On 8/5/22 01:24, Tim Abbott wrote:
> On Wed, Aug 3, 2022 at 12:22 AM Thomas Goirand <z...@debian.org> wrote:
>> Hi Tim,
>> Please don't top-post, we don't do that in Debian, and also:
>
> Apologies!
>
>> FYI, I'm sad too, but there's nothing I can do but ping the stable
>> release team about this again. You hear me well: the stable release
>> team. Not the security team, since they do not want to do a security
>> announcement and an update through stable-security (so it shall be done
>> through a point release, dealing with the stable release team).
>> This means writing to 1002...@bugs.debian.org. That's the only email
>> address that has influence on accepting the fixed version. Feel free to
>> ping that email address until you get a reply. I agree that no reply
>> since the 29th of Jan is sad...
>
> I still don't understand why the determination was made to not do a
> security announcement for this bug, given that it makes a Debian system
> that installs this package vulnerable to remote RCE without manual
> intervention.

What was discussed with the security team is that the most common
practice is to never expose a RabbitMQ cluster to the internet. We
believe most server administrators know it (at least, that's the point of
view of the security team, but not necessarily mine...).

> But given that determination was made, perhaps the best way I can
> contribute is by making sure this bug thread links to
> https://blog.zulip.com/2022/01/25/zulip-server-4-9-security-release/#cve-2021-43799-remote-code-execution-vulnerability-involving-rabbitmq,
> which has a bunch of public context about the impact of this bug, as
> well as background explanation that may help release managers who don't
> know much about Erlang/RabbitMQ.

Convincing the stable release team that we must do an update by writing
in this bug entry is exactly what should be done, indeed.

Dear stable release team, can we have your opinion here?

Cheers,

Thomas Goirand (zigo)