Your message dated Wed, 13 Dec 2023 07:04:51 +0000
with message-id <e1rdjiz-009xcd...@fasolo.debian.org>
and subject line Bug#1056723: fixed in rabbitmq-server 3.8.9-3+deb11u1
has caused the Debian Bug report #1056723,
regarding rabbitmq-server: CVE-2023-46118
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1056723: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056723
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rabbitmq-server
Version: 3.10.8-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rabbitmq/rabbitmq-server/pull/9708
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for rabbitmq-server.
CVE-2023-46118[0]:
| RabbitMQ is a multi-protocol messaging and streaming broker. The HTTP
| API did not enforce an HTTP request body limit, making it vulnerable
| to denial of service (DoS) attacks with very large messages. An
| authenticated user with sufficient credentials can publish very
| large messages over the HTTP API and cause the target node to be
| terminated by an "out-of-memory killer"-like mechanism. This
| vulnerability has been patched in versions 3.11.24 and 3.12.7.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-46118
    https://www.cve.org/CVERecord?id=CVE-2023-46118
[1] https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
[2] https://github.com/rabbitmq/rabbitmq-server/pull/9708
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rabbitmq-server
Source-Version: 3.8.9-3+deb11u1
Done: Thomas Goirand <z...@debian.org>
We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1056...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated rabbitmq-server package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 27 Nov 2023 09:21:56 +0100
Source: rabbitmq-server
Architecture: source
Version: 3.8.9-3+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1056723
Changes:
rabbitmq-server (3.8.9-3+deb11u1) bullseye-security; urgency=medium
.
  * CVE-2023-46118: Denial of Service by publishing large messages over the
    HTTP API. Applied upstream patches that introduce a limit of 10MB:
    - Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch
    - Introduce_HTTP_request_body_limit_for_definition_uploads.patch
    (Closes: #1056723).
Checksums-Sha1:
 8079f2ea54548419a6883cbcc52c5eb88fe41410 2696 rabbitmq-server_3.8.9-3+deb11u1.dsc
 dc945062816536124f0c2d6ac32d15c61d0b2f2a 3074468 rabbitmq-server_3.8.9.orig.tar.xz
 cea2ca8c33db72c6fe2ddc3fd3d4b1b4ab79d841 24012 rabbitmq-server_3.8.9-3+deb11u1.debian.tar.xz
 97146e1140a47b954eb35d05016ce05c05e37f85 8789 rabbitmq-server_3.8.9-3+deb11u1_amd64.buildinfo
Checksums-Sha256:
 01868179878a56c64c08ef930c5b52e587be486390481c7d40f05ab6b246aae8 2696 rabbitmq-server_3.8.9-3+deb11u1.dsc
 1b4b764e2f1af29b464b3354f85d360fd505a1b10cb7155fc90816921315452c 3074468 rabbitmq-server_3.8.9.orig.tar.xz
 0aa4eb763150e458df6e2cb51ab22bc3dd51e0193f9cac8e020476bafb13a5f4 24012 rabbitmq-server_3.8.9-3+deb11u1.debian.tar.xz
 6b4445c57c8a2c587fb4b834105aae25f7811c3ccf7c1ef7ae759f85c4a3b6bd 8789 rabbitmq-server_3.8.9-3+deb11u1_amd64.buildinfo
Files:
 d9c7f16e6248b7d939c968ba47c78330 2696 net optional rabbitmq-server_3.8.9-3+deb11u1.dsc
 15ac61eb000efd9c76c11fd886dd8035 3074468 net optional rabbitmq-server_3.8.9.orig.tar.xz
 e80b2d92d560e86cb36c20622cb7ba23 24012 net optional rabbitmq-server_3.8.9-3+deb11u1.debian.tar.xz
 b03514a546c8129e840701802c88370b 8789 net optional rabbitmq-server_3.8.9-3+deb11u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
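The fix described in the changelog above is a request-body size limit on the HTTP API. The following is an added example, not RabbitMQ code or the Debian patch, that contrasts the vulnerable pattern (buffer the whole body, memory bounded only by what the client sends) with the hardened one (reject on a declared Content-Length above the limit, then still count bytes while streaming, because the header can be absent or lie). The 10 MiB figure is taken from the changelog; the function names, the 413 mapping and the sample bodies are constructed for this illustration.

```python
"""Streaming HTTP request-body limit, illustrating the class of fix applied
for CVE-2023-46118. Added example; not RabbitMQ's implementation."""
import io

DEFAULT_LIMIT = 10 * 1024 * 1024  # 10 MiB, the limit the Debian patch applies
CHUNK = 64 * 1024                 # read granularity; at most limit + CHUNK is buffered


class BodyTooLarge(Exception):
    def __init__(self, limit, seen):
        super().__init__(f"request body exceeds {limit} bytes (read {seen})")
        self.limit = limit
        self.seen = seen


def read_body_unbounded(stream):
    """Vulnerable pattern: buffer everything the client sends.
    Peak memory equals the body size the attacker chooses."""
    return stream.read()


def read_body_limited(stream, content_length=None, limit=DEFAULT_LIMIT):
    """Hardened pattern.

    1. Cheap early rejection when the client declares a Content-Length above
       the limit. This is only a hint: the header may be missing (chunked
       transfer) or understate the real size.
    2. Read in fixed chunks and abort as soon as the running total passes
       the limit, so an oversized body is never fully materialised.
    """
    if content_length is not None and content_length > limit:
        raise BodyTooLarge(limit, 0)
    buf = io.BytesIO()
    seen = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        seen += len(chunk)
        if seen > limit:
            raise BodyTooLarge(limit, seen)
        buf.write(chunk)
    return buf.getvalue()


def handle_publish(stream, content_length=None, limit=DEFAULT_LIMIT):
    """Hypothetical API handler: map the outcome to an HTTP status.
    Returns (413, None) for an oversized body instead of letting the
    process grow until the OOM killer terminates the node."""
    try:
        body = read_body_limited(stream, content_length, limit)
    except BodyTooLarge:
        return 413, None
    return 200, body


def sample_body(size):
    """Constructed request body of the given size (not real traffic)."""
    return io.BytesIO(b"x" * size)


if __name__ == "__main__":
    status, _ = handle_publish(sample_body(DEFAULT_LIMIT + 1))
    print("oversized body, no Content-Length ->", status)
    status, _ = handle_publish(sample_body(DEFAULT_LIMIT + 1), content_length=1024)
    print("oversized body, understated Content-Length ->", status)
    status, body = handle_publish(sample_body(DEFAULT_LIMIT), content_length=DEFAULT_LIMIT)
    print("body exactly at limit ->", status, len(body))
```

The second case is the one that matters in practice: a Content-Length check alone is not a fix, since a client can declare a small length and keep sending, or omit the header entirely with chunked encoding. Only counting the bytes actually read bounds memory.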