Hi, I've prepared the package here: http://sid.gplhost.com/jessie-proposed-updates/rabbitmq-server/
Debdiff is attached (and also available from there). Please allow me to upload. Cheers, Thomas Goirand (zigo)
diff -u rabbitmq-server-3.3.5/debian/changelog rabbitmq-server-3.3.5/debian/changelog
--- rabbitmq-server-3.3.5/debian/changelog
+++ rabbitmq-server-3.3.5/debian/changelog
@@ -1,3 +1,9 @@
+rabbitmq-server (3.3.5-1.1+deb8u1) jessie-security; urgency=medium
+
+ * CVE-2016-9877: apply backported upstream patch (Closes: #849849).
+
+ -- Thomas Goirand <z...@debian.org> Wed, 11 Jan 2017 02:17:32 +0100
+
 rabbitmq-server (3.3.5-1.1) testing-proposed-updates; urgency=medium
 
 * Non-maintainer upload.
only in patch2:
unchanged:
--- rabbitmq-server-3.3.5.orig/debian/gbp.conf
+++ rabbitmq-server-3.3.5/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = jessie
+pristine-tar = True
only in patch2:
unchanged:
--- rabbitmq-server-3.3.5.orig/debian/patches/CVE-2016-9877_Auth_issue_fix.patch
+++ rabbitmq-server-3.3.5/debian/patches/CVE-2016-9877_Auth_issue_fix.patch
@@ -0,0 +1,101 @@
+From 157948d86d391a325ac9702f78976c175ced58be Mon Sep 17 00:00:00 2001
+From: Daniil Fedotov <dfedo...@pivotal.io>
+Date: Mon, 5 Sep 2016 12:33:49 +0100
+Subject: [PATCH] Auth issue fix 039a3c22e57bf77b325d19494a9b20cd745f1ea7
+ backport
+ .
+ Backported to Debian Jessie's 3.3.5-1.1 by Balint Reczey as part of the
+ LTS work.
+
+---
+ src/rabbit_mqtt_processor.erl | 63 ++++++++++++++-------------
+ test/Makefile | 2 +-
+ test/src/com/rabbitmq/mqtt/test/MqttTest.java | 12 +++++
+ 3 files changed, 45 insertions(+), 32 deletions(-)
+
+--- a/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl
++++ b/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl
+@@ -75,7 +75,13 @@
+ _ ->
+ case creds(Username, Password) of
+ nocreds ->
+- rabbit_log:error("MQTT login failed - no credentials~n"),
++ rabbit_log:error("MQTT login failed: no credentials provided~n"),
++ {?CONNACK_CREDENTIALS, PState};
++ {invalid_creds, {undefined, Pass}} when is_list(Pass) ->
++ rabbit_log:error("MQTT login failed: no user username is provided"),
++ {?CONNACK_CREDENTIALS, PState};
++ {invalid_creds, {User, undefined}} when is_list(User) ->
++ rabbit_log:error("MQTT login failed for ~p: no password provided", [User]),
+ {?CONNACK_CREDENTIALS, PState};
+ {UserBin, PassBin} ->
+ case process_login(UserBin, PassBin, ProtoVersion, PState) of
+@@ -370,20 +376,25 @@
+ DefaultUser = rabbit_mqtt_util:env(default_user),
+ DefaultPass = rabbit_mqtt_util:env(default_pass),
+ Anon = rabbit_mqtt_util:env(allow_anonymous),
+- U = case {User =/= undefined, is_binary(DefaultUser), Anon =:= true} of
+- {true, _, _ } -> list_to_binary(User);
+- {false, true, true} -> DefaultUser;
+- _ -> nocreds
+- end,
+- case U of
+- nocreds ->
+- nocreds;
+- _ ->
+- case {Pass =/= undefined, is_binary(DefaultPass), Anon =:= true} of
+- {true, _, _ } -> {U, list_to_binary(Pass)};
+- {false, true, true} -> {U, DefaultPass};
+- _ -> {U, none}
+- end
++ HaveDefaultCreds = Anon =:= true andalso
++ is_binary(DefaultUser) andalso
++ is_binary(DefaultPass),
++
++ CredentialsProvided = User =/= undefined orelse
++ Pass =/= undefined,
++
++ CorrectCredentials = is_list(User) andalso
++ is_list(Pass),
++
++ case {CredentialsProvided, CorrectCredentials, HaveDefaultCreds} of
++ %% Username and password take priority
++ {true, true, _} -> {list_to_binary(User),
++ list_to_binary(Pass)};
++ %% Either username or password is provided
++ {true, false, _} -> {invalid_creds, {User, Pass}};
++ %% Anonymous connection uses default credentials
++ {false, false, true} -> {DefaultUser, DefaultPass};
++ _ -> nocreds
+ end.
+ 
+ supported_subs_qos(?QOS_0) -> ?QOS_0;
+--- a/plugins-src/rabbitmq-mqtt/test/Makefile
++++ b/plugins-src/rabbitmq-mqtt/test/Makefile
+@@ -1,4 +1,4 @@
+-UPSTREAM_GIT=https://git.eclipse.org/gitroot/paho/org.eclipse.paho.mqtt.java.git
++UPSTREAM_GIT=https://github.com/eclipse/paho.mqtt.java.git
+ REVISION=00b5b2f99ae8410b7d96d106e080a092c5f92546
+ 
+ JC=javac
+--- a/plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java
++++ b/plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java
+@@ -163,6 +163,18 @@
+ }
+ }
+ 
++ public void testEmptyPassword() throws MqttException {
++ MqttClient c = new MqttClient(brokerUrl, clientId, null);
++ MqttConnectOptions opts = new MyConnOpts();
++ opts.setUserName("guest");
++ opts.setPassword(null);
++ try {
++ c.connect(opts);
++ fail("Authentication failure expected");
++ } catch (MqttException ex) {
++ Assert.assertEquals(MqttException.REASON_CODE_FAILED_AUTHENTICATION, ex.getReasonCode());
++ }
++ }
+ 
+ public void testSubscribeQos0() throws MqttException, InterruptedException {
+ client.connect(conOpt);
only in patch2:
unchanged:
--- rabbitmq-server-3.3.5.orig/debian/patches/series
+++ rabbitmq-server-3.3.5/debian/patches/series
@@ -0,0 +1 @@
+CVE-2016-9877_Auth_issue_fix.patch
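Review bot: In the `@@ -75,7 +75,13 @@` hunk of rabbit_mqtt_processor.erl the two new `{invalid_creds, ...}` clauses are both guarded with `is_list/1`, so an `invalid_creds` tuple whose non-`undefined` element is not a list would skip them and match the unguarded `{UserBin, PassBin} ->` clause that follows, reaching `process_login/4` with the atom `invalid_creds` as the user; whether the frame parser can yield such a value is not visible here, but a closing `{invalid_creds, _} -> {?CONNACK_CREDENTIALS, PState};` clause placed before the success clause (or an `is_binary` guard on that clause) would make the rejection independent of the parser's types. The first new log message reads `"MQTT login failed: no user username is provided"` — drop the stray `user` — and both new messages omit the trailing `~n` that the neighbouring `no credentials provided~n` message keeps, so the three rejection logs in one clause group are formatted inconsistently. The `creds/2` rewrite in the `@@ -370,20 +376,25 @@` hunk is a clear improvement over the nested `case` it replaces and correctly keeps the password out of the log. The enclosing functions of both hunks start and end outside the quoted context.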