Bug 15120 - rabbitmq-server new security issues fixed upstream in 3.4.1 and 3.4.3
Summary: rabbitmq-server new security issues fixed upstream in 3.4.1 and 3.4.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/647621/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-01-23 14:35 CET by David Walser
Modified: 2015-06-09 18:54 CEST

See Also:
Source RPM: rabbitmq-server-3.1.5-3.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-01-23 14:35:49 CET
A CVE was requested for a fix for two security issues from 3.4.1:
http://openwall.com/lists/oss-security/2015/01/21/13

I've added the upstream patch in Cauldron and rediffed it for the version we have in Mageia 4 and added it in SVN.

Waiting on a CVE assignment before pushing the Mageia 4 update.

Comment 1 David Walser 2015-01-27 20:16:42 CET
CVE-2014-9649 and CVE-2014-9650 have been assigned:
http://openwall.com/lists/oss-security/2015/01/27/8

Additionally, CVE-2015-0862 has been fixed upstream in 3.4.3:
http://www.rabbitmq.com/news.html

We really should update this to 3.4.3.

Version: 4 => Cauldron
Summary: rabbitmq-server new security issues fixed upstream in 3.4.1 => rabbitmq-server new security issues fixed upstream in 3.4.1 and 3.4.3
Whiteboard: (none) => MGA4TOO

David Walser 2015-01-27 23:37:31 CET

Blocks: (none) => 14674

Comment 2 David Walser 2015-02-23 14:45:47 CET
Dropped from Cauldron for now.  Feel free to resubmit it to Mageia 5 once it has been updated to 3.4.x.

Version: Cauldron => 4
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)

Comment 3 David GEIGER 2015-05-24 11:16:57 CEST
I'm working on updating to 3.5.3 for mga4 and also for Cauldron based on fedora's package.

CC: (none) => geiger.david68210

Comment 4 David GEIGER 2015-05-24 16:18:23 CEST
OK, rabbitmq-server-3.5.3-1.mga4 is now submitted and uploaded for mga4.

So if you agree with my changes, I still need to commit my changes into Cauldron SVN and go for a freeze_push request.

And I think we can remove the obsoleted rabbitmq-server from the task-obsolete package.
Comment 5 David Walser 2015-05-24 18:01:43 CEST
Let's not bring it back into Cauldron right now.  If you want to become the maintainer, you can push it once Cauldron reopens.  If you really want to maintain it for Mageia 5, we can push it as an update later.
Comment 6 David Walser 2015-05-24 18:17:27 CEST
Thanks David!

Advisory:
========================

Updated rabbitmq-server package fixes security vulnerabilities:

RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error
messages which could act as an XSS vector (CVE-2014-9649).

RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads
(CVE-2014-9650).

In RabbitMQ before 3.4.3, some user-controllable content was not properly
HTML-escaped before being presented to a user in the management web UI.
An attacker could publish a specially crafted message, policy name, or client
version to execute arbitrary JavaScript code on behalf of a user who was
viewing messages, policies, or connected clients in the management UI. In all
cases, the attacker needs a valid user account on the targeted RabbitMQ
cluster (CVE-2015-0862).

The rabbitmq-server package has been updated to version 3.5.3, fixing these
issues and several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0862
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
http://openwall.com/lists/oss-security/2015/01/27/8
http://www.rabbitmq.com/news.html
========================

Updated packages in core/updates_testing:
========================
rabbitmq-server-3.5.3-1.mga4

from rabbitmq-server-3.5.3-1.mga4.src.rpm

CC: (none) => pmdenielou
Assignee: pmdenielou => qa-bugs
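
The three issues in the advisory are three classic web-layer mistakes (an API that answers errors as text/html, a download endpoint that lets a caller-supplied value reach a response header, and a UI that concatenates user-controlled strings into HTML). The following is an added example written for this bug report, not code from RabbitMQ or from the Mageia package: it shows each of the corresponding defensive checks as a small function on a mock response. The function names and the (status, headers, body) tuple shape are assumptions for illustration; only the CVE numbers come from the advisory.

```python
import html
import json

# Added example for this bug's advisory, not code from RabbitMQ or the Mageia
# package. Function names and the (status, headers, body) response shape are
# assumptions for illustration; only the CVE numbers come from the advisory.


def api_error_response(status, message):
    """Return an /api/* error as JSON, never as text/html.

    An error page served as text/html that echoes caller-supplied text (an
    unknown vhost or queue name, say) is rendered as markup by a browser; the
    same text inside a JSON document served as application/json is inert.
    This is the class of issue described for CVE-2014-9649.
    """
    body = json.dumps({"error": message})
    return status, {"Content-Type": "application/json"}, body


def header_value_is_safe(value):
    """True when a header value contains no CR, LF or other control character.

    Response splitting (the class of CVE-2014-9650) relies on a newline
    reaching the header block, so the check refuses every control character
    instead of trying to enumerate encodings of the CR LF pair.
    """
    return all(ord(ch) >= 0x20 and ch != "\x7f" for ch in value)


def download_response(filename, payload):
    """Build the response for a download endpoint with a caller-chosen filename.

    The filename is validated before it is placed in Content-Disposition; a
    bad value is rejected rather than sanitised, so nothing resembling a
    header separator ever reaches the header block.
    """
    if not header_value_is_safe(filename):
        raise ValueError("control character in download filename")
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % filename.replace('"', ""),
    }
    return 200, headers, payload


def render_row(message_payload, policy_name, client_version):
    """Render one management-UI table row, escaping every user-controlled cell.

    Message bodies, policy names and client-reported versions are written by
    authenticated users and shown to other users: the three inputs named for
    CVE-2015-0862. Each is HTML-escaped (quotes included, so the result is
    also safe inside an attribute) before it is concatenated into markup.
    """
    cells = (message_payload, policy_name, client_version)
    escaped = (html.escape(str(c), quote=True) for c in cells)
    return "<tr>" + "".join("<td>%s</td>" % c for c in escaped) + "</tr>"


if __name__ == "__main__":
    # Constructed inputs of the kind an authenticated user could submit.
    print(api_error_response(404, "Object not found: <b>vhost</b>"))
    print(download_response("definitions.json", b"{}")[1])
    print(header_value_is_safe("ok.txt"), header_value_is_safe("bad\r\nX: y"))
    print(render_row("<script>alert(1)</script>", "ha-all", "3.5.3"))
```

The point of the first two functions is that the fix lives in the response builder, not in the page: an error body that is JSON under application/json cannot be interpreted as markup whatever it contains, and a header value that is refused on the first control character cannot split the response regardless of how the framework serialises headers. The third shows why escaping must happen at the moment of rendering, per cell, rather than relying on the data having been "clean" when stored.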

Comment 7 William Kenney 2015-06-01 17:05:33 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
rabbitmq-server

default install of rabbitmq-server

[root@localhost wilcal]# urpmi rabbitmq-server
Package rabbitmq-server-3.1.5-3.mga4.noarch is already installed

[root@localhost wilcal]# service rabbitmq-server start
Starting rabbitmq-server: SUCCESS
rabbitmq-server.

[root@localhost wilcal]# service rabbitmq-server status
Status of node rabbit@localhost ...
[{pid,6347},
 {running_applications,[{rabbit,"RabbitMQ","3.1.5"},
                        {mnesia,"MNESIA  CXC 138 12","4.10"},
                        {os_mon,"CPO  CXC 138 46","2.2.13"},
                        {xmerl,"XML parser","1.3.4"},
                        {sasl,"SASL  CXC 138 11","2.3.3"},
                        {stdlib,"ERTS  CXC 138 10","1.19.3"},
                        {kernel,"ERTS  CXC 138 10","2.16.3"}]},
 {os,{unix,linux}},
 {erlang_version,"Erlang R16B02 (erts-5.10.3) [source] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,[{total,21019672},
          {connection_procs,1436},
          {queue_procs,2872},
          {plugins,0},
          {other_proc,8846772},
          {mnesia,30960},
          {mgmt_db,0},
          {msg_index,11428},
          {other_ets,369052},
          {binary,10944},
          {code,8703978},
          {atom,461133},
          {other_system,2581097}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,1486900428},
 {disk_free_limit,1000000000},
 {disk_free,2190446592},
 {file_descriptors,[{total_limit,924},
                    {total_used,3},
                    {sockets_limit,829},
                    {sockets_used,1}]},
 {processes,[{limit,1048576},{used,123}]},
 {run_queue,0},
 {uptime,19}]
...done.

install rabbitmq-server from updates_testing

[root@localhost wilcal]# urpmi rabbitmq-server
Package rabbitmq-server-3.5.3-1.mga4.noarch is already installed

[root@localhost wilcal]# service rabbitmq-server start
Starting rabbitmq-server (via systemctl):        [  OK  ]

[root@localhost wilcal]# service rabbitmq-server status
Status of node rabbit@localhost ...
[{pid,10156},
 {running_applications,[{rabbit,"RabbitMQ","3.5.3"},
                        {mnesia,"MNESIA  CXC 138 12","4.10"},
                        {os_mon,"CPO  CXC 138 46","2.2.13"},
                        {xmerl,"XML parser","1.3.4"},
                        {sasl,"SASL  CXC 138 11","2.3.3"},
                        {stdlib,"ERTS  CXC 138 10","1.19.3"},
                        {kernel,"ERTS  CXC 138 10","2.16.3"}]},
 {os,{unix,linux}},
 {erlang_version,"Erlang R16B02 (erts-5.10.3) [source] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,[{total,21231928},
          {connection_readers,0},
          {connection_writers,0},
          {connection_channels,0},
          {connection_other,1436},
          {queue_procs,1436},
          {queue_slave_procs,0},
          {plugins,0},
          {other_proc,8947284},
          {mnesia,31008},
          {mgmt_db,0},
          {msg_index,18044},
          {other_ets,371972},
          {binary,14712},
          {code,8793441},
          {atom,465229},
          {other_system,2587366}]},
 {alarms,[]},
 {listeners,[{clustering,25672,"::"},{amqp,5672,"::"}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,858993459},
 {disk_free_limit,50000000},
 {disk_free,2184261632},
 {file_descriptors,[{total_limit,924},
                    {total_used,3},
                    {sockets_limit,829},
                    {sockets_used,1}]},
 {processes,[{limit,1048576},{used,124}]},
 {run_queue,0},
 {uptime,44}]


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

CC: (none) => wilcal.int

Comment 8 William Kenney 2015-06-01 17:06:06 CEST
Is this sufficient testing for this?
Comment 9 William Kenney 2015-06-01 17:21:31 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
rabbitmq-server

default install of rabbitmq-server

[root@localhost wilcal]# urpmi rabbitmq-server
Package rabbitmq-server-3.1.5-3.mga4.noarch is already installed

[root@localhost wilcal]# service rabbitmq-server start
Starting rabbitmq-server: SUCCESS
rabbitmq-server.

[root@localhost wilcal]# service rabbitmq-server status
Status of node rabbit@localhost ...
[{pid,3881},
 {running_applications,[{rabbit,"RabbitMQ","3.1.5"},
                        {mnesia,"MNESIA  CXC 138 12","4.10"},
                        {os_mon,"CPO  CXC 138 46","2.2.13"},
                        {xmerl,"XML parser","1.3.4"},
                        {sasl,"SASL  CXC 138 11","2.3.3"},
                        {stdlib,"ERTS  CXC 138 10","1.19.3"},
                        {kernel,"ERTS  CXC 138 10","2.16.3"}]},
 {os,{unix,linux}},
 {erlang_version,"Erlang R16B02 (erts-5.10.3) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,[{total,35450816},
          {connection_procs,2800},
          {queue_procs,5600},
          {plugins,0},
          {other_proc,13504864},
          {mnesia,60496},
          {mgmt_db,0},
          {msg_index,22392},
          {other_ets,729672},
          {binary,8568},
          {code,16474078},
          {atom,594537},
          {other_system,4047809}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,1658994688},
 {disk_free_limit,1000000000},
 {disk_free,2540666880},
 {file_descriptors,[{total_limit,924},
                    {total_used,3},
                    {sockets_limit,829},
                    {sockets_used,1}]},
 {processes,[{limit,1048576},{used,123}]},
 {run_queue,0},
 {uptime,11}]
...done.

install rabbitmq-server from updates_testing

[root@localhost wilcal]# urpmi rabbitmq-server
Package rabbitmq-server-3.5.3-1.mga4.noarch is already installed

[root@localhost wilcal]# service rabbitmq-server start
Starting rabbitmq-server (via systemctl):   [  OK  ]

[root@localhost wilcal]# service rabbitmq-server status
Status of node rabbit@localhost ...
[{pid,1404},
 {running_applications,[{rabbit,"RabbitMQ","3.5.3"},
                        {mnesia,"MNESIA  CXC 138 12","4.10"},
                        {os_mon,"CPO  CXC 138 46","2.2.13"},
                        {xmerl,"XML parser","1.3.4"},
                        {sasl,"SASL  CXC 138 11","2.3.3"},
                        {stdlib,"ERTS  CXC 138 10","1.19.3"},
                        {kernel,"ERTS  CXC 138 10","2.16.3"}]},
 {os,{unix,linux}},
 {erlang_version,"Erlang R16B02 (erts-5.10.3) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,[{total,35479304},
          {connection_readers,0},
          {connection_writers,0},
          {connection_channels,0},
          {connection_other,2800},
          {queue_procs,2800},
          {queue_slave_procs,0},
          {plugins,0},
          {other_proc,13299400},
          {mnesia,60560},
          {mgmt_db,0},
          {msg_index,37392},
          {other_ets,735824},
          {binary,13064},
          {code,16665573},
          {atom,602729},
          {other_system,4059162}]},
 {alarms,[]},
 {listeners,[{clustering,25672,"::"},{amqp,5672,"::"}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,1658994688},
 {disk_free_limit,50000000},
 {disk_free,2534621184},
 {file_descriptors,[{total_limit,924},
                    {total_used,3},
                    {sockets_limit,829},
                    {sockets_used,1}]},
 {processes,[{limit,1048576},{used,124}]},
 {run_queue,0},
 {uptime,72}]
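
The QA procedure in Comments 7 and 9 confirms the fix by reading the running version out of the `service rabbitmq-server status` output (`{rabbit,"RabbitMQ","3.1.5"}` before, `"3.5.3"` after) and comparing it with the versions the advisory names. The following is an added example written for this bug, not code from RabbitMQ or the Mageia package: it parses that Erlang-term output and reports which of the three advisory CVEs a running broker still lacks a fix for. The fixed-in versions are those stated in the advisory above; the two status excerpts are constructed to match the shape of the output quoted in the comments.

```python
import re

# Added example for the QA procedure in Comments 7 and 9, not code from
# RabbitMQ or the Mageia package. FIXED_IN holds the upstream versions the
# advisory names; the sample status excerpts below are constructed.

# Upstream release in which each issue was fixed, per the advisory.
FIXED_IN = {
    "CVE-2014-9649": (3, 4, 1),
    "CVE-2014-9650": (3, 4, 1),
    "CVE-2015-0862": (3, 4, 3),
}

# The running_applications entry for the broker, e.g. {rabbit,"RabbitMQ","3.5.3"}
_RABBIT_APP = re.compile(r'\{rabbit,"RabbitMQ","([0-9]+(?:\.[0-9]+)*)"\}')


def parse_version(status_text):
    """Extract the running broker version from `rabbitmqctl status` output.

    Returns a tuple of ints such as (3, 5, 3), or None when no rabbit
    application is listed (node down, or the text is not a status dump).
    """
    m = _RABBIT_APP.search(status_text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def unfixed_cves(version):
    """CVEs from the advisory whose fix is newer than the running version."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def assess(status_text):
    """Summarise one status dump: the version that runs and what it still lacks.

    When no version can be parsed every CVE is reported as unfixed: an
    unreadable status is no evidence of a fix, and for a QA sign-off the
    conservative reading is the useful one.
    """
    version = parse_version(status_text)
    unfixed = sorted(FIXED_IN) if version is None else unfixed_cves(version)
    return {"version": version, "unfixed": unfixed}


# Constructed excerpts in the shape of the status output quoted in the bug:
# the pre-update node (3.1.5) and the post-update node (3.5.3).
BEFORE_UPDATE = """Status of node rabbit@localhost ...
[{pid,6347},
 {running_applications,[{rabbit,"RabbitMQ","3.1.5"},
                        {mnesia,"MNESIA  CXC 138 12","4.10"}]},
 {os,{unix,linux}}]
...done."""

AFTER_UPDATE = """Status of node rabbit@localhost ...
[{pid,10156},
 {running_applications,[{rabbit,"RabbitMQ","3.5.3"},
                        {mnesia,"MNESIA  CXC 138 12","4.10"}]},
 {os,{unix,linux}}]"""


if __name__ == "__main__":
    for label, text in (("before update", BEFORE_UPDATE), ("after update", AFTER_UPDATE)):
        print(label, assess(text))
```

One caveat for anyone reusing this in a QA script: it judges the upstream version string only. A distribution package that backports a fix while keeping an older version (the rediffed 3.1.5 patch mentioned in the description would have been exactly that) is reported as unfixed, so for such packages the package changelog, not the running version, is the authoritative record.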
Comment 10 William Kenney 2015-06-04 21:33:16 CEST
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 11 claire robinson 2015-06-04 22:50:41 CEST
Advisory uploaded.

Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

Comment 12 Mageia Robot 2015-06-08 23:18:40 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0240.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-06-09 18:54:20 CEST

URL: (none) => http://lwn.net/Vulnerabilities/647621/

