Public bug reported:

Upstream: tbd
Debian:   3.10.8-3 3.12.1-1
Ubuntu:   3.12.1-1ubuntu1
Debian does new releases regularly, so it's likely there will be newer
versions available before FF that we can pick up if this merge is done
later in the cycle.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the Oracular Release Notes:
https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

rabbitmq-server (3.10.8-3) unstable; urgency=high

  * CVE-2023-46118: Denial of Service by publishing large messages over the
    HTTP API. Applied upstream patches that introduce a limit of 10MB:
    - Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch
    - Introduce_HTTP_request_body_limit_for_definition_uploads.patch
    (Closes: #1056723).

 -- Thomas Goirand <[email protected]>  Mon, 27 Nov 2023 08:31:07 +0100

rabbitmq-server (3.10.8-2) unstable; urgency=medium

  * Cleans better (Closes: #1046813).

 -- Thomas Goirand <[email protected]>  Thu, 24 Aug 2023 11:50:05 +0200

rabbitmq-server (3.10.8-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl <[email protected]>  Sat, 15 Oct 2022 12:42:19 +0200

rabbitmq-server (3.10.8-1) unstable; urgency=medium

  * New upstream release:
    - Fix FTBFS with Erlang 25.
  * lets-use-python3-not-python-binary.patch: removed 2 hunks committed
    upstream.
  * Add OOMScoreAdjust=-500 to the .service file.

 -- Thomas Goirand <[email protected]>  Wed, 28 Sep 2022 15:40:58 +0200

rabbitmq-server (3.9.13-1) unstable; urgency=medium

  * New upstream release.
  * Do not install rabbitmq-server-ha.ocf: it's removed upstream.

 -- Thomas Goirand <[email protected]>  Wed, 23 Feb 2022 09:12:34 +0100

rabbitmq-server (3.9.8-6) unstable; urgency=medium

  * Use grep -q when checking for Erlang cookie.

 -- Thomas Goirand <[email protected]>  Thu, 27 Jan 2022 23:32:11 +0100

rabbitmq-server (3.9.8-5) unstable; urgency=medium

  * Detect if /var/lib/rabbitmq/.erlang.cookie is an Erlang generated cookie,
    regenerate it and restart rabbitmq in such case.

 -- Thomas Goirand <[email protected]>  Thu, 27 Jan 2022 14:14:56 +0100

rabbitmq-server (3.9.8-4) unstable; urgency=medium

  * Use umask when creating the .erlang.cookie to avoid race condition where
    the file could be read.

 -- Thomas Goirand <[email protected]>  Mon, 24 Jan 2022 13:24:50 +0100

rabbitmq-server (3.9.8-3) unstable; urgency=medium

  * Use OpenSSL to generate the default .erlang.cookie.
  * Set rabbitmq-server.service to depend on epmd.socket and not
    [email protected].
  * Add a debian/README.Debian to explain how to secure a RabbitMQ cluster,
    as it's been pointed out that upstream doc isn't good enough to explain
    what is necessary for it (Closes: #924768).

 -- Thomas Goirand <[email protected]>  Fri, 14 Jan 2022 10:05:34 +0100

rabbitmq-server (3.9.8-2) unstable; urgency=medium

  * Finished removing the $LANG wrapper (Closes: #947872).
  * Do not mv /etc/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq-env.conf
    anymore (Closes: #943699).

 -- Thomas Goirand <[email protected]>  Tue, 28 Dec 2021 19:08:01 +0100

rabbitmq-server (3.9.8-1) unstable; urgency=medium

  * New upstream release.
  * d/control: Bump Standards-Version to 4.6.0, no changes.

 -- James Page <[email protected]>  Tue, 02 Nov 2021 16:52:40 +0000

rabbitmq-server (3.9.4-1.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Add a superficial autopkgtest. It just tests that the service is active
    after installation. This is not great test coverage, but it will at
    least stop new erlang versions from migrating before rabbitmq-server is
    fixed to work with it.
  * debian/changelog: add missing Closes: tag in the previous upload. I have
    just closed the actual bug via a separate control email.

 -- Antonio Terceiro <[email protected]>  Sat, 25 Sep 2021 06:38:37 -0300

rabbitmq-server (3.9.4-1.1) unstable; urgency=medium

  * Non-maintainer upload.

### Old Ubuntu Delta ###

rabbitmq-server (3.12.1-1ubuntu1) noble; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2023-46118-*.patch: Introduce HTTP request body
      limit for definition uploads and Reduce default HTTP API request body
      size limit to 10 MiB in deps/rabbitmq_management/Makefile,
      include/rabbit_mgmt.hrl, priv/schema/rabbitmq_management.schema,
      src/rabbit_mgmt_util.erl, src/rabbit_mgmt_wm_definitions.erl.
    - CVE-2023-46118

 -- Leonidas Da Silva Barbosa <[email protected]>  Wed, 22 Nov 2023 16:07:37 -0300

** Affects: rabbitmq-server (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: needs-merge upgrade-software-version

** Changed in: rabbitmq-server (Ubuntu)
    Milestone: None => ubuntu-24.07

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064451

Title:
  Merge rabbitmq-server from Debian unstable for oracular

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rabbitmq-server/+bug/2064451/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
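The Erlang cookie hardening described in the 3.9.8-3, 3.9.8-4 and 3.9.8-5 changelog entries above (generate the cookie with OpenSSL, use a restrictive umask so the file is never readable by other local users, and regenerate it when it is an Erlang-generated default), as an added shell example. This is not the Debian package's maintainer script; it is illustrative code written for this page. It assumes the Erlang default-cookie heuristic of exactly 20 uppercase ASCII letters, which is what the Erlang runtime writes when it auto-creates a cookie; whether Debian's postinst uses the same pattern is an assumption. The function names and the choice of a 40-hex-character cookie are this example's own.

```shell
#!/bin/sh
# Added example, not the rabbitmq-server package's own postinst.
# Illustrates the cookie handling from the 3.9.8-3/-4/-5 changelog entries:
# OpenSSL-generated cookie, umask 077 so no readable window exists, and a
# check for an Erlang auto-generated cookie (20 uppercase letters; that the
# Debian script uses this exact pattern is an assumption).

# Return 0 if the cookie stored in file $1 looks like one the Erlang runtime
# generated itself (and therefore should be replaced).
is_erlang_generated_cookie() {
    grep -qE '^[A-Z]{20}$' "$1" 2>/dev/null
}

# Write a fresh random cookie to $1, optionally chowned to owner:group $2.
# The temporary file is created 0600 under umask 077 in the same directory
# and swapped in with a rename, so there is no moment at which another local
# user can read the new cookie.
generate_cookie() {
    cookie_file=$1
    owner=$2
    dir=$(dirname "$cookie_file")
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "$dir/.erlang.cookie.XXXXXX") || return 1
    if command -v openssl >/dev/null 2>&1; then
        # 20 random bytes as 40 hex characters, no trailing newline.
        openssl rand -hex 20 | tr -d '\n' > "$tmp"
    else
        # Fallback for hosts without OpenSSL (the Debian package uses OpenSSL).
        od -An -N20 -tx1 /dev/urandom | tr -d ' \n' > "$tmp"
    fi
    umask "$old_umask"
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$cookie_file"
}

# Regenerate the cookie only when it is missing or Erlang-generated.
# Returns 0 when a new cookie was written (the caller should then restart
# rabbitmq-server), 1 when the existing cookie was left untouched.
ensure_cookie() {
    if [ ! -s "$1" ] || is_erlang_generated_cookie "$1"; then
        generate_cookie "$1" "$2"
        return 0
    fi
    return 1
}

# Usage on a Debian/Ubuntu host (as root):
#   ensure_cookie /var/lib/rabbitmq/.erlang.cookie rabbitmq:rabbitmq \
#       && systemctl restart rabbitmq-server
```

Because every cluster member must hold the same cookie, regenerating it on one node takes that node out of the cluster until the new cookie has been copied to the others; run the regeneration on one node and distribute the result rather than running it independently everywhere.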
