Your message dated Tue, 03 Jan 2017 09:50:05 +0000
with message-id <e1coljj-000hh0...@fasolo.debian.org>
and subject line Bug#849849: fixed in rabbitmq-server 3.6.6-1
has caused the Debian Bug report #849849,
regarding rabbitmq-server: CVE-2016-9877
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
849849: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rabbitmq-server
Version: 3.6.5-1
Severity: grave
Tags: upstream security
Justification: user security hole
Hi,
the following vulnerability was published for rabbitmq-server.
CVE-2016-9877[0]:
| An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
| before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before
| 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport)
| connection authentication with a username/password pair succeeds if an
| existing username is provided but the password is omitted from the
| connection request. Connections that use TLS with a client-provided
| certificate are not affected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9877
[1] https://github.com/rabbitmq/rabbitmq-mqtt/pull/98
[2] https://github.com/rabbitmq/rabbitmq-mqtt/issues/96
Please adjust the affected versions in the BTS as needed. I was only
able to check the vulnerability sourcewise for 3.6.5 in unstable;
older versions have not been checked so far.
Regards,
Salvatore
--- End Message ---
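The report above describes an authentication check that passes when a known username arrives with no password field. The following is an added example, not code from the Debian report, from rabbitmq-mqtt or from upstream pull request #98: it decodes an MQTT 3.1.1 CONNECT packet (connect-flag bit 7 = username present, bit 6 = password present), shows a deliberately lenient checker that models the flaw class, and beside it a strict checker that refuses any username/password login with the password absent. The two CONNECT packets, the user table, the salt and the digest scheme are all constructed for the illustration; the function names are hypothetical.

```python
# Added example (not from the Debian report or RabbitMQ): parse an MQTT 3.1.1
# CONNECT packet and apply a credential check that refuses a username
# without a password, the failure mode CVE-2016-9877 describes.
import hashlib
import hmac
import struct
from typing import Callable, Dict, Optional


def _read_utf8(buf: bytes, pos: int):
    """Read an MQTT length-prefixed UTF-8 string at pos; return (str, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_connect(packet: bytes) -> Dict[str, Optional[str]]:
    """Decode the CONNECT variable header and payload (MQTT 3.1.1, no will)."""
    if packet[0] & 0xF0 != 0x10:
        raise ValueError("not a CONNECT packet")
    # Remaining length is a variable-length integer of 1 to 4 bytes.
    pos, remaining, mult = 1, 0, 1
    while True:
        b = packet[pos]
        pos += 1
        remaining += (b & 0x7F) * mult
        mult *= 128
        if not b & 0x80:
            break
    body = packet[pos:pos + remaining]
    pos = 0
    name, pos = _read_utf8(body, pos)
    if name != "MQTT" or body[pos] != 4:
        raise ValueError("unsupported protocol")
    flags = body[pos + 1]
    pos += 4                      # protocol level + flags + 2-byte keep-alive
    has_user = bool(flags & 0x80)
    has_pass = bool(flags & 0x40)
    if flags & 0x04:
        raise ValueError("will flag not handled in this example")
    if has_pass and not has_user:
        raise ValueError("password flag without username flag is a protocol error")
    client_id, pos = _read_utf8(body, pos)
    username = password = None
    if has_user:
        username, pos = _read_utf8(body, pos)
    if has_pass:
        password, pos = _read_utf8(body, pos)
    return {"client_id": client_id, "username": username, "password": password}


# Constructed user database for the example: username -> salted SHA-256 digest.
SALT = b"example-salt"


def _digest(pw: str) -> bytes:
    return hashlib.sha256(SALT + pw.encode("utf-8")).digest()


USERS = {"guest": _digest("guest")}


def authenticate_lenient(creds: Dict[str, Optional[str]], users=USERS) -> bool:
    """Sketch of the flaw class: an existing username is accepted when the
    password field is absent. Illustrative only, not RabbitMQ's code."""
    if creds["username"] not in users:
        return False
    if creds["password"] is None:
        return True           # the hole: absent password means no check at all
    return hmac.compare_digest(users[creds["username"]], _digest(creds["password"]))


def authenticate_strict(creds: Dict[str, Optional[str]], users=USERS) -> bool:
    """Hardened check: a username/password login needs both fields, non-empty."""
    user, pw = creds["username"], creds["password"]
    if user is None or pw is None or pw == "":
        return False
    expected = users.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _digest(pw))


# Two constructed CONNECT packets (client id "c1", username "guest").
CONNECT_WITH_PASSWORD = (
    b"\x10\x1c"                 # CONNECT, remaining length 28
    b"\x00\x04MQTT\x04"         # protocol name, protocol level 4
    b"\xc2"                     # flags: username, password, clean session
    b"\x00\x3c"                 # keep-alive 60 s
    b"\x00\x02c1"               # client id
    b"\x00\x05guest"            # username
    b"\x00\x05guest"            # password
)
CONNECT_WITHOUT_PASSWORD = (
    b"\x10\x15"                 # CONNECT, remaining length 21
    b"\x00\x04MQTT\x04"
    b"\x82"                     # flags: username, clean session; no password
    b"\x00\x3c"
    b"\x00\x02c1"
    b"\x00\x05guest"
)


def check(packet: bytes, checker: Callable[[Dict[str, Optional[str]]], bool]) -> bool:
    """Parse a CONNECT packet and run it through the given credential check."""
    return checker(parse_connect(packet))


if __name__ == "__main__":
    for label, pkt in (("with password", CONNECT_WITH_PASSWORD),
                       ("without password", CONNECT_WITHOUT_PASSWORD)):
        print(f"{label}: lenient={check(pkt, authenticate_lenient)} "
              f"strict={check(pkt, authenticate_strict)}")
```

The strict checker treats "password field absent" and "password empty" the same way, as a refusal; a broker that wants to allow password-less logins for some identity source (the report notes TLS client-certificate connections are unaffected) should route them to that source explicitly rather than falling through a username/password check with the password unset.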
--- Begin Message ---
Source: rabbitmq-server
Source-Version: 3.6.6-1
We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 849...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Kobližek <kobliz...@gmail.com> (supplier of updated rabbitmq-server package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 02 Jan 2017 15:49:03 +0100
Source: rabbitmq-server
Binary: rabbitmq-server
Architecture: source
Version: 3.6.6-1
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Ondřej Kobližek <kobliz...@gmail.com>
Description:
rabbitmq-server - AMQP server written in Erlang
Closes: 849849
Changes:
rabbitmq-server (3.6.6-1) unstable; urgency=medium
.
[ Ondřej Nový ]
* Team upload.
* New upstream release (Closes: #849849, CVE-2016-9877)
* d/copyright: Fixed for new release
* d/ocf: Removed, use upstream one
Checksums-Sha1:
ef9ba3a151c5eb4a6fd5cf0b5aef987f49bb1be3 2199 rabbitmq-server_3.6.6-1.dsc
fc6dbb566981e7810c14fe04521bed2acc3f85ca 2471724 rabbitmq-server_3.6.6.orig.tar.xz
357a29ac1d066a73551024b50dc329af3cea8409 16640 rabbitmq-server_3.6.6-1.debian.tar.xz
Checksums-Sha256:
c944d1cc53d5c18b6518057bc830e71ef53dcbfddd9f7340a71fed3ae8a1987d 2199 rabbitmq-server_3.6.6-1.dsc
395689bcf57fd48aed452fcd43ff9a992de40067d3ea5c44e14680d69db7b78e 2471724 rabbitmq-server_3.6.6.orig.tar.xz
15eed57ad4fa55a54e2e89a1d298cae958c22ef718752794c0993366566e3a76 16640 rabbitmq-server_3.6.6-1.debian.tar.xz
Files:
a596792473d95713416f746eee10acf9 2199 net extra rabbitmq-server_3.6.6-1.dsc
138e334d3b5565aa4bce2a1e5b3a913c 2471724 net extra rabbitmq-server_3.6.6.orig.tar.xz
be407a291e60b38e3a1b0662991fa182 16640 net extra rabbitmq-server_3.6.6-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEPZg8UuuFmAxGpWCQNXMSVZ0eBksFAlhrcL0ACgkQNXMSVZ0e
BkssVA//VIjBzDuHVQnM9L7b6CTvepXrBbw3UufsoHhGz9FzBOrQL9pooMWayc3+
AW+05wPpnz9zoMjXnOGau5Fg8/LlSecx8kd+gmn+Wn+XMeiEabIFmu/x+1BObs2c
V8yMrIrllhPraBf4+Wia+XV7s3n8yzwZvgkKGNwQTmiaNKL0GAlb3jFhm3CmKfFZ
PJTnZU8DE207Y8adDepfCl1P01MrirguPNu5hBBD9Lp8gEl7W/5NozBz//m4OjIB
f54TayhRNovpVyCXCMY6mJ5XAVm+7f3bLA8Azp9wTC3GnU0cFCIxtWx43Hdne6W4
SZBMcNfMiEQY3x5VSgHhP26fmSo5e6vP5Akzw/lXd6/bDmi2lvQLFlBunsIs6Rtu
Q5Zou02hVQ63F5za79SeEeDB+H88U36gzAs2MRTWJe9pq4shteO7isHNvWp9K6Y+
hklvdCfKlfWHTYmfEVt8q/k59FUiJ/l3ZXyo2EfkbGNMADGNxMK8JxiQ2XEJK+a0
5Te1bUalT48Qu6vQCuqjPBNOUiK890BHlkGy5893+Sf0ySKSlb3UTBDtx7Ttzjbg
RNyXl5p/WKKC9XQ7kSqEdOygKjV+p57ZTkrTpmudblhOFSL4pAFui5uDFAE5Aqse
IaKiJe0ENK9uTknyC1i+4CZtklDnuVr8vK/tmKscoWd76tJNr4I=
=EGbz
-----END PGP SIGNATURE-----
--- End Message ---