Hi Thomas,

On Sat, Jan 01, 2022 at 06:57:42PM +0100, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian....@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> Hi,
> 
> I'd like to update rabbitmq-server to address:
> https://bugs.debian.org/990524
> 
> That's CVE-2021-32718, CVE-2021-32719.

Can you please include the fix as well for CVE-2021-22116?

> 
> [ Impact ]
> XSS security bugs.
> 
> [ Risks ]
> The patch only impacts some plugins which aren't activated
> by default, so most users aren't even impacted. However, the
> patches are also super-small, so why not approve them?
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> Cheers,
> 
> Thomas Goirand (zigo)

> diff -Nru rabbitmq-server-3.8.9/debian/changelog 
> rabbitmq-server-3.8.9/debian/changelog
> --- rabbitmq-server-3.8.9/debian/changelog    2021-04-10 22:59:57.000000000 
> +0200
> +++ rabbitmq-server-3.8.9/debian/changelog    2022-01-01 18:46:04.000000000 
> +0100
> @@ -1,3 +1,23 @@
> +rabbitmq-server (3.8.9-3+deb11u1) bullseye; urgency=medium
> +
> +  * CVE-2021-32719: In rabbitmq-server prior to version 3.8.18, when a
> +    federation link was displayed in the RabbitMQ management UI via the
> +    `rabbitmq_federation_management` plugin, its consumer tag was rendered
> +    without proper <script> tag sanitization. This potentially allows
> +    for JavaScript code execution in the context of the page. The user must
> +    be signed in and have elevated permissions (manage federation upstreams
> +    and policies) for this to occur. Applied upstream patch: Escape the
> +    consumer-tag value in federation mgmt.
> +  * CVE-2021-32718: In rabbitmq-server prior to version 3.8.17, a new user
> +    being added via management UI could lead to the user's bane being
> +    rendered in a confirmation message without proper `<script>` tag
> +    sanitization, potentially allowing for JavaScript code execution in the
> +    context of the page. In order for this to occur, the user must be signed
> +    in and have elevated permissions (other user management).
> +  * Closes: #990524
> +
> + -- Thomas Goirand <z...@debian.org>  Sat, 01 Jan 2022 18:46:04 +0100
> +
>  rabbitmq-server (3.8.9-3) unstable; urgency=medium
>  
>    [ Adam Cecile ]
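Review bot: typo in the CVE-2021-32718 entry: "the user's bane being rendered" should read "the user's name being rendered". For consistency with the CVE-2021-32719 entry, which ends with "Applied upstream patch: Escape the consumer-tag value in federation mgmt.", the CVE-2021-32718 entry could also name the patch it applies, e.g. "Applied upstream patch: Escape username before displaying it."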
> diff -Nru 
> rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch
>  
> rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch
> --- 
> rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch
>     1970-01-01 01:00:00.000000000 +0100
> +++ 
> rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch
>     2022-01-01 18:46:04.000000000 +0100
> @@ -0,0 +1,21 @@
> +Description: CVE-2021-32718: Escape username before displaying it
> + All other values displayed in pop-ups are already escaped.
> +Author: Michael Klishin <mich...@clojurewerkz.org>
> +Date: Thu, 6 May 2021 06:57:43 +0300
> +Origin: upstream, 
> https://github.com/rabbitmq/rabbitmq-server/commit/5d15ffc5ebfd9818fae488fc05d1f120ab02703c.patch
> +Bug-Debian: https://bugs.debian.org/990524
> +Last-Update: 2022-01-01
> +
> +diff --git a/deps/rabbitmq_management/priv/www/js/dispatcher.js 
> b/deps/rabbitmq_management/priv/www/js/dispatcher.js
> +index d2842c2da8a..5f1b54dbac8 100644
> +--- a/deps/rabbitmq_management/priv/www/js/dispatcher.js
> ++++ b/deps/rabbitmq_management/priv/www/js/dispatcher.js
> +@@ -189,7 +189,7 @@ dispatcher_add(function(sammy) {
> +             res = sync_put(this, '/users/:username');
> +             if (res) {
> +                 if (res.http_status === 204) {
> +-                    username = res.req_params.username;
> ++                    username = fmt_escape_html(res.req_params.username);
> +                     show_popup('warn', "Updated an existing user: '" + 
> username + "'");
> +                 }
> +                 update();
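Review bot: as quoted in the mail, the DEP-3 `Origin:` URL and the `show_popup('warn', "Updated an existing user: '" + username + "'");` line are each wrapped across two lines, so this debdiff will not apply as pasted; review it from the attached file. The change itself is at the right place: `username` is passed through `fmt_escape_html()` before it is concatenated into the popup's HTML string, and the raw `res.req_params.username` is no longer used there, which matches the header's note that the other pop-up values are already escaped.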
> diff -Nru 
> rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
>  
> rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
> --- 
> rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
>         1970-01-01 01:00:00.000000000 +0100
> +++ 
> rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
>         2022-01-01 18:46:04.000000000 +0100
> @@ -0,0 +1,21 @@
> +Description: CVE-2021-32719 Escape the consumer-tag value in federation mgmt
> + Patches persistent XSS.
> +Author: Patrik Ragnarsson <pat...@starkast.net>
> +Date: Sat, 19 Jun 2021 09:23:12 +0200
> +Origin: upstream, https://github.com/rabbitmq/rabbitmq-server/pull/3122
> +Bug-Debian: https://bugs.debian.org/990524
> +Last-Update: 2021-01-01
> +
> +diff --git 
> a/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
>  
> b/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
> +index 5b3e14d0638..838eac1eb3b 100644
> +--- 
> a/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
> ++++ 
> b/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
> +@@ -45,7 +45,7 @@
> +      <td class="r"><%= fmt_time(upstream.value['message-ttl'], 'ms') %></td>
> +      <td class="r"><%= fmt_string(upstream.value['ha-policy']) %></td>
> +      <td class="r"><%= fmt_string(upstream.value['queue']) %></td>
> +-     <td class="r"><%= upstream.value['consumer-tag'] %></td>
> ++     <td class="r"><%= fmt_string(upstream.value['consumer-tag']) %></td>
> +    </tr>
> + <% } %>
> +  </tbody>
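Review bot: `Last-Update: 2021-01-01` in the DEP-3 header is earlier than the upstream `Date: Sat, 19 Jun 2021` and than the changelog date of 2022-01-01, so it looks like a year typo; the sibling CVE-2021-32718 patch header uses `Last-Update: 2022-01-01`, and the same value belongs here. The fix itself is consistent with its surroundings: `consumer-tag` now goes through `fmt_string()` like the adjacent `ha-policy` and `queue` cells instead of being emitted raw via `<%= %>`.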
> diff -Nru rabbitmq-server-3.8.9/debian/patches/series 
> rabbitmq-server-3.8.9/debian/patches/series
> --- rabbitmq-server-3.8.9/debian/patches/series       2021-04-10 
> 22:59:57.000000000 +0200
> +++ rabbitmq-server-3.8.9/debian/patches/series       2022-01-01 
> 18:46:04.000000000 +0100
> @@ -1,3 +1,4 @@
>  lets-use-python3-not-python-binary.patch
>  rabbitmq-dist.mk.patch
>  Upstream_PR2965_fixing_rabbitmqctl_parsing
> +CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
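Review bot: only `CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch` is appended to `debian/patches/series`; `CVE-2021-32718_Escape_username_before_displaying_it.patch` is added under debian/patches and described in the changelog but is not listed here, so it will not be applied at build time and the package would still ship the unescaped username popup. Add a line `+CVE-2021-32718_Escape_username_before_displaying_it.patch` to this hunk.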

Isn't the addition of the patch
CVE-2021-32718_Escape_username_before_displaying_it.patch to
debian/patches/series missing here?

Regards,
Salvatore
