Your message dated Wed, 17 Dec 2014 06:18:50 +0000
with message-id <e1y17wg-0007dp...@franck.debian.org>
and subject line Bug#773134: fixed in rabbitmq-server 3.3.5-1.1
has caused the Debian Bug report #773134,
regarding rabbitmq_management incorrectly trusts 'X-Forwarded-For' header
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rabbitmq-server
Version: 3.3.5-1
Severity: serious


RabbitMQ 3.3.0 introduced a mechanism (the 'loopback_users'
configuration item) allowing access for some users to be restricted to
only connect via localhost. By default the "guest" user is restricted in
this way.

Unfortunately, the HTTP framework used by the management plugin trusts
the easily-forged 'X-Forwarded-For' header when determining the remote
address. It is therefore possible to subvert this access control
mechanism for the HTTP API. Attackers would still need to know or guess
the username and password.

The above text was taken from:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM

--- End Message ---
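The access-control flaw described in the report above, illustrated as an added Python example that is not RabbitMQ's own code (the management plugin is Erlang): a naive address resolver that believes X-Forwarded-For from any peer beside a hardened one that uses the TCP peer address unless that peer is a known reverse proxy. The hardened variant generalizes the Debian fix, which simply stopped honouring the header; the trusted proxy address, the sample peer addresses and the loopback_users set are constructed for the example.

```python
import ipaddress

# Constructed values for the example: RabbitMQ's default loopback_users
# contains "guest"; the proxy address is an assumption for this demo.
LOOPBACK_USERS = {"guest"}
TRUSTED_PROXIES = {"10.0.0.5"}


def naive_remote_address(peer_ip, headers):
    """Flawed: derive the client address from X-Forwarded-For from anyone."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def hardened_remote_address(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Use the TCP peer address unless the peer is a trusted reverse proxy.

    A single trusted proxy appends the client it saw as the last entry, so
    only the rightmost X-Forwarded-For value is taken, and only if it parses.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return peer_ip
    candidate = xff.split(",")[-1].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip
    return candidate


def login_permitted(user, addr, loopback_users=LOOPBACK_USERS):
    """loopback_users semantics: listed users may connect only from localhost."""
    if user not in loopback_users:
        return True
    return ipaddress.ip_address(addr).is_loopback


if __name__ == "__main__":
    # Constructed request: a remote peer presenting a loopback address in the header.
    peer, hdrs = "203.0.113.7", {"X-Forwarded-For": "127.0.0.1"}
    print("naive   :", login_permitted("guest", naive_remote_address(peer, hdrs)))
    print("hardened:", login_permitted("guest", hardened_remote_address(peer, hdrs)))
```

Running the demo shows the naive resolver admits "guest" for the remote peer while the hardened one refuses it.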
--- Begin Message ---
Source: rabbitmq-server
Source-Version: 3.3.5-1.1

We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Kraai <kr...@debian.org> (supplier of updated rabbitmq-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 14 Dec 2014 14:51:41 -0800
Source: rabbitmq-server
Binary: rabbitmq-server
Architecture: source all
Version: 3.3.5-1.1
Distribution: testing-proposed-updates
Urgency: medium
Maintainer: RabbitMQ Team <packag...@rabbitmq.com>
Changed-By: Matt Kraai <kr...@debian.org>
Description:
 rabbitmq-server - AMQP server written in Erlang
Closes: 773134
Changes:
 rabbitmq-server (3.3.5-1.1) testing-proposed-updates; urgency=medium
 .
   * Non-maintainer upload.
   * Do not trust X-Forwarded-For (Closes: #773134).


--- End Message ---