Your message dated Sun, 15 Jan 2017 23:02:55 +0000
with message-id <e1cstp9-000ezs...@fasolo.debian.org>
and subject line Bug#849849: fixed in rabbitmq-server 3.3.5-1.1+deb8u1
has caused the Debian Bug report #849849,
regarding rabbitmq-server: CVE-2016-9877
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
849849: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rabbitmq-server
Version: 3.6.5-1
Severity: grave
Tags: upstream security
Justification: user security hole
Hi,
the following vulnerability was published for rabbitmq-server.
CVE-2016-9877[0]:
| An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
| before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before
| 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport)
| connection authentication with a username/password pair succeeds if an
| existing username is provided but the password is omitted from the
| connection request. Connections that use TLS with a client-provided
| certificate are not affected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9877
[1] https://github.com/rabbitmq/rabbitmq-mqtt/pull/98
[2] https://github.com/rabbitmq/rabbitmq-mqtt/issues/96
Please adjust the affected versions in the BTS as needed. I was only
able to check the vulnerability source-wise for 3.6.5 in unstable;
older versions have not been checked so far.
Regards,
Salvatore
--- End Message ---
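The authentication condition quoted from the CVE text, as an added example that is not part of the bug report or of RabbitMQ's code: a minimal MQTT 3.1.1 CONNECT parser with a model of the flawed check beside the corrected one. The user table, the two packets and all function names are constructed for this illustration.

```python
# Constructed model of the CVE-2016-9877 condition (not RabbitMQ's own code): parse a
# minimal MQTT 3.1.1 CONNECT and reject a known username sent without a password.
import hmac
import struct

USERS = {"sensor01": "s3cret"}  # constructed user table, plaintext to keep it short

def _read_string(buf, pos):
    """Read one MQTT length-prefixed UTF-8 string at pos; return (value, next pos)."""
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    return buf[pos:pos + length].decode("utf-8"), pos + length

def parse_connect(packet):
    """Return (client_id, username, password); None where the connect flag is clear.
    Assumes a one-byte remaining-length field, i.e. a packet under 128 bytes."""
    if packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    pos = 2                                  # packet type + remaining length
    name, pos = _read_string(packet, pos)    # protocol name, "MQTT" for 3.1.1
    if name != "MQTT" or packet[pos] != 4:
        raise ValueError("unsupported protocol")
    flags = packet[pos + 1]                  # bit7 username, bit6 password, bit2 will
    pos += 4                                 # level (1) + flags (1) + keep-alive (2)
    client_id, pos = _read_string(packet, pos)
    if flags & 0x04:                         # will flag set: skip will topic and message
        _, pos = _read_string(packet, pos)
        _, pos = _read_string(packet, pos)
    username = password = None
    if flags & 0x80:
        username, pos = _read_string(packet, pos)
    if flags & 0x40:
        password, pos = _read_string(packet, pos)
    return client_id, username, password

def vulnerable_auth(username, password):
    """Models the flaw as the advisory describes it: known user, no password -> accepted."""
    if username not in USERS:
        return False
    return password is None or password == USERS[username]

def hardened_auth(username, password):
    """Corrected check: a missing password is a failure; comparison is constant-time."""
    if username not in USERS or password is None:
        return False
    return hmac.compare_digest(password.encode(), USERS[username].encode())
# Constructed packets: username only (flags 0x82) and username + password (flags 0xC2).
NO_PASSWORD = b"\x10\x18\x00\x04MQTT\x04\x82\x00\x3c\x00\x02c1\x00\x08sensor01"
WITH_PASSWORD = b"\x10\x20\x00\x04MQTT\x04\xc2\x00\x3c\x00\x02c1\x00\x08sensor01\x00\x06s3cret"
```

Feeding `NO_PASSWORD` through `parse_connect` and then `hardened_auth` is the broker-side check a patched server must perform; logging that rejection is also a cheap detection signal for clients probing this condition.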
--- Begin Message ---
Source: rabbitmq-server
Source-Version: 3.3.5-1.1+deb8u1
We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 849...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated rabbitmq-server package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 11 Jan 2017 02:17:32 +0100
Source: rabbitmq-server
Binary: rabbitmq-server
Architecture: source all
Version: 3.3.5-1.1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: RabbitMQ Team <packag...@rabbitmq.com>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
rabbitmq-server - AMQP server written in Erlang
Closes: 849849
Changes:
rabbitmq-server (3.3.5-1.1+deb8u1) jessie-security; urgency=medium
.
* CVE-2016-9877: apply backported upstream patch (Closes: #849849).
--- End Message ---