** Description changed: + NOTE: Due to LP: #2074309 it is unclear if newer upstream releases + can/should be merged - resolve that bug before merging anything beyond + debian revision updates or minor bugfixes. + Upstream: tbd Debian: 3.10.8-3 3.12.1-1.1 Ubuntu: 3.12.1-1ubuntu2 - Debian new has 3.12.1-1.1, which may be available for merge soon. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. If this merge pulls in a new upstream version, also consider adding an entry to the Jammy Release Notes: https://discourse.ubuntu.com/c/release/38 - ### New Debian Changes ### rabbitmq-server (3.10.8-3) unstable; urgency=high - * CVE-2023-46118: Denial of Service by publishing large messages over the - HTTP API. Applied upstream patches that introduce a limit of 10MB: - - Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch - - Introduce_HTTP_request_body_limit_for_definition_uploads.patch - (Closes: #1056723). + * CVE-2023-46118: Denial of Service by publishing large messages over the + HTTP API. Applied upstream patches that introduce a limit of 10MB: + - Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch + - Introduce_HTTP_request_body_limit_for_definition_uploads.patch + (Closes: #1056723). - -- Thomas Goirand <[email protected]> Mon, 27 Nov 2023 08:31:07 +0100 + -- Thomas Goirand <[email protected]> Mon, 27 Nov 2023 08:31:07 +0100 rabbitmq-server (3.10.8-2) unstable; urgency=medium - * Cleans better (Closes: #1046813). + * Cleans better (Closes: #1046813). - -- Thomas Goirand <[email protected]> Thu, 24 Aug 2023 11:50:05 +0200 + -- Thomas Goirand <[email protected]> Thu, 24 Aug 2023 11:50:05 +0200 rabbitmq-server (3.10.8-1.1) unstable; urgency=medium - * Non-maintainer upload. - * No source change upload to rebuild with debhelper 13.10. + * Non-maintainer upload. + * No source change upload to rebuild with debhelper 13.10. 
- -- Michael Biebl <[email protected]> Sat, 15 Oct 2022 12:42:19 +0200 + -- Michael Biebl <[email protected]> Sat, 15 Oct 2022 12:42:19 +0200 rabbitmq-server (3.10.8-1) unstable; urgency=medium - * New upstream release: - - Fix FTBFS with Erlang 25. - * lets-use-python3-not-python-binary.patch: removed 2 hunks commited - upstream. - * Add OOMScoreAdjust=-500 to the .service file. + * New upstream release: + - Fix FTBFS with Erlang 25. + * lets-use-python3-not-python-binary.patch: removed 2 hunks commited + upstream. + * Add OOMScoreAdjust=-500 to the .service file. - -- Thomas Goirand <[email protected]> Wed, 28 Sep 2022 15:40:58 +0200 + -- Thomas Goirand <[email protected]> Wed, 28 Sep 2022 15:40:58 +0200 rabbitmq-server (3.9.13-1) unstable; urgency=medium - * New upstream release. - * Do not install rabbitmq-server-ha.ocf: it's removed upstream. + * New upstream release. + * Do not install rabbitmq-server-ha.ocf: it's removed upstream. - -- Thomas Goirand <[email protected]> Wed, 23 Feb 2022 09:12:34 +0100 + -- Thomas Goirand <[email protected]> Wed, 23 Feb 2022 09:12:34 +0100 rabbitmq-server (3.9.8-6) unstable; urgency=medium - * Use grep -q when checking for Erglang cookie. + * Use grep -q when checking for Erglang cookie. - -- Thomas Goirand <[email protected]> Thu, 27 Jan 2022 23:32:11 +0100 + -- Thomas Goirand <[email protected]> Thu, 27 Jan 2022 23:32:11 +0100 rabbitmq-server (3.9.8-5) unstable; urgency=medium - * Detect if /var/lib/rabbitmq/.erlang.cookie is an Erlang generated cookie, - regenerate and restart rabbitmq it in such case. + * Detect if /var/lib/rabbitmq/.erlang.cookie is an Erlang generated cookie, + regenerate and restart rabbitmq it in such case. - -- Thomas Goirand <[email protected]> Thu, 27 Jan 2022 14:14:56 +0100 + -- Thomas Goirand <[email protected]> Thu, 27 Jan 2022 14:14:56 +0100 rabbitmq-server (3.9.8-4) unstable; urgency=medium - * Use umask when creating the .erlang.cookie to avoid race condition where - the file could be read. 
+ * Use umask when creating the .erlang.cookie to avoid race condition where + the file could be read. - -- Thomas Goirand <[email protected]> Mon, 24 Jan 2022 13:24:50 +0100 + -- Thomas Goirand <[email protected]> Mon, 24 Jan 2022 13:24:50 +0100 rabbitmq-server (3.9.8-3) unstable; urgency=medium - * Use OpenSSL to generate the default .erlang.cookie. - * Set rabbitmq-server.service to depend on epmd.socket and not [email protected]. - * Add a debian/README.Debian to explain how to secure a RabbitMQ cluster, as - it's been pointed out that upstream doc isn't good enough to explain what - is necessar for it (Closes: #924768). + * Use OpenSSL to generate the default .erlang.cookie. + * Set rabbitmq-server.service to depend on epmd.socket and not [email protected]. + * Add a debian/README.Debian to explain how to secure a RabbitMQ cluster, as + it's been pointed out that upstream doc isn't good enough to explain what + is necessar for it (Closes: #924768). - -- Thomas Goirand <[email protected]> Fri, 14 Jan 2022 10:05:34 +0100 + -- Thomas Goirand <[email protected]> Fri, 14 Jan 2022 10:05:34 +0100 rabbitmq-server (3.9.8-2) unstable; urgency=medium - * Finished removing the $LANG wrapper (Closes: #947872). - * Do not mv /etc/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq-env.conf - anymore (Closes: #943699). + * Finished removing the $LANG wrapper (Closes: #947872). + * Do not mv /etc/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq-env.conf + anymore (Closes: #943699). - -- Thomas Goirand <[email protected]> Tue, 28 Dec 2021 19:08:01 +0100 + -- Thomas Goirand <[email protected]> Tue, 28 Dec 2021 19:08:01 +0100 rabbitmq-server (3.9.8-1) unstable; urgency=medium - * New upstream release. - * d/control: Bump Standards-Version to 4.6.0, no changes. + * New upstream release. + * d/control: Bump Standards-Version to 4.6.0, no changes. 
- -- James Page <[email protected]> Tue, 02 Nov 2021 16:52:40 +0000 + -- James Page <[email protected]> Tue, 02 Nov 2021 16:52:40 +0000 rabbitmq-server (3.9.4-1.2) unstable; urgency=medium - * Non-maintainer upload. - * Add a superficial autopkgtest. - It just tests that the service is active after installation. This is not - great test coverage, but it will at least stop new erlang versions from - migrating before rabbitmq-server is fixed to work with it. - * debian/changelog: add missing Closes: tag in the previous upload. - I have just closed the actual bug via a separate control email. + * Non-maintainer upload. + * Add a superficial autopkgtest. + It just tests that the service is active after installation. This is not + great test coverage, but it will at least stop new erlang versions from + migrating before rabbitmq-server is fixed to work with it. + * debian/changelog: add missing Closes: tag in the previous upload. + I have just closed the actual bug via a separate control email. - -- Antonio Terceiro <[email protected]> Sat, 25 Sep 2021 06:38:37 + -- Antonio Terceiro <[email protected]> Sat, 25 Sep 2021 06:38:37 -0300 rabbitmq-server (3.9.4-1.1) unstable; urgency=medium - * Non-maintainer upload. - + * Non-maintainer upload. 
### Old Ubuntu Delta ### rabbitmq-server (3.12.1-1ubuntu2) oracular; urgency=medium - * Added new dep8 tests (LP: #1679386): - - d/t/hello-world - - d/t/publish-subscribe - - d/t/rpc - - d/t/work-queue - - d/t/smoke-test: remove unnecessary redirection and shell set - * d/watch: update to find upstream tarball, and verify its signature - * d/upstream/signing-key.asc: added, downloaded from - https://github.com/rabbitmq/signing-keys/releases/download/3.0/rabbitmq-release-signing-key.asc + * Added new dep8 tests (LP: #1679386): + - d/t/hello-world + - d/t/publish-subscribe + - d/t/rpc + - d/t/work-queue + - d/t/smoke-test: remove unnecessary redirection and shell set + * d/watch: update to find upstream tarball, and verify its signature + * d/upstream/signing-key.asc: added, downloaded from + https://github.com/rabbitmq/signing-keys/releases/download/3.0/rabbitmq-release-signing-key.asc - -- Mitchell Dzurick <[email protected]> Tue, 23 Jul 2024 + -- Mitchell Dzurick <[email protected]> Tue, 23 Jul 2024 11:43:35 -0700 rabbitmq-server (3.12.1-1ubuntu1) noble; urgency=medium - * SECURITY UPDATE: Denial of service - - debian/patches/CVE-2023-46118-*.patch: Introduce HTTP request body limit - for definition uploads and Reduce default HTTP API request body size limit - to 10 MiB in deps/rabbitmq_management/Makefile, include/rabbit_mgmt.hrl, - priv/schema/rabbitmq_management.schema, src/rabbit_mgmt_util.erl, - src/rabbit_mgmt_wm_definitions.erl. - - CVE-2023-46118 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2023-46118-*.patch: Introduce HTTP request body limit + for definition uploads and Reduce default HTTP API request body size limit + to 10 MiB in deps/rabbitmq_management/Makefile, include/rabbit_mgmt.hrl, + priv/schema/rabbitmq_management.schema, src/rabbit_mgmt_util.erl, + src/rabbit_mgmt_wm_definitions.erl. 
+ - CVE-2023-46118 - -- Leonidas Da Silva Barbosa <[email protected]> Wed, 22 Nov + -- Leonidas Da Silva Barbosa <[email protected]> Wed, 22 Nov 2023 16:07:37 -0300
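Review bot: in the "New Debian Changes" and "Old Ubuntu Delta" blocks every removed line is re-added with the same text, so those parts of the change are indentation only and the one substantive addition, the NOTE about LP: #2074309 at the top, is easy to overlook. The NOTE limits merges to "debian revision updates or minor bugfixes" but does not say where security fixes fall. The only security entry listed on the Debian side, CVE-2023-46118 in 3.10.8-3, is already carried in the Ubuntu delta as debian/patches/CVE-2023-46118-*.patch in 3.12.1-1ubuntu1, and it would help to state that explicitly so the block on merging is not read as leaving that fix outstanding. "Upstream: tbd" is also still unfilled.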
** Description changed: NOTE: Due to LP: #2074309 it is unclear if newer upstream releases can/should be merged - resolve that bug before merging anything beyond debian revision updates or minor bugfixes. Upstream: tbd Debian: 3.10.8-3 3.12.1-1.1 Ubuntu: 3.12.1-1ubuntu2 Debian new has 3.12.1-1.1, which may be available for merge soon. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. If this merge pulls in a new upstream version, also consider adding an entry to the Jammy Release Notes: https://discourse.ubuntu.com/c/release/38 ### New Debian Changes ### - rabbitmq-server (3.10.8-3) unstable; urgency=high - - * CVE-2023-46118: Denial of Service by publishing large messages over the - HTTP API. Applied upstream patches that introduce a limit of 10MB: - - Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch - - Introduce_HTTP_request_body_limit_for_definition_uploads.patch - (Closes: #1056723). - - -- Thomas Goirand <[email protected]> Mon, 27 Nov 2023 08:31:07 +0100 - - rabbitmq-server (3.10.8-2) unstable; urgency=medium - - * Cleans better (Closes: #1046813). - - -- Thomas Goirand <[email protected]> Thu, 24 Aug 2023 11:50:05 +0200 - - rabbitmq-server (3.10.8-1.1) unstable; urgency=medium - - * Non-maintainer upload. - * No source change upload to rebuild with debhelper 13.10. - - -- Michael Biebl <[email protected]> Sat, 15 Oct 2022 12:42:19 +0200 - - rabbitmq-server (3.10.8-1) unstable; urgency=medium - - * New upstream release: - - Fix FTBFS with Erlang 25. - * lets-use-python3-not-python-binary.patch: removed 2 hunks commited - upstream. - * Add OOMScoreAdjust=-500 to the .service file. - - -- Thomas Goirand <[email protected]> Wed, 28 Sep 2022 15:40:58 +0200 - - rabbitmq-server (3.9.13-1) unstable; urgency=medium - - * New upstream release. - * Do not install rabbitmq-server-ha.ocf: it's removed upstream. 
- - -- Thomas Goirand <[email protected]> Wed, 23 Feb 2022 09:12:34 +0100 - - rabbitmq-server (3.9.8-6) unstable; urgency=medium - - * Use grep -q when checking for Erglang cookie. - - -- Thomas Goirand <[email protected]> Thu, 27 Jan 2022 23:32:11 +0100 - - rabbitmq-server (3.9.8-5) unstable; urgency=medium - - * Detect if /var/lib/rabbitmq/.erlang.cookie is an Erlang generated cookie, - regenerate and restart rabbitmq it in such case. - - -- Thomas Goirand <[email protected]> Thu, 27 Jan 2022 14:14:56 +0100 - - rabbitmq-server (3.9.8-4) unstable; urgency=medium - - * Use umask when creating the .erlang.cookie to avoid race condition where - the file could be read. - - -- Thomas Goirand <[email protected]> Mon, 24 Jan 2022 13:24:50 +0100 - - rabbitmq-server (3.9.8-3) unstable; urgency=medium - - * Use OpenSSL to generate the default .erlang.cookie. - * Set rabbitmq-server.service to depend on epmd.socket and not [email protected]. - * Add a debian/README.Debian to explain how to secure a RabbitMQ cluster, as - it's been pointed out that upstream doc isn't good enough to explain what - is necessar for it (Closes: #924768). - - -- Thomas Goirand <[email protected]> Fri, 14 Jan 2022 10:05:34 +0100 - - rabbitmq-server (3.9.8-2) unstable; urgency=medium - - * Finished removing the $LANG wrapper (Closes: #947872). - * Do not mv /etc/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq-env.conf - anymore (Closes: #943699). - - -- Thomas Goirand <[email protected]> Tue, 28 Dec 2021 19:08:01 +0100 - - rabbitmq-server (3.9.8-1) unstable; urgency=medium - - * New upstream release. - * d/control: Bump Standards-Version to 4.6.0, no changes. - - -- James Page <[email protected]> Tue, 02 Nov 2021 16:52:40 +0000 - - rabbitmq-server (3.9.4-1.2) unstable; urgency=medium - - * Non-maintainer upload. - * Add a superficial autopkgtest. - It just tests that the service is active after installation. 
This is not - great test coverage, but it will at least stop new erlang versions from - migrating before rabbitmq-server is fixed to work with it. - * debian/changelog: add missing Closes: tag in the previous upload. - I have just closed the actual bug via a separate control email. - - -- Antonio Terceiro <[email protected]> Sat, 25 Sep 2021 06:38:37 - -0300 - - rabbitmq-server (3.9.4-1.1) unstable; urgency=medium - - * Non-maintainer upload. + rabbitmq-server (3.12.1-1.1) experimental; urgency=medium + + * Non-maintainer upload. + * No source change upload to rebuild with debhelper >= 13.11.8 which + installs systemd units into /usr. ### Old Ubuntu Delta ### rabbitmq-server (3.12.1-1ubuntu2) oracular; urgency=medium * Added new dep8 tests (LP: #1679386): - d/t/hello-world - d/t/publish-subscribe - d/t/rpc - d/t/work-queue - d/t/smoke-test: remove unnecessary redirection and shell set * d/watch: update to find upstream tarball, and verify its signature * d/upstream/signing-key.asc: added, downloaded from https://github.com/rabbitmq/signing-keys/releases/download/3.0/rabbitmq-release-signing-key.asc -- Mitchell Dzurick <[email protected]> Tue, 23 Jul 2024 11:43:35 -0700 rabbitmq-server (3.12.1-1ubuntu1) noble; urgency=medium * SECURITY UPDATE: Denial of service - debian/patches/CVE-2023-46118-*.patch: Introduce HTTP request body limit for definition uploads and Reduce default HTTP API request body size limit to 10 MiB in deps/rabbitmq_management/Makefile, include/rabbit_mgmt.hrl, priv/schema/rabbitmq_management.schema, src/rabbit_mgmt_util.erl, src/rabbit_mgmt_wm_definitions.erl. - CVE-2023-46118 -- Leonidas Da Silva Barbosa <[email protected]> Wed, 22 Nov 2023 16:07:37 -0300 ** Summary changed: - Merge rabbitmq-server from Debian unstable for jammy + Merge rabbitmq-server from Debian unstable for plucky -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. 
https://bugs.launchpad.net/bugs/2085277

Title:
  Merge rabbitmq-server from Debian unstable for plucky
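Review bot: the unchanged description text still says "consider adding an entry to the Jammy Release Notes" while the summary in this same change moves the target from jammy to plucky, so that sentence should be updated to match the new series. The "New Debian Changes" block now lists only 3.12.1-1.1, which its own header marks as an experimental upload, yet the title says "from Debian unstable" and the version line still reads "Debian: 3.10.8-3 3.12.1-1.1"; state which Debian suite and version is the intended merge base. With the 3.10.8-3 entry removed from this block, the CVE-2023-46118 fix is now visible only under "Old Ubuntu Delta", so whoever does the merge should confirm those patches are kept or superseded rather than dropped.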
