac8 100644 > +--- a/deps/rabbitmq_management/priv/www/js/dispatcher.js > ++++ b/deps/rabbitmq_management/priv/www/js/dispatcher.js > +@@ -189,7 +189,7 @@ dispatcher_add(function(sammy) { > + res = sync_put(this, '/users/:username'); > + if (res) { > + if (res.http_status === 204) { > +- username = res.req_params.username; > ++ username = fmt_escape_html(res.req_params.username); > + show_popup('warn', "Updated an existing user: '" + > username + "'"); > + } > + update(); > diff -Nru > rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch > > rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch > --- > rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch > 2022-01-01 18:46:04.000000000 +0100 
> @@ -0,0 +1,21 @@ > +Description: CVE-2021-32719 Escape the consumer-tag value in federation mgmt > + Patches persistent XSS. > +Author: Patrik Ragnarsson <pat...@starkast.net> > +Date: Sat, 19 Jun 2021 09:23:12 +0200 > +Origin: upstream, https://github.com/rabbitmq/rabbitmq-server/pull/3122 > +Bug-Debian: https://bugs.debian.org/990524 > +Last-Update: 2021-01-01 > + > +diff --git > a/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs > > b/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs > +index 5b3e14d0638..838eac1eb3b 100644 > +--- > a/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs > ++++ > b/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs > +@@ -45,7 +45,7 @@ > + <td class="r"><%= fmt_time(upstream.value['message-ttl'], 'ms') %></td> > + <td class="r"><%= fmt_string(upstream.value['ha-policy']) %></td> > + <td class="r"><%= fmt_string(upstream.value['queue']) %></td> > +- <td class="r"><%= upstream.value['consumer-tag'] %></td> > ++ <td class="r"><%= fmt_string(upstream.value['consumer-tag']) %></td> > + </tr> > + <% } %> > + </tbody> > diff -Nru rabbitmq-server-3.8.9/debian/patches/series > rabbitmq-server-3.8.9/debian/patches/series > --- rabbitmq-server-3.8.9/debian/patches/series 2021-04-10 > 22:59:57.000000000 +0200 > +++ rabbitmq-server-3.8.9/debian/patches/series 2022-01-01 > 18:46:04.000000000 +0100 > @@ -1,3 +1,4 @@ > lets-use-python3-not-python-binary.patch > rabbitmq-dist.mk.patch > Upstream_PR2965_fixing_rabbitmqctl_parsing > +CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch Isn't here adding the patch CVE-2021-32718_Escape_username_before_displaying_it.patch missing in the patches/series? Regards, Salvatore
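Review bot: the CVE-2021-32718 changelog entry has a typo, "the user's bane being rendered" should read "the user's name being rendered"; worth fixing before upload, since this text is what ends up in the security tracker and apt-listchanges. The entry otherwise matches the patch it describes (the username is passed through fmt_escape_html before being placed in the confirmation popup).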
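Review bot: the CVE-2021-32718 hunk escapes `username` only in the `res.http_status === 204` branch, i.e. the "Updated an existing user" message, which is the only branch visible in the context, whereas the changelog text describes the bug as triggered when a new user is added. Please confirm that the upstream commit referenced in Origin (5d15ffc5ebfd9818fae488fc05d1f120ab02703c) contains no further hunk for the creation path, or carry that hunk over as well, so the backport is the complete fix and not just the update-message half of it.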
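Review bot: the DEP-3 header of the CVE-2021-32719 patch says `Last-Update: 2021-01-01`, which predates the upstream Date (Sat, 19 Jun 2021) and disagrees with the `Last-Update: 2022-01-01` in the sibling CVE-2021-32718 patch and with the file timestamps in the debdiff; this looks like a typo for 2022-01-01. The code change itself is consistent with the description: the consumer-tag cell now goes through fmt_string like the neighbouring ha-policy and queue cells in the same template.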