Bug#773140: unblock: rabbitmq-server/3.3.5-1.1

2014-12-16 Thread Blair Hester

 rabbitmq-server maintainers, are there any other RC bugs that you're
 planning to file on the package?

No other RC bugs. I submitted
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773259, which I hope
has an appropriate severity of important. 
I've asked a couple developers their opinion on whether rabbitmq-server
attempting to use SSLv3 [1] would be a bug. Rabbit's method to verify
SSLv3 is disabled [2] uses s_client with the -ssl3 option which no
longer works [3]. I believe this is a non-issue since SSLv3 is disabled
in Jessie [4], but I would appreciate a confirmation.

I apologize for the late bugs and 3.4.1-1 debacle, I had some terrible
misunderstandings.

-Blair

1. https://groups.google.com/forum/#!topic/rabbitmq-users/jk45xOPqeGY
2. https://gist.github.com/michaelklishin/3f47bae850bdd9f1a79a
3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766297
4. https://lists.debian.org/debian-release/2014/11/msg00690.html


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
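
Editor's added example for the SSLv3 verification point above (not code from the bug report, from RabbitMQ or from Debian): a probe that separates "the server refused SSLv3" from "this client cannot offer SSLv3 at all". The second case is what `openssl s_client -ssl3` degrades into once the local OpenSSL is built without SSLv3, and it says nothing about the server. The port number 5671 is an assumption (the conventional AMQPS port).

```python
"""Added example, not code from the bug report or RabbitMQ: probe a TLS
listener for SSLv3 while separating "the server refused SSLv3" from "this
client cannot even offer SSLv3", which is what `openssl s_client -ssl3`
silently turns into once the local OpenSSL is built without SSLv3."""
import socket
import ssl
from typing import Optional


def local_can_speak_sslv3() -> bool:
    # ssl.HAS_SSLv3 reports whether the linked OpenSSL was built with SSLv3.
    return ssl.HAS_SSLv3


def classify(has_sslv3: bool, handshake_error: Optional[BaseException]) -> str:
    """Turn the probe conditions into a verdict. A client that cannot speak
    SSLv3 proves nothing about the server, so that case is 'inconclusive'
    rather than 'disabled'."""
    if not has_sslv3:
        return "inconclusive"
    if handshake_error is None:
        return "sslv3-accepted"
    return "sslv3-rejected"


def probe_sslv3(host: str, port: int = 5671, timeout: float = 5.0) -> str:
    """Attempt an SSLv3-only handshake with host:port (5671 is the usual
    AMQPS port, an assumption here) and return a classify() verdict, or
    'unreachable' if the TCP connect itself fails."""
    if not local_can_speak_sslv3():
        return classify(False, None)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE             # testing protocol support, not identity
    ctx.options &= ~ssl.OP_NO_SSLv3             # undo the default "never SSLv3" option
    ctx.minimum_version = ssl.TLSVersion.SSLv3  # pin both ends of the range to SSLv3
    ctx.maximum_version = ssl.TLSVersion.SSLv3
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return classify(True, None)
        except (ssl.SSLError, OSError) as exc:  # alert, reset or EOF during the handshake
            return classify(True, exc)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, probe_sslv3(target))
```

On a jessie-era or any current OpenSSL build the probe returns "inconclusive" without touching the network, which is the honest answer; a genuine "SSLv3 disabled" verdict needs a client that can still speak it.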



Bug#773259: XSS and response-splitting bugs in management plugin

2014-12-15 Thread Blair Hester
Package: rabbitmq-server
Version: 3.3.5-1
Severity: important


RabbitMQ 3.4.1 fixes a couple of bugs in the management plugin that may
have security implications. These can probably be considered less severe
than the bug described here:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
(which was fixed in 3.4.0).

From the release notes:

26437 prevent /api/* from returning text/html error messages which could
act as an XSS vector (since 2.1.0)

26433 fix response-splitting vulnerability in /api/downloads (since 2.1.0)

Bug 26437 allowed an attacker to create a URL to /api/... which would
provoke an internal server error, resulting in the server returning an
html page with text from the URL embedded and not escaped. This was
fixed by ensuring all URLs below /api/ only ever return responses with a
content type of application/json, even in the case of an internal server
error.

Bug 26433 allowed an attacker to specify a URL to /api/definitions which
would cause an arbitrary additional header to be returned. This was
fixed by stripping out CR/LF from the download query string parameter.

Above text from:
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs


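
Editor's added example for the two defects described in this report (not RabbitMQ's code): each pattern as a minimal handler beside the fixed form the report describes, plus a naive HTTP/1.1 serializer and a client-side header parser so the response-splitting effect is visible. The paths, the "download" parameter value and the injected Set-Cookie header are constructed for the demonstration.

```python
"""Added example, not RabbitMQ's code: the two management-plugin defects
described in the report, each as a minimal handler beside its fixed form,
plus a wire-level serializer and client-side header parser to make the
response-splitting effect visible. Paths, parameter names and the injected
Set-Cookie header are constructed for the demonstration."""
import json
from http import HTTPStatus
from typing import List, Tuple

# (status code, header list, body)
Response = Tuple[int, List[Tuple[str, str]], bytes]


def error_page_vulnerable(path: str) -> Response:
    """Bug 26437 pattern: a 500 handler renders the request path into HTML
    without escaping, and the text/html content type makes the browser run it."""
    body = (f"<html><body><h1>Internal Server Error</h1>"
            f"<p>while handling {path}</p></body></html>")
    return 500, [("Content-Type", "text/html")], body.encode()


def error_page_fixed(path: str) -> Response:
    """Fix as described: every /api/ response, errors included, is JSON.
    json.dumps escapes the quotes and browsers do not render JSON as markup."""
    body = json.dumps({"error": HTTPStatus(500).phrase, "path": path})
    return 500, [("Content-Type", "application/json")], body.encode()


def download_vulnerable(download: str, definitions: bytes) -> Response:
    """Bug 26433 pattern: the 'download' query parameter lands verbatim in a header."""
    headers = [("Content-Type", "application/json"),
               ("Content-Disposition", f"attachment; filename={download}")]
    return 200, headers, definitions


def strip_crlf(value: str) -> str:
    """The fix the report describes: drop CR and LF so the value cannot end the header line."""
    return value.replace("\r", "").replace("\n", "")


def download_fixed(download: str, definitions: bytes) -> Response:
    headers = [("Content-Type", "application/json"),
               ("Content-Disposition", f"attachment; filename={strip_crlf(download)}")]
    return 200, headers, definitions


def serialize(resp: Response) -> bytes:
    """Write the response as HTTP/1.1 bytes the way a naive server would,
    trusting that header values contain no line breaks."""
    status, headers, body = resp
    lines = [f"HTTP/1.1 {status} {HTTPStatus(status).phrase}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def header_names_seen_by_client(wire: bytes) -> List[str]:
    """Parse the header block as a client does: every CRLF-delimited line after
    the status line is its own header, whatever the server intended."""
    head, _, _ = wire.partition(b"\r\n\r\n")
    names = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.decode())
    return names


def content_type(resp: Response) -> str:
    return dict(resp[1])["Content-Type"]


def error_path(resp: Response) -> str:
    """Read the path back out of a JSON error body (used to show it round-trips intact)."""
    return json.loads(resp[2])["path"]
```

The JSON fix works because the content type, not escaping, is what stops the browser from interpreting the echoed path; the CR/LF fix works because the client parser above (like every real one) has no way to tell an injected line from a server-intended one once the bytes are on the wire.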



Bug#773134: rabbitmq_management incorrectly trusts 'X-Forwarded-For' header

2014-12-14 Thread Blair Hester
Package: rabbitmq-server
Version: 3.3.5-1
Severity: serious


RabbitMQ 3.3.0 introduced a mechanism (the 'loopback_users'
configuration item) allowing access for some users to be restricted to
only connect via localhost. By default the guest user is restricted in
this way.

Unfortunately, the HTTP framework used by the management plugin trusts
the easily-forged 'X-Forwarded-For' header when determining the remote
address. It is therefore possible to subvert this access control
mechanism for the HTTP API. Attackers would still need to know or guess
the username and password.

Above text was taken from:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM


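
Editor's added example for the access-control bypass in this report (not RabbitMQ's code): how preferring X-Forwarded-For over the socket peer lets a remote client pose as localhost, beside the fix of using the TCP peer address unless the request demonstrably arrived through a reverse proxy you configured. The loopback user list, the trusted-proxy list, the request shape and all addresses are assumptions; as the report says, the attacker still needs a valid username and password, which the login step here takes as given.

```python
"""Added example, not RabbitMQ's code: trusting X-Forwarded-For lets a remote
client pose as localhost and slip past a loopback-only user restriction. The
fixed variant uses the TCP peer address unless the peer is a configured proxy.
Loopback users, proxy list, request shape and addresses are all assumptions."""
import ipaddress
from typing import Dict, FrozenSet

# Mirrors the default the report describes: guest may only log in from localhost.
LOOPBACK_USERS: FrozenSet[str] = frozenset({"guest"})


def remote_addr_vulnerable(peer: str, headers: Dict[str, str]) -> str:
    """The defective pattern: a client-supplied header outranks the socket's peer address."""
    xff = headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return peer


def remote_addr_fixed(peer: str, headers: Dict[str, str],
                      trusted_proxies: FrozenSet[str] = frozenset()) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a proxy we operate, and
    then take the address that proxy appended (the last element), because any
    earlier elements may have been supplied by the client itself."""
    xff = headers.get("x-forwarded-for")
    if xff and peer in trusted_proxies:
        return xff.split(",")[-1].strip()
    return peer


def loopback_check(user: str, remote_addr: str,
                   loopback_users: FrozenSet[str] = LOOPBACK_USERS) -> bool:
    """The extra step loopback_users adds: restricted users must arrive from a
    loopback address (127.0.0.0/8 or ::1). Unparseable addresses fail closed."""
    if user not in loopback_users:
        return True
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def can_login(user: str, peer: str, headers: Dict[str, str], *, fixed: bool,
              trusted_proxies: FrozenSet[str] = frozenset()) -> bool:
    """Decision for one HTTP API request, after credentials have already been
    verified, using either the vulnerable or the fixed address logic."""
    normalised = {name.lower(): value for name, value in headers.items()}
    if fixed:
        addr = remote_addr_fixed(peer, normalised, trusted_proxies)
    else:
        addr = remote_addr_vulnerable(peer, normalised)
    return loopback_check(user, addr)
```

Note the fixed logic takes the last element of X-Forwarded-For, not the first: a proxy appends the address it saw, so anything before that position may be attacker-supplied even when the request really did come through a trusted proxy.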



Bug#753475: (no subject)

2014-07-15 Thread Blair Hester
Hello,

Thanks for logging this bug.
This bug matches an existing bug in RabbitMQ's internal bugtracker.

Best Regards,
Blair

