[SECURITY] [DLA 2710-1] rabbitmq-server security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Debian LTS Advisory DLA-2710-1                     debian-...@lists.debian.org
https://www.debian.org/lts/security/                               Abhijith PA
July 19, 2021                                          https://wiki.debian.org/LTS

Package        : rabbitmq-server
Version        : 3.6.6-1+deb9u1
CVE ID         : CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 CVE-2019-11281
                 CVE-2019-11287 CVE-2021-22116

Several vulnerabilities were discovered in rabbitmq-server, message-broker software.

CVE-2017-4965

    Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.

CVE-2017-4966

    The RabbitMQ management UI stores signed-in user credentials in the browser's local storage without expiration, making it possible to retrieve them using a chained attack.

CVE-2017-4967

    Several forms in the RabbitMQ management UI are vulnerable to XSS attacks.

CVE-2019-11281

    The virtual host limits page and the federation management UI do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross-site scripting attack that would gain access to virtual hosts and policy management information.

CVE-2019-11287

    The "X-Reason" HTTP header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

CVE-2021-22116

    A malicious user can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance.

For Debian 9 stretch, these problems have been fixed in version 3.6.6-1+deb9u1.

We recommend that you upgrade your rabbitmq-server packages.

For the detailed security status of rabbitmq-server please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/rabbitmq-server

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmD1tJkACgkQhj1N8u2c
KO8lIg//f/LcL1AyTtnwyXh5MMCs7OfZ2U4oychwStzEnZ5D7LAoblb9g97Inw15
KYRQOD/CU/TxokDgMP8x5TzJNyq4/exJi5/Ergyx1TinBNP/6QJB5QeTYp94OZrL
l1nbI5xDDaNnyf1mnMJ04lk/sXAfMp19zeCIXy28SLSyVz0PivgOW+SARl5yEFpW
U6QGy4wzkiDAVdqo8JPxF7H4wTCZEJxgQcBMrIUSTGxsHW9CZh6IiOEyz7DziH3Y
YWYXFqZIkdJyQxWX6ukMysTLnb/fg6Fndt+cyXiHFvhjZH6IRu2LKXsVC6h3RJJh
8DTZgQS5Vy9g2wvuljiG5C8KQtijZ9vc1qMWELRnN7I1owcCRqUIUIxm9p/XfJLz
4p1ic9c8nMd55Gsi97SqEbSLKAR2Wkw2HePu8cmN48WCF2esB9xvyI2GSa7SHUov
FIX+DwNV4gnuzE+BnQGvhpTpL1Cwpwwtmhvp9lJmf5b2z00ltlGfzPG/4jy6KLK0
ce+5yaGWsUAVP0r0UU8jfFfNfp/VqbcD1ijB3Dr2VEEkKSipXuKuv61ceA42qTgl
X/cEOtZG8yW+jVU5ndFKnP/4AuQxqJWWPDeW2DzgeH4b6lzTjdZeh9g8Qu+kKju4
SkB0jkWEAm8Md3eYgrKB9cStN/uPZU7ni7Z/c0Xt1J/Jrv67GnM=
=rAJ1
-----END PGP SIGNATURE-----
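The advisory states the fix as a Debian version string, 3.6.6-1+deb9u1, and a host is only covered once its installed rabbitmq-server sorts at or above that version under dpkg's ordering (epoch, then upstream version, then Debian revision, with "~" sorting before everything). The following is an added example, not part of the advisory or of Debian's own tooling: a pure-Python re-implementation of dpkg's version comparison, so the "am I patched?" check can be run against inventory data on hosts that do not have dpkg. The sample version strings in the main block are constructed; the fixed version is the one given in DLA-2710-1.

```python
"""Check an installed Debian package version against a DLA's fixed version.

Added example: re-implements dpkg's version comparison in pure Python
(epoch, upstream version, Debian revision; '~' sorts before anything,
letters before other symbols, digit runs compared numerically).
"""

FIXED_VERSION = "3.6.6-1+deb9u1"  # fixed version stated in DLA-2710-1 for stretch


def _order(c):
    """Sort weight of one character in dpkg's non-digit comparison."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # tilde sorts before everything, even end of string
    return ord(c) + 256    # other symbols sort after letters


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character by character using _order();
        # an exhausted string behaves like the NUL terminator (weight 0).
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if first_diff == 0:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


def assess(installed, fixed=FIXED_VERSION):
    """Human-readable verdict for one installed version string."""
    return "fixed" if is_fixed(installed, fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions; on a real host obtain the installed one with:
    #   dpkg-query -W -f='${Version}\n' rabbitmq-server
    for v in ["3.6.6-1", "3.6.6-1+deb9u1", "3.6.6-1+deb9u2", "3.6.6-1~bpo9+1"]:
        print(f"{v:20} {assess(v)}")
```

The tilde rule matters for the two uploads further down this page: thunderbird 1:78.12.0-1~deb9u1 sorts below 1:78.12.0-1 (a backport that must not block the later upload), while rabbitmq-server 3.6.6-1+deb9u1 sorts above 3.6.6-1, so a host still on 3.6.6-1 is reported as vulnerable.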
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
hi,

if you reclaim packages which were unclaimed after 2 weeks of inactivity, please update the notes *properly*. Updating the date of a note entry stating 'WIP' is not helpful for anyone wanting to contribute, especially if it's WIP for two months or similar. Also if it's WIP for weeks it might very well be sensible to spend 15min updating the notes and bill that work, so please do.

(This is a general comment even though it was triggered by two actual commits. I have almost zero desire to discuss the specific cases here, I just wanted to make the general statement "please update the notes properly".)

Also, if you're waiting for weeks for a reply from upstream, state so, and repeat yourself ("20210719 still waiting for reply from upstream") and better yet, ping them; after two weeks that's fine for security issues I'd say. "20210719 still waiting for reply from upstream, so pinged them again, <$MSGID>"

Thanks.

--
cheers,
	Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

It's the end of the world as we know it - and I feel fine.
(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
hi,

today several packages were unclaimed for LTS:

- ffmpeg (Anton Gladky)
- nettle (Emilio)
- ruby-actionpack-page-caching (Markus Koschany)
- ruby-kaminari (Markus Koschany)
- runc (Abhijith PA)
- shiro (Roberto C. Sánchez)

and two for ELTS:

- nettle (Emilio)
- openjdk-7 (Emilio)

Then Markus probably claimed too many packages and the same as last week, so today two were unclaimed (see above):

- ceph
- condor
- ruby-actionpack-page-caching
- ruby-kaminari

All DLAs which have been reserved have been published, yay.

Have a great week!

--
cheers,
	Holger

holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Accepted thunderbird 1:78.12.0-1~deb9u1 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Jul 2021 11:37:55 +0200
Source: thunderbird
Architecture: source
Version: 1:78.12.0-1~deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Carsten Schoenert
Changed-By: Emilio Pozuelo Monfort
Changes:
 thunderbird (1:78.12.0-1~deb9u1) stretch-security; urgency=medium
 .
   * Backport to stretch.
Checksums-Sha1:
 2b4bec21ade210491989fc5e33fd59e5db5e32e3 19430 thunderbird_78.12.0-1~deb9u1.dsc
 94fcd8fe6146c408693acf6017747cd05e4d9930 714820 thunderbird_78.12.0-1~deb9u1.debian.tar.xz
 343b6c473ca5272a55de778b50dc984c2cdc0a6b 7704 thunderbird_78.12.0-1~deb9u1_source.buildinfo
Checksums-Sha256:
 498bc54e0ea3d9ccb71765b183bb80effd85f19b57f6b594ea80e3b4a30a38c2 19430 thunderbird_78.12.0-1~deb9u1.dsc
 22bad258930c0c0fc906fa0bac7bef1a7967107ce660bb1e0d9e493471dd07d7 714820 thunderbird_78.12.0-1~deb9u1.debian.tar.xz
 9d1011b8d0be836584da6affe039d8d08b192813f50f0b74becdda72dbecbd68 7704 thunderbird_78.12.0-1~deb9u1_source.buildinfo
Files:
 d453aebb91ac1178b7603f4d20951e04 19430 mail optional thunderbird_78.12.0-1~deb9u1.dsc
 c1e3bb2e8091c4bfe05e0999dbad88b3 714820 mail optional thunderbird_78.12.0-1~deb9u1.debian.tar.xz
 f1137a3c10d70745118e9dce4e58c29c 7704 mail optional thunderbird_78.12.0-1~deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmD1QY4ACgkQnUbEiOQ2
gwJ3CQ/+N30OtZxgKtrve3sUAIJxiPu27zi3UY7KLyzy3dSvhMBFWHmzKMKRAWU3
WPJMZ9BUSsvtFCZxLhoJ+I0auQ0e/jvsFMcXs2dxA+k+wlbdnIahC3tYu1v3HE+j
7xRiWmeQ7haJ3tJjr/rfIT89QwqcwbiZRWyq+LKskxXWo9DilcaHW20FBwMRtebc
uJYo1VLqxl/d8IUX6gxQ7IiW3fi/vThi6KvA9kKyyAa7+Uhuora1KqMX8iXrQXkL
kSzFAtRVRbIi3Uag4p5IFMMNUM/EawVGCWrhueI0BEcqEoaEg4duRHn8SJ8iMF9B
a5bQxZXNnc6yDEUk7ZPsR1chRIqfXGESrWOOvwsgQ0D/GgQaxqmJ5DJYJyekPfLv
KAfhx5/LZL7BdTSS82gkK8/5AtatWSNYA1w6wE+rvFV0qsI71UcTKMpdcYeTcGRr
GXdTcM00xR3E8pegsy8NImHHLwYE/2EjZF5gs4Qj/uPBMfRv2+WmSP34n7N/1gTv
np463CRUu/YbLajYKJz8i3zsYWgEL4GhCvdFmc0oD45qQXwoHGKrQBcnW7s7rEdj
2mTOtGr0bVpiaS+9QDg4KUoCJJXjjk0iTblr8DbHwxzmNBnCxm9OBPD0sIUNpPFc
YfXXAt5ItxpEohqu7cBMArhydreWCrHheSxgshQrs8SMwVtQ0sY=
=fDXB
-----END PGP SIGNATURE-----
Accepted rabbitmq-server 3.6.6-1+deb9u1 (source all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 10 Jul 2021 13:34:54 +0530
Source: rabbitmq-server
Binary: rabbitmq-server
Architecture: source all
Version: 3.6.6-1+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: PKG OpenStack
Changed-By: Abhijith PA
Description:
 rabbitmq-server - AMQP server written in Erlang
Changes:
 rabbitmq-server (3.6.6-1+deb9u1) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 CVE-2019-11281
     CVE-2019-11287 CVE-2021-22116
Checksums-Sha1:
 e19ba2fa0f35c2188a8c5a803c5f6181067156b7 2256 rabbitmq-server_3.6.6-1+deb9u1.dsc
 fc6dbb566981e7810c14fe04521bed2acc3f85ca 2471724 rabbitmq-server_3.6.6.orig.tar.xz
 e480d638ba5e9e216e54bb6998129650759582e2 21736 rabbitmq-server_3.6.6-1+deb9u1.debian.tar.xz
 05043b5014a9baabde5a6bbba3d7fd8bb733c3dd 5236130 rabbitmq-server_3.6.6-1+deb9u1_all.deb
 9045e4bdfcbc84b7f3d30caa4a0bcf4d255a49b1 9292 rabbitmq-server_3.6.6-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 4808693ec98b68ce05fe68bcd25bfca9ac0c7f084851d373ca7484694e412c47 2256 rabbitmq-server_3.6.6-1+deb9u1.dsc
 395689bcf57fd48aed452fcd43ff9a992de40067d3ea5c44e14680d69db7b78e 2471724 rabbitmq-server_3.6.6.orig.tar.xz
 cd2b5c405f9d8e67f5e11b5331c403f29df2ca0cc3d2aa2e507c5b254fb5d3bb 21736 rabbitmq-server_3.6.6-1+deb9u1.debian.tar.xz
 a4ebd20a7452f20a1929a5880987f643d05429655584633620664c802173f2ae 5236130 rabbitmq-server_3.6.6-1+deb9u1_all.deb
 600189511e8e358ec118b2fcb48fbbd0c0bfbca26f2df03288fcfee18ca7bbb3 9292 rabbitmq-server_3.6.6-1+deb9u1_amd64.buildinfo
Files:
 a5b3940c5b9f8cb713d8d0dfdfe174a2 2256 net extra rabbitmq-server_3.6.6-1+deb9u1.dsc
 138e334d3b5565aa4bce2a1e5b3a913c 2471724 net extra rabbitmq-server_3.6.6.orig.tar.xz
 62da1e995d5acdcb44974f62dca4e896 21736 net extra rabbitmq-server_3.6.6-1+deb9u1.debian.tar.xz
 4957e185925930df4ccfe09dcd1827dd 5236130 net extra rabbitmq-server_3.6.6-1+deb9u1_all.deb
 17a4b206a537430cb6908f8a3fbe131e 9292 net extra rabbitmq-server_3.6.6-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmD1K8EUHGFiaGlqaXRo
QGRlYmlhbi5vcmcACgkQhj1N8u2cKO9oAw/+KzaxzXWqyG5pbYvihx0LZZkqNnvX
NYE69eMYDtp5GVZfq7VHsitKQCaBmLHUFB+KQPDv3AbxSLfzf4/XgJfHfmjvNzwt
R+dVjaBH7Z8Kmr0L1M1qRFgMXdQzO42+SMMQZARrMEhPa4hCKAUqrC5SAPQWU2RH
jm1lz7zNPlvE2lA8UKWRo77Uqk93/+RTKDS+67kY2OtlWoZDhF/113ymYmWP6iie
A8SXyxACc+QBF4s6yc9pTO/e/CH6qcmGLmHQDnQLtjGZEDhR2pt/0mjhqiLCOOGI
L5gdhwfuE72HeeypqYak9PS5gZZN6LrY7T3qSrzAMPJMjuMB2J/hVX0ALFxzBXuG
6VYapbGYl/c9mx2UQYhG6cdP46dAyGF3UFofZuq/DpGD791ExfAWMhGzwZDS/CC/
n41Y78u5grA80+hwCpPEaz+6aGRFFVCI8TlSlxhrWejgoRiSf/lsjSCuJt9dx1Vz
egqKGD6pVIzmOx9PvXVmVe96qfOED+YPkmPxMgsefv+M9HiBHKVUAjLJ9c0xV94h
NMCtX/7ww4oMzx6qtisAntPhHnXBshd8SVIOxQx4kJdA4x8j0A0i8Zizcr3Uua9/
M9dJDYXQ6CKrrHWEL1sZJxwnmRZ5ONIlpu81fZrpOJ43un9mMYOLAcmeOSgm6c2D
B8zaBoMBFRxdzXc=
=gWIx
-----END PGP SIGNATURE-----