Hi Justin,

Always good to see another Australian using Koha!

I think you're right. I don't think this is relevant for RabbitMQ. That said, 
it looks like Ubuntu pushed out a security release for RabbitMQ on 27 March 
2025 for a different CVE. 

If you're using Debian/Ubuntu and have unattended upgrades on or frequently 
update your server, then you'll generally be fine. 

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899

-----Original Message-----
Message: 1
Date: Mon, 28 Apr 2025 11:11:30 +1000
From: Justin Dowswell <[email protected]>
To: [email protected]
Subject: [Koha] Erlang/OTP SSH (CVE-2025-32433) - is rabbitmq-server affected?
Message-ID: <CAGzh+UNnq-_Bs3r=5F=HjbcjtATTY2=+rcfywmxu9zhau-6...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hey everyone,

Been flagged by my VPS provider that our Koha instance may be affected by this 
vulnerability. It seems rabbitmq-server has some OTP dependencies, though not 
the erlang-ssh package.

Here is the official advisory:
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

On my Koha instance these erlang packages are installed:
erlang-asn1
erlang-base
erlang-crypto
erlang-eldap
erlang-ftp
erlang-inets
erlang-mnesia
erlang-os-mon
erlang-parsetools
erlang-public-key
erlang-runtime-tools
erlang-snmp
erlang-ssl
erlang-syntax-tools
erlang-tftp
erlang-tools
erlang-xmerl

So to me it looks like this flag is a false positive, but thought best to reach 
out here.

Thanks in advance,

Justin Dowswell (he/him)
Technology Coordinator
Tenants' Union of NSW
02 8117 3721

_______________________________________________

Koha mailing list  http://koha-community.org
[email protected]
Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
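As an added check (not code from either message in this thread), the POSIX shell snippet below applies the reasoning used above: the advisory concerns the OTP SSH application, so on a Debian/Ubuntu host it can only matter if the erlang-ssh package is actually installed. The dpkg status text embedded here is constructed to match the posted package list; the dpkg-query command in the comment is the real one to run on a host.

```shell
#!/bin/sh
# Added example: decide whether the Erlang/OTP SSH advisory can apply to a
# Debian/Ubuntu host by checking whether the erlang-ssh package is installed.
# rabbitmq-server pulls in other OTP packages but not the SSH application, so
# if erlang-ssh is absent the affected code is not on the box at all.

# Constructed sample of the output of:
#   dpkg-query -W -f '${Package} ${Status}\n' 'erlang-*' rabbitmq-server
# It mirrors the list posted in the thread and adds one erlang-ssh entry that
# was removed but still has config files left behind (status "config-files"),
# which must NOT count as installed.
SAMPLE_DPKG='erlang-asn1 install ok installed
erlang-base install ok installed
erlang-crypto install ok installed
erlang-public-key install ok installed
erlang-ssh deinstall ok config-files
erlang-ssl install ok installed
erlang-xmerl install ok installed
rabbitmq-server install ok installed'

# erlang_ssh_installed DPKG_OUTPUT
# Exit status 0 if erlang-ssh is present with dpkg status "installed",
# 1 otherwise (absent, or removed with only config files remaining).
erlang_ssh_installed() {
    printf '%s\n' "$1" | awk '
        $1 == "erlang-ssh" && $NF == "installed" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# otp_ssh_exposure DPKG_OUTPUT
# Prints "installed" when the OTP SSH application is on the host (the
# advisory may apply; check the OTP version against the vendor fix), or
# "not-installed" when the advisory cannot apply to this host.
otp_ssh_exposure() {
    if erlang_ssh_installed "$1"; then
        echo installed
    else
        echo not-installed
    fi
}

# Stand-alone run against the constructed sample.
otp_ssh_exposure "$SAMPLE_DPKG"
```

Replace the embedded sample with the live dpkg-query output to triage a real host; the result only says whether the SSH application is present, not which OTP version is installed.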