Hi Emile,

On 10/25/2013 04:13 PM, Emile Joubert wrote:
> On 24/10/13 15:34, Thomas Goirand wrote:
>
>> I reported this to the maintainer, and to the security team a *very*
>> long time ago, though it seems to be that nothing has been done to
>> address this issue.
>
> Your suggestions have not been ignored, and we take feedback on security
> issues very seriously.

It's good to read this! :)

> Please bear in mind that v3.2.0 is the first feature release since June
> 2013 when the discussion you refer to took place. Entry 24094 from the
> release notes is the first step towards a solution:
> http://www.rabbitmq.com/release-notes/README-3.2.0.txt
> This will allow the broker to report authentication failures explicitly.
> This is a feature that AMQP does not offer, so the protocol had to be
> extended in a backwards-compatible way.
>
> Only now that the broker can reliably report authentication failures do
> we plan to execute the next step, which is to remove the ability to log
> in with a default account on a public interface in the default
> configuration. (BTW this has nothing to do with IPv6 as suggested in the
> bug title.)

As far as I can see, there's no problem with IPv4 only (e.g. RabbitMQ
would not bind on the public interface by default). Am I wrong to say
that the server only binds on the local public IPv6? If so, feel free to
fix the title of the bug.

> I'm sorry you feel disappointed that not enough progress has been made.
> We are attempting to introduce this change to the default configuration
> in a way that will cause as little disruption as possible. Since the
> incidence of authentication failures is expected to rise dramatically it
> was deemed necessary to improve their reporting before proceeding.

Unfortunately, this public bug report has very little to do with the fact
that there's "not enough progress". It has everything to do with the fact
that I have discussed the issue publicly, and that I'm writing this in
publicly available documentation (e.g. OpenStack), so I felt that this
issue had to be available on the Debian BTS as well. I hope you
understand that, and that you don't mind too much that I reported it
this way.

Cheers,

Thomas Goirand
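Added illustration (not part of this thread, and not configuration shipped by the RabbitMQ project or Debian): the exposure discussed above is the AMQP listener accepting connections on non-loopback addresses while the default account still exists. RabbitMQ's `tcp_listeners` setting in `rabbitmq.config` controls which addresses the broker binds; a bare port number binds every interface, while `{Address, Port}` tuples pin it to specific addresses. The file path below is an assumption (the Debian package location at the time), and the port is the standard AMQP port.

```erlang
%% Added example, not from the bug report or the RabbitMQ project.
%% Assumed path: /etc/rabbitmq/rabbitmq.config (Erlang term format).
%%
%% Weak setting: a bare port binds the AMQP listener on every address,
%% IPv4 and IPv6 alike, so the default "guest" account is reachable from
%% any host that can route packets to this machine:
%%
%%   [{rabbit, [{tcp_listeners, [5672]}]}].
%%
%% Hardened setting: bind only the loopback addresses (v4 and v6). The
%% broker then serves local clients only, and exposing it to the network
%% becomes an explicit decision taken after the default account has been
%% removed or re-credentialed.
[
  {rabbit, [
    {tcp_listeners, [{"127.0.0.1", 5672}, {"::1", 5672}]}
  ]}
].
```

After restarting the broker, confirm the binding with `ss -ltnp | grep 5672` (or `netstat -ltnp`): only `127.0.0.1:5672` and `[::1]:5672` should appear. A `*:5672` or `:::5672` entry means the listener is still reachable from the network, which is exactly the IPv6 case the bug title refers to when the v4 and v6 bindings differ.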