Hi Emile,

I'm sorry, but we have here a severe security issue, which needs to be addressed in both Wheezy and Testing/Sid, and ASAP. I don't think you realized the seriousness of this issue.
I don't think waiting again and again for a potential version 3.3 to maybe fix the issue in probably some months is the way to go. This bug has been opened on the 24th of October; we're now the 31st of March. That's been already 5 months. And I've warned you about this issue months before reporting this publicly. That's half a year with a severe public access hole in your package. To me it doesn't look like you are taking this problem seriously enough. Therefore, I have NMU'd the package.

In my change, if there's no /etc/rabbitmq/rabbitmq-env.conf *AND* if the package isn't upgrading (eg: this is the first install), then the postinst script will add RABBITMQ_NODE_IP_ADDRESS=127.0.0.1 in that file. The only relevant part of the debdiff is:

    case "$1" in
        configure)
            [ ... some stuff ... ]
    +        if [ -z "${2}" ] ; then
    +            if ! [ -e /etc/rabbitmq/rabbitmq-env.conf ] ; then
    +                if ! [ -d /etc/rabbitmq ] ; then
    +                    mkdir -p /etc/rabbitmq
    +                fi
    +                echo "RABBITMQ_NODE_IP_ADDRESS=127.0.0.1" >/etc/rabbitmq/rabbitmq-env.conf
    +            fi
    +        fi

I also took the liberty to remove the DM-Upload-Allowed field, which has been deprecated for more than a year now, and which you are leaving in your package on consecutive uploads. Are you even using lintian?!? Also, some files which shouldn't have, appeared in the debdiff, so I've added them in a clean:: target in your debian/rules. I'd suggest you switch to source format 3.0 (quilt) to avoid these in the future.

This is the most conservative approach, which doesn't fix already installed servers. I would strongly recommend that you later on also address previously installed servers. Also, I would have liked to bind on ::1 by default, but I didn't find out how (eg: 127.0.0.1,::1 in the file didn't work).

Attached to this message, you will find a debdiff of my changes. If you find it not good enough, you have 2 days to react (as I uploaded to the DELAYED/2-day queue), and I can either cancel the upload during this period, or sponsor anything better that you may provide.
Note that I'd be very happy to help in any way possible. Also, I would suggest a number of improvements in your package:

- switch away from CDBS to debhelper, as this is the best-known helper
- change debian/copyright to parseable format 1.0
- switch to format "3.0 (quilt)" for your packaging
- use Git packaging, store that on Alioth, and add VCS fields
- run "wrap-and-sort" to have your (build-)dependencies written in a better way
- clean all these lintian warnings and errors (LOTS of them...)
- Add a Homepage field
- Bump Standards-Version (after checking it conforms to the latest Debian Policy Manual revision)

Last, some lintian outputs are very worrisome:

P: rabbitmq-server source: source-contains-prebuilt-java-object plugins-src/rabbitmq-mqtt/lib/junit.jar
P: rabbitmq-server source: source-contains-prebuilt-javascript-object plugins-src/rabbitmq-jsonrpc-channel/priv/www/jquery-1.3.2.min.js
E: rabbitmq-server source: source-is-missing plugins-src/rabbitmq-jsonrpc-channel/priv/www/jquery-1.3.2.min.js
P: rabbitmq-server source: source-contains-prebuilt-javascript-object plugins-src/rabbitmq-management/priv/www/js/ejs.js mean line length is about 12881 characters
E: rabbitmq-server source: source-is-missing plugins-src/rabbitmq-management/priv/www/js/ejs.js
P: rabbitmq-server source: source-contains-prebuilt-javascript-object plugins-src/rabbitmq-management/priv/www/js/excanvas.min.js
E: rabbitmq-server source: source-is-missing plugins-src/rabbitmq-management/priv/www/js/excanvas.min.js
P: rabbitmq-server source: source-contains-prebuilt-javascript-object plugins-src/rabbitmq-management/priv/www/js/jquery-1.6.4.min.js
E: rabbitmq-server source: source-is-missing plugins-src/rabbitmq-management/priv/www/js/jquery-1.6.4.min.js
P: rabbitmq-server source: source-contains-prebuilt-javascript-object plugins-src/rabbitmq-management/priv/www/js/jquery.flot.min.js
E: rabbitmq-server source: source-is-missing plugins-src/rabbitmq-management/priv/www/js/jquery.flot.min.js
P: rabbitmq-server source: source-contains-prebuilt-javascript-object plugins-src/rabbitmq-management/priv/www/js/jquery.flot.time.min.js
E: rabbitmq-server source: source-is-missing plugins-src/rabbitmq-management/priv/www/js/jquery.flot.time.min.js
P: rabbitmq-server source: source-contains-prebuilt-javascript-object plugins-src/rabbitmq-management/priv/www/js/sammy-0.6.0.min.js
E: rabbitmq-server source: source-is-missing plugins-src/rabbitmq-management/priv/www/js/sammy-0.6.0.min.js
P: rabbitmq-server source: source-contains-prebuilt-javascript-object plugins-src/rabbitmq-management-visualiser/priv/www/visualiser/js/glMatrix-min.js
E: rabbitmq-server source: source-is-missing plugins-src/rabbitmq-management-visualiser/priv/www/visualiser/js/glMatrix-min.js
I: rabbitmq-server: package-contains-empty-directory usr/lib/erlang/lib/

The above *MUST* be addressed (and no, waiting another 6 months for fixing that isn't an option, as you may risk having your package removed from Debian as it has sourceless files). I would also strongly advise that you use the system's jquery library rather than any random version shipped with your source code (though I'm not sure if your package really is using these embedded versions, but if it does, that's very bad security wise).

I hope the above helps. I'm available if you need help or anything.

Cheers,

Thomas Goirand (zigo)
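As an added example, not part of Thomas's NMU or of the rabbitmq-server package, here is a POSIX sh audit-and-fix helper for servers that were installed before this change, which the postinst above deliberately leaves alone. It assumes rabbitmq-env.conf is sourced as shell by the start-up script (so the last assignment of a variable wins) and that a missing, empty or non-loopback RABBITMQ_NODE_IP_ADDRESS means the broker listens on all interfaces.

```shell
#!/bin/sh
# Added example (not from the NMU or the package): audit an existing
# /etc/rabbitmq/rabbitmq-env.conf for the loopback-only binding that the
# postinst in the debdiff only writes on a fresh install.

# Print the effective RABBITMQ_NODE_IP_ADDRESS from a config file (last
# assignment wins, as in a sourced shell file); prints nothing if unset.
node_ip_address() {
    conf="$1"
    [ -r "$conf" ] || return 0
    grep -E '^[[:space:]]*RABBITMQ_NODE_IP_ADDRESS=' "$conf" \
        | tail -n 1 | cut -d= -f2- \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]"]//g' -e "s/'//g"
}

# 0 if the node is pinned to a loopback address, 1 if it would listen on
# every interface (unset, empty, 0.0.0.0, :: or any non-loopback address).
binds_loopback_only() {
    case "$(node_ip_address "$1")" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Remediation for already-installed servers: append the loopback setting
# only when no RABBITMQ_NODE_IP_ADDRESS line exists at all. An explicit
# non-loopback value is reported and left alone so the admin can decide.
pin_to_loopback() {
    conf="$1"
    if binds_loopback_only "$conf"; then
        return 0
    elif [ -n "$(node_ip_address "$conf")" ]; then
        echo "$conf: RABBITMQ_NODE_IP_ADDRESS is non-loopback; not changed" >&2
        return 1
    fi
    mkdir -p "$(dirname "$conf")"
    echo "RABBITMQ_NODE_IP_ADDRESS=127.0.0.1" >>"$conf"
    binds_loopback_only "$conf"
}

# Usage on a real host (needs root): pin_to_loopback /etc/rabbitmq/rabbitmq-env.conf
```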
diff -u rabbitmq-server-3.2.4/debian/changelog rabbitmq-server-3.2.4/debian/changelog --- rabbitmq-server-3.2.4/debian/changelog +++ rabbitmq-server-3.2.4/debian/changelog @@ -1,3 +1,16 @@ +rabbitmq-server (3.2.4-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Bind on 127.0.0.1 by default, to avoid listening on all ipv6 interface with + guest/guest as default configured user. Note that this only fixes *new* + installation, and that any already existing setup will have to edit the + /etc/rabbitmq/rabbitmq-env.conf manually if affected. (Closes: #727607) + * Removed useless and deprecated DM-Upload field. + * Cleans plugins-src/rabbitmq-server to be able to build twice. Also cleans + debian/postrm which is generated from debian/postrm.in and plugins/README. + + -- Thomas Goirand <z...@debian.org> Mon, 31 Mar 2014 06:11:46 +0000 + rabbitmq-server (3.2.4-1) unstable; urgency=low * New upstream release diff -u rabbitmq-server-3.2.4/debian/postinst rabbitmq-server-3.2.4/debian/postinst --- rabbitmq-server-3.2.4/debian/postinst +++ rabbitmq-server-3.2.4/debian/postinst @@ -39,6 +39,14 @@ [ ! -f /etc/rabbitmq/rabbitmq-env.conf ]; then mv /etc/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq-env.conf fi + if [ -z "${2}" ] ; then + if ! [ -e /etc/rabbitmq/rabbitmq-env.conf ] ; then + if ! [ -d /etc/rabbitmq ] ; then + mkdir -p /etc/rabbitmq + fi + echo "RABBITMQ_NODE_IP_ADDRESS=127.0.0.1" >/etc/rabbitmq/rabbitmq-env.conf + fi + fi ;; abort-upgrade|abort-remove|abort-deconfigure) diff -u rabbitmq-server-3.2.4/debian/rules rabbitmq-server-3.2.4/debian/rules --- rabbitmq-server-3.2.4/debian/rules +++ rabbitmq-server-3.2.4/debian/rules @@ -22,0 +23,3 @@ + +clean:: + rm -f plugins-src/rabbitmq-server debian/postrm plugins/README diff -u rabbitmq-server-3.2.4/debian/control rabbitmq-server-3.2.4/debian/control --- rabbitmq-server-3.2.4/debian/control +++ rabbitmq-server-3.2.4/debian/control 
@@ -3,7 +3,6 @@ Priority: extra Maintainer: RabbitMQ Team <packag...@rabbitmq.com> Uploaders: Emile Joubert <em...@rabbitmq.com> -DM-Upload-Allowed: yes Build-Depends: cdbs, debhelper (>= 5), erlang-dev, python-simplejson, xmlto, xsltproc, erlang-nox (>= 1:13.b.3), erlang-src (>= 1:13.b.3), unzip, zip Standards-Version: 3.9.2
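Review bot: in the debian/changelog hunk, the entry correctly states that only new installations are fixed and that existing setups must edit /etc/rabbitmq/rabbitmq-env.conf by hand, but nothing in the upload tells those admins so at upgrade time; a debian/NEWS entry (shown by apt-listchanges) or a short notice printed from postinst when "$2" is non-empty would make the upgrade path visible to the people who are still exposed.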
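Review bot: in the debian/postinst hunk, /etc/rabbitmq/rabbitmq-env.conf is created by the maintainer script rather than shipped as a conffile, so make sure the generated postrm removes it on purge; otherwise a purge-and-reinstall leaves an old file in place, the `! [ -e ... ]` guard then keeps whatever it said, and the loopback default is never applied. The `if ! [ -d /etc/rabbitmq ]` test around `mkdir -p /etc/rabbitmq` is redundant, since `mkdir -p` already succeeds on an existing directory and can be called unconditionally.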
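Review bot: in the debian/rules hunk, `rm -f plugins-src/rabbitmq-server debian/postrm plugins/README` only removes regular files and symlinks; if the build creates plugins-src/rabbitmq-server as a directory rather than a symlink, the `clean::` hook silently leaves it behind and the package still will not build twice, so it is worth confirming what the build actually puts there (and using `rm -rf` for that path only if it really is a directory).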