Bug 29174

Summary: rabbitmq-server new security issue CVE-2021-22116 and CVE-2021-3271[89]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: rabbitmq-server-3.8.9-1.mga8.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 25970    

Description David Walser 2021-06-25 00:20:42 CEST 
Ubuntu has issued an advisory today (June 24):
https://ubuntu.com/security/notices/USN-5004-1

The issue is fixed upstream in 2.8.16.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-06-25 00:21:06 CEST

Blocks: (none) => 25970
CC: (none) => mageia
Whiteboard: (none) => MGA8TOO, MGA7TOO
Severity: normal => major
Status comment: (none) => Fixed upstream in 3.8.16

Comment 1 David Walser 2021-07-01 18:59:27 CEST 
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 2 David Walser 2021-07-06 16:38:29 CEST 
Fedora has issued an advisory today (July 6):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3GCM7AYCAYK5PUWXDCR7CMTQSERKK4KK/

It fixes two CVEs:
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x

Details of upstream releases:
https://www.rabbitmq.com/news.html
https://www.rabbitmq.com/changelog.html
https://github.com/rabbitmq/rabbitmq-server/releases

Status comment: Fixed upstream in 3.8.16 => Fixed upstream in 3.8.18
Summary: rabbitmq-server new security issue CVE-2021-22116 => rabbitmq-server new security issue CVE-2021-22116 and CVE-2021-3271[89]

Comment 3 Nicolas Lécureuil 2021-08-01 19:55:29 CEST 
updated in cauldron.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 4 Nicolas Lécureuil 2021-08-01 19:58:54 CEST 
fixed in mga8


src:
    -  rabbitmq-server-3.8.18-1.mga8

Status comment: Fixed upstream in 3.8.18 => (none)
Assignee: java => qa-bugs

Comment 5 Herman Viaene 2021-08-03 16:01:07 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 11054 for tests.
# systemctl -l status rabbitmq-server
● rabbitmq-server.service - RabbitMQ broker
     Loaded: loaded (/usr/lib/systemd/system/rabbitmq-server.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

# systemctl -l start rabbitmq-server 

# systemctl -l status rabbitmq-server
● rabbitmq-server.service - RabbitMQ broker
     Loaded: loaded (/usr/lib/systemd/system/rabbitmq-server.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2021-08-03 15:50:25 CEST; 4s ago
   Main PID: 9700 (beam.smp)
     Status: "Initialized"
      Tasks: 27 (limit: 9402)
     Memory: 92.1M
        CPU: 7.685s
     CGroup: /system.slice/rabbitmq-server.service
             ├─9700 /usr/lib64/erlang/erts-11.1.5/bin/beam.smp -W w -MBas ageffcbf -MHas ageffcbf -MBlmbcs 512 -MHlmbcs 512 -MMmcs 30 -P 1048576 -t 5000000 -stbt db -zdbbl 128000 -sbwt none>
             ├─9709 erl_child_setup 1024
             ├─9763 inet_gethost 4
             └─9764 inet_gethost 4

aug 03 15:50:19 mach5.hviaene.thuis rabbitmq-server[9700]:   TLS Library: OpenSSL - OpenSSL 1.1.1k  25 Mar 2021
aug 03 15:50:19 mach5.hviaene.thuis rabbitmq-server[9700]:   Doc guides:  https://rabbitmq.com/documentation.html
aug 03 15:50:19 mach5.hviaene.thuis rabbitmq-server[9700]:   Support:     https://rabbitmq.com/contact.html
aug 03 15:50:19 mach5.hviaene.thuis rabbitmq-server[9700]:   Tutorials:   https://rabbitmq.com/getstarted.html
aug 03 15:50:19 mach5.hviaene.thuis rabbitmq-server[9700]:   Monitoring:  https://rabbitmq.com/monitoring.html
aug 03 15:50:19 mach5.hviaene.thuis rabbitmq-server[9700]:   Logs: /var/log/rabbitmq/rabbit@mach5.log
aug 03 15:50:19 mach5.hviaene.thuis rabbitmq-server[9700]:         /var/log/rabbitmq/rabbit@mach5_upgrade.log
aug 03 15:50:19 mach5.hviaene.thuis rabbitmq-server[9700]:   Config file(s): /etc/rabbitmq/rabbitmq.conf
aug 03 15:50:25 mach5.hviaene.thuis rabbitmq-server[9700]:   Starting broker... completed with 0 plugins.
aug 03 15:50:25 mach5.hviaene.thuis systemd[1]: Started RabbitMQ broker.

# rabbitmq-plugins enable rabbitmq_management
Enabling plugins on node rabbit@mach5:
rabbitmq_management
The following plugins have been configured:
  rabbitmq_management
  rabbitmq_management_agent
  rabbitmq_web_dispatch
Applying plugin configuration to rabbit@mach5...
The following plugins have been enabled:
  rabbitmq_management
  rabbitmq_management_agent
  rabbitmq_web_dispatch

started 3 plugins.

Looks OKto me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2021-08-06 02:58:17 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-08-06 10:50:07 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-08-06 11:35:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0390.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED