Package: rabbitmq-server
Version: 3.2.0-1
Severity: critical

Hi,

I reported this to the maintainer, and to the security team, a *very* long time ago, though it seems that nothing has been done to address this issue. As I have already discussed this publicly, and I am documenting it in the OpenStack doc, I think it is time to do this public bug report.

By default, the RabbitMQ server package allows anyone to connect with the login guest and password guest. Over IPv4, that's not a problem, since that's only possible through localhost. However, if a server is using IPv6, the rabbitmq-server binds on it, and it is reachable from the outside. I can only guess what type of consequences this has: from bad security for those who use the server in production, to a nasty DoS of the system itself through resource starvation (message flooding).

I would strongly recommend that the rabbitmq-server package does at least one of the following (by order of preference, one option not excluding another):

1/ Prompt for the default password change through debconf
2/ Do not bind on IPv6 by default (just only on ::1)
3/ Do not start if the default guest account has guest as password

Cheers,

Thomas Goirand (zigo)
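An added audit check, not part of the bug report above, that a Debian admin can run on a host to see whether the broker is in the exposed state described (an AMQP listener bound to the IPv6 wildcard or to a real address rather than ::1). It assumes RabbitMQ's default AMQP port 5672 and the `ss -ltn` output layout; the sample lines are constructed, and the remedy config it prints corresponds to option 2/ above.

```shell
#!/bin/sh
# Reads `ss -ltn` (or `netstat -ltn`) output on stdin and reports any
# listener on the AMQP port that is not bound to a loopback address.
# Port 5672 is RabbitMQ's default AMQP port (assumed; pass another as $1
# if the broker is reconfigured). Returns 1 if an exposed listener is found.
check_amqp_listeners() {
    port="${1:-5672}"
    exposed=0
    while read -r _state _rq _sq laddr _rest; do
        case "$laddr" in
            *:"$port") ;;     # a listener on the AMQP port: inspect it
            *) continue ;;    # header line or unrelated port
        esac
        case "$laddr" in
            127.*:*|"[::1]:"*) ;;                   # loopback only: fine
            *) echo "EXPOSED: $laddr"; exposed=1 ;; # 0.0.0.0, [::], * or a real address
        esac
    done
    return "$exposed"
}

# Constructed sample in `ss -ltn` layout: the IPv4 listener is loopback-only,
# the IPv6 one is bound to the wildcard address and so reachable from outside.
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5672      0.0.0.0:*
LISTEN 0      128    [::]:5672           [::]:*
LISTEN 0      128    [::1]:15672         [::]:*'

if printf '%s\n' "$SAMPLE" | check_amqp_listeners; then
    echo "AMQP listeners are loopback-only"
else
    # Remedy for option 2/: bind only on the loopback addresses
    # (classic /etc/rabbitmq/rabbitmq.config syntax, assumed for 3.x).
    echo "remedy: in /etc/rabbitmq/rabbitmq.config set"
    echo '  [{rabbit, [{tcp_listeners, [{"127.0.0.1", 5672}, {"::1", 5672}]}]}].'
fi
```

On a live host, run `ss -ltn | check_amqp_listeners` after sourcing the file; a non-zero exit means the broker accepts connections on a non-loopback address.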