Public bug reported:

Scheduled-For: ubuntu-25.11
Ubuntu: 4.0.5-8ubuntu2
Debian Unstable: 4.0.5-10

A new release of rabbitmq-server is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the tagging from ['needs-merge', 'upgrade-software-version'] to ['needs-sync', 'upgrade-software-version'], and (optionally) update the title as desired.

### New Debian Changes ###

rabbitmq-server (4.0.5-10) unstable; urgency=medium

  * Removed python3-simplejson build-depends (Closes: #1093307).

 -- Thomas Goirand <[email protected]>  Mon, 18 Aug 2025 23:31:11 +0200

rabbitmq-server (4.0.5-9) unstable; urgency=high

  * CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
    authorization headers in plaintext encoded in base64. When querying
    RabbitMQ api with HTTP/s with basic authentication it creates logs with
    all headers in request, including authorization headers which show base64
    encoded username:password. This is easy to decode and afterwards could be
    used to obtain control to the system depending on credentials. Added
    upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
    (Closes: #1108075)

 -- Thomas Goirand <[email protected]>  Mon, 18 Aug 2025 18:37:26 +0200

### Old Ubuntu Delta ###

rabbitmq-server (4.0.5-8ubuntu2) questing; urgency=medium

  * SECURITY UPDATE: authorization headers logged in plaintext (in base64)
    - debian/patches/CVE-2025-50200.patch: fix the exception logged by
      Cowboy caused by double reply in src/rabbit_mgmt_util.erl,
      src/rabbit_mgmt_wm_exchange_publish.erl,
      src/rabbit_mgmt_wm_queue_actions.erl,
      src/rabbit_mgmt_wm_queue_get.erl.
    - CVE-2025-50200

 -- Marc Deslauriers <[email protected]>  Fri, 19 Sep 2025 11:36:28 -0400

rabbitmq-server (4.0.5-8ubuntu1) questing; urgency=medium

  * Merge with Debian unstable (LP: #2120563). Remaining changes:
    - d/rules: Enable rabbitmq-streams entrypoint.
    - d/p/rabbitmq-dist.mk.patch: Drop, no longer needed.
  * Dropped:
    - Added new dep8 tests (LP #1679386)
      [In 4.0.5-7]
    - d/rules: Set PROJECT_VERSION to fix internal module versioning issues.
      [In 4.0.5-8]

 -- Andreas Hasenack <[email protected]>  Wed, 13 Aug 2025 11:00:09 -0300

** Affects: rabbitmq-server (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: needs-merge upgrade-software-version

-- 
https://bugs.launchpad.net/bugs/2126011

Title:
  Merge rabbitmq-server from Debian Unstable for r-series
