A CVE was requested for a fix for two security issues from 3.4.1: http://openwall.com/lists/oss-security/2015/01/21/13 I've added the upstream patch in Cauldron and rediffed it for the version we have in Mageia 4 and added it in SVN. Waiting on a CVE assignment before pushing the Mageia 4 update.
CVE-2014-9649 and CVE-2014-9650 have been assigned: http://openwall.com/lists/oss-security/2015/01/27/8 Additionally, CVE-2015-0862 has been fixed upstream in 3.4.3: http://www.rabbitmq.com/news.html We really should update this to 3.4.3.
Version: 4 => Cauldron
Summary: rabbitmq-server new security issues fixed upstream in 3.4.1 => rabbitmq-server new security issues fixed upstream in 3.4.1 and 3.4.3
Whiteboard: (none) => MGA4TOO
Blocks: (none) => 14674
Dropped from Cauldron for now. Feel free to resubmit it to Mageia 5 once it has been updated to 3.4.x.
Version: Cauldron => 4
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)
I'm working on updating to 3.5.3 for mga4 and also for Cauldron based on fedora's package.
CC: (none) => geiger.david68210
ok, now rabbitmq-server-3.5.3-1.mga4 is submitted and uploaded for mga4. So if you agree with my changes, I must still commit my changes into Cauldron SVN and go for a freeze_push request. And I think we can remove the obsoleted rabbitmq-server from the task-obsolete package.
Let's not bring it back into Cauldron right now. If you want to become the maintainer, you can push it once Cauldron reopens. If you really want to maintain it for Mageia 5, we can push it as an update later.
Thanks David!

Advisory:
========================

Updated rabbitmq-server package fixes security vulnerabilities:

RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error
messages which could act as an XSS vector (CVE-2014-9649).

RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads
(CVE-2014-9650).

In RabbitMQ before 3.4.3, some user-controllable content was not properly
HTML-escaped before being presented to a user in the management web UI. An
attacker could publish a specially crafted message, policy name, or client
version to execute arbitrary Javascript code on behalf of a user who was
viewing messages, policies, or connected clients in the management UI. In all
cases, the attacker needs a valid user account on the targeted RabbitMQ
cluster (CVE-2015-0862).

The rabbitmq-server package has been updated to version 3.5.3, fixing these
issues and several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0862
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
http://openwall.com/lists/oss-security/2015/01/27/8
http://www.rabbitmq.com/news.html
========================

Updated packages in core/updates_testing:
========================
rabbitmq-server-3.5.3-1.mga4

from rabbitmq-server-3.5.3-1.mga4.src.rpm
CC: (none) => pmdenielou
Assignee: pmdenielou => qa-bugs
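The advisory above names three distinct fixes in the management plugin, and the QA runs that follow only confirm that the new package starts. An added example, written for this thread and not taken from Mageia QA tooling or from RabbitMQ itself, of what a post-update check of those three behaviours looks like: a pure classifier for /api/* error responses (they must come back as JSON, not text/html), a download header builder that refuses CR/LF in a user-supplied name, and HTML escaping for the kind of user-controlled strings the third CVE concerns. The (status, headers, body) samples are constructed, not captured from a node; the probe_api_error() helper, the http://localhost:15672 URL, the guest/guest credentials and the assumption that the rabbitmq_management plugin is enabled on the test host are all assumptions, not something the thread states.

```python
"""Sanity checks for the three management-plugin issues named in the advisory
(CVE-2014-9649, CVE-2014-9650, CVE-2015-0862).

Added example for this bug thread; it is neither Mageia QA tooling nor RabbitMQ
code. The classification logic is pure so it runs offline on constructed
(status, headers, body) triples; probe_api_error() is a thin urllib wrapper for
pointing the same check at a live management API (the 15672 port, the
guest/guest credentials and an enabled management plugin are assumptions).
"""
import base64
import html
import json
import re
import urllib.error
import urllib.request

_HEADER_BREAK = re.compile(r"[\r\n]")


def api_error_is_safe(status, headers, body):
    """CVE-2014-9649 check: an error from /api/* must be JSON, never text/html.

    A text/html error page that reflects request content is the XSS vector the
    advisory describes, so anything other than parseable application/json fails.
    Header names are matched case-insensitively; non-error replies pass.
    """
    if status < 400:
        return True
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if not ctype.lower().startswith("application/json"):
        return False
    try:
        json.loads(body)
    except ValueError:
        return False
    return True


def safe_content_disposition(filename):
    """CVE-2014-9650 class: build the download header without letting a
    user-supplied name split the response. CR/LF is rejected rather than
    stripped so that probing shows up as an error in the logs."""
    if _HEADER_BREAK.search(filename):
        raise ValueError("CR/LF in download filename")
    return 'attachment; filename="%s"' % filename.replace('"', '\\"')


def render_for_ui(user_controlled):
    """CVE-2015-0862 class: escape message bodies, policy names and client
    version strings before they are placed in management-UI HTML."""
    return html.escape(user_controlled, quote=True)


def probe_api_error(base_url, user, password, path="/api/this-path-does-not-exist"):
    """Request a nonexistent /api/ path on a live node and classify the reply.
    Returns (status, safe). Hypothetical helper; needs a reachable node."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, headers = resp.status, dict(resp.headers)
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        status, headers = err.code, dict(err.headers)
        body = err.read().decode(errors="replace")
    return status, api_error_is_safe(status, headers, body)


# Constructed responses (not captured from a real node) for offline use.
VULNERABLE_ERROR = (
    404,
    {"Content-Type": "text/html"},
    "<html><body>Not found: /api/<script>alert(1)</script></body></html>",
)
FIXED_ERROR = (
    404,
    {"content-type": "application/json"},
    '{"error":"Object Not Found","reason":"Not Found"}',
)


if __name__ == "__main__":
    # Offline demonstration on the constructed responses above.
    print("vulnerable-style error safe?", api_error_is_safe(*VULNERABLE_ERROR))
    print("fixed-style error safe?", api_error_is_safe(*FIXED_ERROR))
    print(render_for_ui('<img src=x onerror="alert(1)">'))
    # Against a live node (assumed URL and credentials):
    # print(probe_api_error("http://localhost:15672", "guest", "guest"))
```

The classifier deliberately treats anything that is not parseable application/json as a failure rather than only flagging text/html, so a regression to some other browser-renderable type would still be caught.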
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: rabbitmq-server

default install of rabbitmq-server

[root@localhost wilcal]# urpmi rabbitmq-server
Package rabbitmq-server-3.1.5-3.mga4.noarch is already installed
[root@localhost wilcal]# service rabbitmq-server start
Starting rabbitmq-server: SUCCESS
rabbitmq-server.
[root@localhost wilcal]# service rabbitmq-server status
Status of node rabbit@localhost ...
[{pid,6347},
 {running_applications,[{rabbit,"RabbitMQ","3.1.5"}, {mnesia,"MNESIA CXC 138 12","4.10"}, {os_mon,"CPO CXC 138 46","2.2.13"}, {xmerl,"XML parser","1.3.4"}, {sasl,"SASL CXC 138 11","2.3.3"}, {stdlib,"ERTS CXC 138 10","1.19.3"}, {kernel,"ERTS CXC 138 10","2.16.3"}]},
 {os,{unix,linux}},
 {erlang_version,"Erlang R16B02 (erts-5.10.3) [source] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,[{total,21019672}, {connection_procs,1436}, {queue_procs,2872}, {plugins,0}, {other_proc,8846772}, {mnesia,30960}, {mgmt_db,0}, {msg_index,11428}, {other_ets,369052}, {binary,10944}, {code,8703978}, {atom,461133}, {other_system,2581097}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,1486900428},
 {disk_free_limit,1000000000},
 {disk_free,2190446592},
 {file_descriptors,[{total_limit,924}, {total_used,3}, {sockets_limit,829}, {sockets_used,1}]},
 {processes,[{limit,1048576},{used,123}]},
 {run_queue,0},
 {uptime,19}]
...done.

install rabbitmq-server from updates_testing

[root@localhost wilcal]# urpmi rabbitmq-server
Package rabbitmq-server-3.5.3-1.mga4.noarch is already installed
[root@localhost wilcal]# service rabbitmq-server start
Starting rabbitmq-server (via systemctl): [ OK ]
[root@localhost wilcal]# service rabbitmq-server status
Status of node rabbit@localhost ...
[{pid,10156},
 {running_applications,[{rabbit,"RabbitMQ","3.5.3"}, {mnesia,"MNESIA CXC 138 12","4.10"}, {os_mon,"CPO CXC 138 46","2.2.13"}, {xmerl,"XML parser","1.3.4"}, {sasl,"SASL CXC 138 11","2.3.3"}, {stdlib,"ERTS CXC 138 10","1.19.3"}, {kernel,"ERTS CXC 138 10","2.16.3"}]},
 {os,{unix,linux}},
 {erlang_version,"Erlang R16B02 (erts-5.10.3) [source] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,[{total,21231928}, {connection_readers,0}, {connection_writers,0}, {connection_channels,0}, {connection_other,1436}, {queue_procs,1436}, {queue_slave_procs,0}, {plugins,0}, {other_proc,8947284}, {mnesia,31008}, {mgmt_db,0}, {msg_index,18044}, {other_ets,371972}, {binary,14712}, {code,8793441}, {atom,465229}, {other_system,2587366}]},
 {alarms,[]},
 {listeners,[{clustering,25672,"::"},{amqp,5672,"::"}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,858993459},
 {disk_free_limit,50000000},
 {disk_free,2184261632},
 {file_descriptors,[{total_limit,924}, {total_used,3}, {sockets_limit,829}, {sockets_used,1}]},
 {processes,[{limit,1048576},{used,124}]},
 {run_queue,0},
 {uptime,44}]

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
Is this sufficient testing for this?
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: rabbitmq-server

default install of rabbitmq-server

[root@localhost wilcal]# urpmi rabbitmq-server
Package rabbitmq-server-3.1.5-3.mga4.noarch is already installed
[root@localhost wilcal]# service rabbitmq-server start
Starting rabbitmq-server: SUCCESS
rabbitmq-server.
[root@localhost wilcal]# service rabbitmq-server status
Status of node rabbit@localhost ...
[{pid,3881},
 {running_applications,[{rabbit,"RabbitMQ","3.1.5"}, {mnesia,"MNESIA CXC 138 12","4.10"}, {os_mon,"CPO CXC 138 46","2.2.13"}, {xmerl,"XML parser","1.3.4"}, {sasl,"SASL CXC 138 11","2.3.3"}, {stdlib,"ERTS CXC 138 10","1.19.3"}, {kernel,"ERTS CXC 138 10","2.16.3"}]},
 {os,{unix,linux}},
 {erlang_version,"Erlang R16B02 (erts-5.10.3) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,[{total,35450816}, {connection_procs,2800}, {queue_procs,5600}, {plugins,0}, {other_proc,13504864}, {mnesia,60496}, {mgmt_db,0}, {msg_index,22392}, {other_ets,729672}, {binary,8568}, {code,16474078}, {atom,594537}, {other_system,4047809}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,1658994688},
 {disk_free_limit,1000000000},
 {disk_free,2540666880},
 {file_descriptors,[{total_limit,924}, {total_used,3}, {sockets_limit,829}, {sockets_used,1}]},
 {processes,[{limit,1048576},{used,123}]},
 {run_queue,0},
 {uptime,11}]
...done.

install rabbitmq-server from updates_testing

[root@localhost wilcal]# urpmi rabbitmq-server
Package rabbitmq-server-3.5.3-1.mga4.noarch is already installed
[root@localhost wilcal]# service rabbitmq-server start
Starting rabbitmq-server (via systemctl): [ OK ]
[root@localhost wilcal]# service rabbitmq-server status
Status of node rabbit@localhost ...
[{pid,1404},
 {running_applications,[{rabbit,"RabbitMQ","3.5.3"}, {mnesia,"MNESIA CXC 138 12","4.10"}, {os_mon,"CPO CXC 138 46","2.2.13"}, {xmerl,"XML parser","1.3.4"}, {sasl,"SASL CXC 138 11","2.3.3"}, {stdlib,"ERTS CXC 138 10","1.19.3"}, {kernel,"ERTS CXC 138 10","2.16.3"}]},
 {os,{unix,linux}},
 {erlang_version,"Erlang R16B02 (erts-5.10.3) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,[{total,35479304}, {connection_readers,0}, {connection_writers,0}, {connection_channels,0}, {connection_other,2800}, {queue_procs,2800}, {queue_slave_procs,0}, {plugins,0}, {other_proc,13299400}, {mnesia,60560}, {mgmt_db,0}, {msg_index,37392}, {other_ets,735824}, {binary,13064}, {code,16665573}, {atom,602729}, {other_system,4059162}]},
 {alarms,[]},
 {listeners,[{clustering,25672,"::"},{amqp,5672,"::"}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,1658994688},
 {disk_free_limit,50000000},
 {disk_free,2534621184},
 {file_descriptors,[{total_limit,924}, {total_used,3}, {sockets_limit,829}, {sockets_used,1}]},
 {processes,[{limit,1048576},{used,124}]},
 {run_queue,0},
 {uptime,72}]
This update works fine.
Testing complete for mga4 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0240.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/647621/