Your message dated Wed, 02 Apr 2014 07:33:25 +0000
with message-id <e1wvffp-00040q...@franck.debian.org>
and subject line Bug#727607: fixed in rabbitmq-server 3.2.4-1.1
has caused the Debian Bug report #727607,
regarding RabbitMQ allows anyone to connect by default over IPv6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
727607: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727607
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rabbitmq-server
Version: 3.2.0-1
Severity: critical
Hi,
I reported this to the maintainer, and to the security team a *very*
long time ago, though it seems to be that nothing has been done to
address this issue. As I have already discussed this publicly, and
I am documenting it on the OpenStack doc, I think it is time to do
this public bug report.
By default, the RabbitMQ server package allows anyone to connect with
the login guest, and password guest. Over IPv4, that's not a problem,
since that's only possible through localhost. However, if a server is
using IPv6, the rabbitmq-server binds on it, and it is reachable from
the outside.
I can only guess what type of consequences this means. From bad
security for those who use the server in production, to a nasty DoS
of the system itself through resource starvation (message flooding).
I would strongly recommend that the rabbitmq-server package does
at least one of the following (by order of preference, and one option not
excluding another):
1/ Prompt for the default password change through debconf
2/ Do not bind on IPv6 by default (just only on ::1)
3/ Do not start if the default guest account has guest as password
Cheers,
Thomas Goirand (zigo)
--- End Message ---
--- Begin Message ---
Source: rabbitmq-server
Source-Version: 3.2.4-1.1
We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 727...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated rabbitmq-server package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 31 Mar 2014 06:11:46 +0000
Source: rabbitmq-server
Binary: rabbitmq-server
Architecture: source all
Version: 3.2.4-1.1
Distribution: unstable
Urgency: high
Maintainer: RabbitMQ Team <packag...@rabbitmq.com>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
rabbitmq-server - AMQP server written in Erlang
Closes: 727607
Changes:
rabbitmq-server (3.2.4-1.1) unstable; urgency=high
.
* Non-maintainer upload.
* Bind on 127.0.0.1 by default, to avoid listening on all IPv6 interfaces with
guest/guest as default configured user. Note that this only fixes *new*
installations, and that any already existing setup will have to edit the
/etc/rabbitmq/rabbitmq-env.conf manually if affected. (Closes: #727607)
* Removed useless and deprecated DM-Upload field.
* Cleans plugins-src/rabbitmq-server to be able to build twice. Also cleans
debian/postrm which is generated from debian/postrm.in and plugins/README.
--- End Message ---
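An audit helper for the exposure described in the report and for the remedy the changelog gives for existing installs (setting the bind address in /etc/rabbitmq/rabbitmq-env.conf), written as an added example and not taken from the package or the bug thread. It assumes the standard `NODE_IP_ADDRESS` variable of rabbitmq-env.conf and that, when the variable is unset, the broker listens on the wildcard address; the sample file contents are constructed.

```python
import ipaddress
import re

# Constructed sample rabbitmq-env.conf contents (not from the package).
# Weak: NODE_IP_ADDRESS is unset, so the broker listens on every interface,
# IPv6 ones included, which is the exposure the report describes.
WEAK_ENV_CONF = "# rabbitmq-env.conf\nNODE_PORT=5672\n"

# Fixed: the loopback-only default that the 3.2.4-1.1 upload installs.
FIXED_ENV_CONF = "# rabbitmq-env.conf\nNODE_IP_ADDRESS=127.0.0.1\nNODE_PORT=5672\n"

# Accepts both the bare and the RABBITMQ_-prefixed spelling of the variable.
_ASSIGN = re.compile(r'^\s*(?:export\s+)?(?:RABBITMQ_)?NODE_IP_ADDRESS=(.*)$')

def bind_address(conf_text):
    """Return the configured bind address, or None if the file never sets one.
    The file is sourced by the shell, so the last assignment wins."""
    value = None
    for line in conf_text.splitlines():
        m = _ASSIGN.match(line.split('#', 1)[0].rstrip())  # drop trailing comments
        if m:
            value = m.group(1).strip().strip('"\'')
    return value or None

def assess(conf_text):
    """Classify exposure as 'all-interfaces', 'loopback' or 'specific'."""
    addr = bind_address(conf_text)
    if addr is None:
        return 'all-interfaces'      # unset: the broker binds the wildcard address
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return 'specific'            # a hostname: needs a manual look
    if ip.is_unspecified:            # 0.0.0.0 or :: also mean every interface
        return 'all-interfaces'
    return 'loopback' if ip.is_loopback else 'specific'

def harden(conf_text, address='127.0.0.1'):
    """Return the conf text pinned to a loopback bind, keeping every other line.
    Existing NODE_IP_ADDRESS lines are dropped so the new setting is the last word."""
    kept = [l for l in conf_text.splitlines() if not _ASSIGN.match(l)]
    kept.append(f'NODE_IP_ADDRESS={address}')
    return '\n'.join(kept) + '\n'
```

Running `assess` over the real file tells an administrator of a pre-3.2.4-1.1 install whether the manual edit the changelog asks for is still needed; `harden` produces the edited file (pass `'::1'` to keep IPv6 loopback instead, the report's option 2).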