[PKG-Openstack-devel] Bug#849849: rabbitmq-server: CVE-2016-9877
balint at balintreczey.hu
Fri Jan 6 00:59:37 UTC 2017
On Sun, 01 Jan 2017 12:13:30 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> the following vulnerability was published for rabbitmq-server.
> | An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
> | before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before
> | 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport)
> | connection authentication with a username/password pair succeeds if an
> | existing username is provided but the password is omitted from the
> | connection request. Connections that use TLS with a client-provided
> | certificate are not affected.
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> For further information see:
>  https://security-tracker.debian.org/tracker/CVE-2016-9877
>  https://github.com/rabbitmq/rabbitmq-mqtt/pull/98
>  https://github.com/rabbitmq/rabbitmq-mqtt/issues/96
> Please adjust the affected versions in the BTS as needed. I was only
> able to check the vulnerability sourcewise for 3.6.5 in unstable,
> older versions have not been checked so far.
I'm attaching a proposed patch for jessie which builds fine but has not
been tested further.
Wheezy is not affected since the vulnerable mqtt plugin is not present.
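To make the quoted advisory concrete, the following is an added example (not RabbitMQ's code and not the attached Debian patch): it builds and parses MQTT 3.1.1 CONNECT packets, models the described pre-fix behaviour (an existing username with the password field omitted is accepted) beside a hardened decision that refuses any password-based CONNECT lacking a non-empty password, and emits the matching CONNACK. The user table is constructed for the demonstration; the packet layout follows the MQTT 3.1.1 specification.

```python
import hmac
import struct

# Constructed credential store for the demonstration (not RabbitMQ's user database).
USERS = {b"guest": b"guest", b"alice": b"correct horse"}

# CONNACK return codes, MQTT 3.1.1 section 3.2.2.3
CONNACK_ACCEPTED = 0x00
CONNACK_BAD_CREDENTIALS = 0x04  # "bad user name or password"


def _encode_str(s: bytes) -> bytes:
    # MQTT length-prefixed field: 2-byte big-endian length followed by the bytes
    return struct.pack("!H", len(s)) + s


def _encode_remaining_length(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80  # continuation bit
        out.append(byte)
        if not n:
            return bytes(out)


def _decode_remaining_length(data: bytes, offset: int):
    value, multiplier = 0, 1
    for i in range(4):
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def build_connect(client_id: bytes, username=None, password=None, keepalive=60) -> bytes:
    # password=None leaves the password flag (bit 6) clear and the field out of the
    # payload, which is exactly the request the advisory describes.
    flags = 0x02  # clean session
    payload = _encode_str(client_id)
    if username is not None:
        flags |= 0x80
        payload += _encode_str(username)
    if password is not None:
        flags |= 0x40
        payload += _encode_str(password)
    var_header = _encode_str(b"MQTT") + b"\x04" + bytes([flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return b"\x10" + _encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> dict:
    if not packet or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, offset = _decode_remaining_length(packet, 1)
    if len(packet) - offset != remaining:
        raise ValueError("remaining length mismatch")

    def read_str(off):
        (n,) = struct.unpack_from("!H", packet, off)
        off += 2
        if off + n > len(packet):
            raise ValueError("truncated field")
        return packet[off:off + n], off + n

    proto, offset = read_str(offset)
    if proto != b"MQTT":
        raise ValueError("unsupported protocol name")
    level, flags = packet[offset], packet[offset + 1]
    (keepalive,) = struct.unpack_from("!H", packet, offset + 2)
    offset += 4
    client_id, offset = read_str(offset)
    if flags & 0x04:  # will flag: skip will topic and will message
        _, offset = read_str(offset)
        _, offset = read_str(offset)
    username = password = None
    if flags & 0x80:
        username, offset = read_str(offset)
    if flags & 0x40:
        if not flags & 0x80:
            raise ValueError("password flag set without username flag")
        password, offset = read_str(offset)
    if offset != len(packet):
        raise ValueError("trailing bytes after CONNECT payload")
    return {"level": level, "keepalive": keepalive, "client_id": client_id,
            "username": username, "password": password}


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_connect(packet)
        return True
    except ValueError:
        return False


def vulnerable_decision(conn: dict) -> int:
    # Model of the behaviour the advisory describes, not RabbitMQ's implementation:
    # a known username with no password field is treated as authenticated.
    user, pw = conn["username"], conn["password"]
    if user is None or user not in USERS:
        return CONNACK_BAD_CREDENTIALS
    if pw is None:
        return CONNACK_ACCEPTED  # the flaw: nothing to compare, so nothing is checked
    return CONNACK_ACCEPTED if hmac.compare_digest(USERS[user], pw) else CONNACK_BAD_CREDENTIALS


def hardened_decision(conn: dict) -> int:
    # Password-based auth needs a username AND a non-empty password; an absent
    # password must fail, never fall through to "accepted".
    user, pw = conn["username"], conn["password"]
    if user is None or not pw:
        return CONNACK_BAD_CREDENTIALS
    expected = USERS.get(user, b"")
    return CONNACK_ACCEPTED if hmac.compare_digest(expected, pw) else CONNACK_BAD_CREDENTIALS


def build_connack(code: int) -> bytes:
    # fixed header 0x20, remaining length 2, session-present 0, return code
    return b"\x20\x02\x00" + bytes([code])
```

Running `hardened_decision(parse_connect(build_connect(b"cid", b"guest")))` yields 0x04, whereas the modelled pre-fix path returns 0x00 for the same packet. The check belongs in the password-based branch only; the advisory notes that TLS connections authenticated with a client certificate take a different path and were not affected.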