Debian Bug report logs - #863586
CVE-2017-4965 CVE-2017-4966 CVE-2017-4967

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 28 May 2017 20:54:02 UTC

Severity: grave

Tags: security, stretch-ignore

Found in version rabbitmq-server/3.6.6-1

Fixed in version rabbitmq-server/3.6.10-1

Done: Thomas Goirand <zigo@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#863586; Package rabbitmq-server. (Sun, 28 May 2017 20:54:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sun, 28 May 2017 20:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-4965 CVE-2017-4966 CVE-2017-4967
Date: Sun, 28 May 2017 22:49:58 +0200
Package: rabbitmq-server
Severity: grave
Tags: security

Please see
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-4965
https://security-tracker.debian.org/tracker/CVE-2017-4966
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-4967

Cheers,
        Moritz



Marked as found in versions rabbitmq-server/3.6.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 May 2017 05:45:04 GMT)


Added tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sat, 03 Jun 2017 17:15:04 GMT)


Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to control@bugs.debian.org. (Wed, 28 Jun 2017 13:06:04 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#863586. (Wed, 28 Jun 2017 13:06:06 GMT)


Message #14 received at 863586-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 863586-submitter@bugs.debian.org
Subject: Bug#863586 marked as pending
Date: Wed, 28 Jun 2017 13:03:44 +0000
tag 863586 pending
thanks

Hello,

Bug #863586 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/openstack/rabbitmq-server.git/commit/?id=b7e220a

---
commit b7e220a1505974928053193f07de85da06c7c8f1
Author: Thomas Goirand <zigo@debian.org>
Date:   Wed Jun 28 15:03:36 2017 +0200

      * New upstream release (Closes: #863586), fixing multiple issues:
        - CVE-2017-4965: XSS vulnerabilities in management UI
        - CVE-2017-4966: authentication details are stored in browser-local storage
          without expiration
        - CVE-2017-4967: XSS vulnerabilities in management UI

diff --git a/debian/changelog b/debian/changelog
index ce6823c..08e3b69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+rabbitmq-server (3.6.10-1) unstable; urgency=medium
+
+  * New upstream release (Closes: #863586), fixing multiple issues:
+    - CVE-2017-4965: XSS vulnerabilities in management UI
+    - CVE-2017-4966: authentication details are stored in browser-local storage
+      without expiration
+    - CVE-2017-4967: XSS vulnerabilities in management UI
+
+ -- Thomas Goirand <zigo@debian.org>  Wed, 28 Jun 2017 15:00:41 +0200
+
 rabbitmq-server (3.6.6-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
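Review bot: in the new changelog stanza the entries for CVE-2017-4965 and CVE-2017-4967 carry identical text, "XSS vulnerabilities in management UI", so a reader of the changelog cannot tell the two fixes apart or map them to their upstream advisories; give each line a distinguishing detail (the affected management page or component, or a reference to the respective upstream advisory). The stanza also keeps urgency=medium although the upload closes a grave security bug; urgency=high is the usual choice for such uploads so the fixed package migrates to testing sooner.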



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 28 Jun 2017 18:33:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 28 Jun 2017 18:33:04 GMT)


Message #19 received at 863586-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 863586-close@bugs.debian.org
Subject: Bug#863586: fixed in rabbitmq-server 3.6.10-1
Date: Wed, 28 Jun 2017 18:31:36 +0000
Source: rabbitmq-server
Source-Version: 3.6.10-1

We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863586@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated rabbitmq-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 28 Jun 2017 15:00:41 +0200
Source: rabbitmq-server
Binary: rabbitmq-server
Architecture: source all
Version: 3.6.10-1
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 rabbitmq-server - AMQP server written in Erlang
Closes: 863586
Changes:
 rabbitmq-server (3.6.10-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #863586), fixing multiple issues:
     - CVE-2017-4965: XSS vulnerabilities in management UI
     - CVE-2017-4966: authentication details are stored in browser-local storage
       without expiration
     - CVE-2017-4967: XSS vulnerabilities in management UI







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:51:38 2019; Machine Name: buxtehude
