CVE-2018-1279


Debian Bug report logs - #924768
CVE-2018-1279


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 17 Mar 2019 11:09:02 UTC

Severity: important

Tags: security

Fixed in version rabbitmq-server/3.9.8-3

Done: Thomas Goirand <zigo@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#924768; Package rabbitmq-server. (Sun, 17 Mar 2019 11:09:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>. (Sun, 17 Mar 2019 11:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-1279
Date: Sun, 17 Mar 2019 12:05:11 +0100
Package: rabbitmq-server
Severity: important
Tags: security

Please see https://pivotal.io/security/cve-2018-1279

It's not really clear whether this is a configuration error done by "RabbitMQ for PCF"
as a product by Pivotal or a generic issue. It's also possible that this is entirely
a documentation issue to be aware of when setting up a RabbitMQ server with multi
tenant setup.

Cheers,
        Moritz



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sun, 17 Mar 2019 21:12:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 17 Mar 2019 21:12:04 GMT)


Message #10 received at 924768-done@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 924768-done@bugs.debian.org
Subject: Re: Bug#924768: CVE-2018-1279
Date: Sun, 17 Mar 2019 22:08:43 +0100
On 3/17/19 12:05 PM, Moritz Muehlenhoff wrote:
> Package: rabbitmq-server
> Severity: important
> Tags: security
> 
> Please see https://pivotal.io/security/cve-2018-1279
> 
> It's not really clear whether this is a configuration error done by "RabbitMQ for PCF"
> as a product by Pivotal or a generic issue. It's also possible that this is entirely
> a documentation issue to be aware of when setting up a RabbitMQ server with multi
> tenant setup.
> 
> Cheers,
>         Moritz

Hi Moritz,

Thanks for opening this bug and making sure everything is in order.

However, I believe that the issue is about "RabbitMQ for PCF" only,
meaning, not affecting Debian.

To set up a rabbitmq cluster, one needs to set an "erlang_cookie" with
the same value on all the RabbitMQ machines of the cluster. That's
probably what this is about, and that's therefore related to a specific
setup of RabbitMQ from Pivotal.

I therefore believe this bug can be closed.

Cheers,

Thomas Goirand (zigo)
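
The shared-cookie requirement Thomas describes above, together with the later changelog entry that switches the default .erlang.cookie to an OpenSSL-generated value, as an added example that is not part of this bug log or of the Debian rabbitmq-server package: it generates a cookie with OpenSSL and audits cookie files for the things a cluster operator should verify (owner-only mode, enough length, identical value on every node). The function names, the 32-byte size, the 20-character floor and the 0400 mode are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the Debian bug log or the rabbitmq-server package.
# Generates an Erlang cookie with OpenSSL (the approach the 3.9.8-3 changelog
# names) and audits cookie files the way a cluster operator would.
# Function names, 32-byte size, 20-char floor and mode 0400 are assumptions.

# Print a fresh cookie: 32 random bytes as 64 hex characters on one line.
gen_cookie() {
    openssl rand -hex 32
}

# Write a freshly generated cookie to FILE, readable by its owner only
# (Erlang refuses a cookie file that group or others can read).
install_cookie() {
    file=$1
    cookie=$(gen_cookie)
    ( umask 077; printf '%s\n' "$cookie" > "$file" )
    chmod 0400 "$file"
}

# Audit one cookie file. Returns 0 when it passes, 1 with a reason on stderr.
audit_cookie() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(stat -c %a "$file")
    case "$mode" in
        400|600) ;;
        *) echo "$file: mode $mode is not owner-only" >&2; return 1 ;;
    esac
    len=$(tr -d '\n' < "$file" | wc -c)
    if [ "$len" -lt 20 ]; then
        echo "$file: cookie is only $len chars, too short to resist guessing" >&2
        return 1
    fi
    return 0
}

# Check that every listed cookie file (one collected from each node) holds the
# same value: a node with a different cookie cannot join the cluster, and a
# mismatch usually means one node kept a stale or hand-edited cookie.
cookies_match() {
    ref=$(tr -d '\n' < "$1" | sha256sum | cut -d' ' -f1)
    shift
    for f in "$@"; do
        [ "$(tr -d '\n' < "$f" | sha256sum | cut -d' ' -f1)" = "$ref" ] || return 1
    done
    return 0
}
```

Run `audit_cookie /var/lib/rabbitmq/.erlang.cookie` on each node, then `cookies_match` over the collected copies, before exposing the cluster to tenants.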



Reply sent to Dmitry Bogatov <KAction@debian.org>:
You have taken responsibility. (Mon, 08 Apr 2019 17:06:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 08 Apr 2019 17:06:06 GMT)


Message #15 received at 924768-close@bugs.debian.org:

From: Dmitry Bogatov <KAction@debian.org>
To: 924768-close@bugs.debian.org
Subject: Bug#924768: fixed in runit 2.1.2-28
Date: Mon, 08 Apr 2019 17:04:02 +0000
Source: runit
Source-Version: 2.1.2-28

We believe that the bug you reported is fixed in the latest version of
runit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Bogatov <KAction@debian.org> (supplier of updated runit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 08 Apr 2019 16:40:06 +0000
Source: runit
Architecture: source
Version: 2.1.2-28
Distribution: experimental
Urgency: medium
Maintainer: Dmitry Bogatov <KAction@debian.org>
Changed-By: Dmitry Bogatov <KAction@debian.org>
Closes: 924688 924768
Changes:
 runit (2.1.2-28) experimental; urgency=medium
 .
   * Change the supervise directory path of update-service to be consistent
     with the path used in dh-runit. (Closes: #924688)
   * Stop init.d script in invoke-run(5) (Closes: #924768)





No longer marked as fixed in versions runit/2.1.2-28. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Apr 2019 17:30:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 May 2019 07:27:57 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 13 Jan 2022 20:33:02 GMT)


Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 13 Jan 2022 20:33:02 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#924768. (Sat, 15 Jan 2022 11:09:02 GMT)


Message #26 received at 924768-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 924768-submitter@bugs.debian.org
Subject: Bug#924768 marked as pending in rabbitmq-server
Date: Sat, 15 Jan 2022 11:04:23 +0000
Control: tag -1 pending

Hello,

Bug #924768 in rabbitmq-server reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/third-party/rabbitmq-server/-/commit/6e7c5b4e55b1e8330a0072aa1299be6cae2ecb6c

------------------------------------------------------------------------
* Add a debian/README.Debian to explain how to secure a RabbitMQ cluster, as
    it's been pointed out that upstream doc isn't good enough to explain what
    is necessary for it (Closes: #924768).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/924768



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 924768-submitter@bugs.debian.org. (Sat, 15 Jan 2022 11:09:02 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#924768. (Sat, 15 Jan 2022 11:09:04 GMT)


Message #31 received at 924768-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 924768-submitter@bugs.debian.org
Subject: Bug#924768 marked as pending in rabbitmq-server
Date: Sat, 15 Jan 2022 11:04:23 +0000
Control: tag -1 pending

Hello,

Bug #924768 in rabbitmq-server reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/third-party/rabbitmq-server/-/commit/2e3e8081dba2dfbb105ae6501cb8b065ba749dce

------------------------------------------------------------------------
* Add a debian/README.Debian to explain how to secure a RabbitMQ cluster, as
    it's been pointed out that upstream doc isn't good enough to explain what
    is necessary for it (Closes: #924768).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/924768



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 24 Jan 2022 09:39:02 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 24 Jan 2022 09:39:02 GMT)


Message #36 received at 924768-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 924768-close@bugs.debian.org
Subject: Bug#924768: fixed in rabbitmq-server 3.9.8-3
Date: Mon, 24 Jan 2022 09:34:17 +0000
Source: rabbitmq-server
Source-Version: 3.9.8-3
Done: Thomas Goirand <zigo@debian.org>

We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated rabbitmq-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 14 Jan 2022 10:05:34 +0100
Source: rabbitmq-server
Architecture: source
Version: 3.9.8-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 924768
Changes:
 rabbitmq-server (3.9.8-3) unstable; urgency=medium
 .
   * Use OpenSSL to generate the default .erlang.cookie.
   * Set rabbitmq-server.service to depend on epmd.socket and not epmd@.socket.
   * Add a debian/README.Debian to explain how to secure a RabbitMQ cluster, as
     it's been pointed out that upstream doc isn't good enough to explain what
     is necessary for it (Closes: #924768).







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 5 12:09:02 2022; Machine Name: buxtehude
