[PKG-Openstack-devel] Bug#849849: rabbitmq-server: CVE-2016-9877

Balint Reczey balint at balintreczey.hu
Fri Jan 6 00:59:37 UTC 2017


Hi,

On Sun, 01 Jan 2017 12:13:30 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:
...

> 
> Hi,
> 
> the following vulnerability was published for rabbitmq-server.
> 
> CVE-2016-9877[0]:
> | An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
> | before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before
> | 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport)
> | connection authentication with a username/password pair succeeds if an
> | existing username is provided but the password is omitted from the
> | connection request. Connections that use TLS with a client-provided
> | certificate are not affected.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9877
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9877
> [1] https://github.com/rabbitmq/rabbitmq-mqtt/pull/98
> [2] https://github.com/rabbitmq/rabbitmq-mqtt/issues/96
> 
> Please adjust the affected versions in the BTS as needed. I was only
> able to check the vulnerability sourcewise for 3.6.5 in unstable,
> older versions have not been checked so far.

I'm attaching a proposed patch for jessie which builds fine but has not
been tested further.

Wheezy is not affected since the vulnerable mqtt plugin is not present.

Cheers,
Balint
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Auth-issue-fix-039a3c22e57bf77b325d19494a9b20cd745f1.patch
Type: text/x-patch
Size: 4486 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/openstack-devel/attachments/20170106/f3c94324/attachment.bin>
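As an added illustration (not code from RabbitMQ, from the Debian patch, or from this report), the Python below models the MQTT 3.1.1 CONNECT packet fields the advisory hinges on: a parser that reports whether the username and password flags are set, beside a broker-side authentication decision written in the flawed shape the CVE text describes and its hardened form. The user table and packets are constructed test input; the flawed variant follows the advisory's wording only, not RabbitMQ's actual Erlang implementation.

```python
import hmac
import struct

# Constructed sample user table (plain-text passwords only to keep the illustration short).
USERS = {"guest": "guest"}

def build_connect(client_id, username=None, password=None):
    """Build an MQTT 3.1.1 CONNECT packet; constructed test input, not captured traffic."""
    def s(text):
        return struct.pack(">H", len(text)) + text.encode()
    flags = 0x02                      # clean session
    if username is not None:
        flags |= 0x80                 # username flag
    if password is not None:
        flags |= 0x40                 # password flag
    body = s("MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + s(client_id)
    if username is not None:
        body += s(username)
    if password is not None:
        body += s(password)
    return bytes([0x10, len(body)]) + body   # single-byte remaining length (< 128 bytes)

def parse_connect(pkt):
    """Return (client_id, username, password); a field whose flag is clear comes back as None."""
    assert pkt[0] == 0x10 and pkt[1] < 128, "not a short CONNECT packet"
    pos = 2
    def rd():
        nonlocal pos
        n = struct.unpack_from(">H", pkt, pos)[0]
        pos += 2
        value = pkt[pos:pos + n].decode()
        pos += n
        return value
    assert rd() == "MQTT"
    flags = pkt[pos + 1]
    pos += 4                          # protocol level, connect flags, keep-alive
    client_id = rd()
    username = rd() if flags & 0x80 else None
    password = rd() if flags & 0x40 else None
    return client_id, username, password

def vulnerable_auth(username, password):
    """Shape of the flaw in the advisory: an existing username with no password is accepted."""
    if username not in USERS:
        return False
    if password is None:
        return True                   # BUG: omitted password treated as nothing to check
    return hmac.compare_digest(USERS[username], password)

def fixed_auth(username, password):
    """Hardened username/password path: the password must be present and must match."""
    if username is None or password is None or username not in USERS:
        return False
    return hmac.compare_digest(USERS[username], password)

def decide(pkt, auth=fixed_auth):
    """Run the chosen authentication policy over a raw CONNECT packet."""
    _, username, password = parse_connect(pkt)
    return auth(username, password)
```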