Hello, the following is based on the publicly available information as present on / linked to from <https://security-tracker.debian.org/tracker/CVE-2023-35789>.
On Mon, Dec 09, 2024 at 03:20:03PM +0000, P Tamil Selvam wrote:

> We are currently using Debian Bookworm 12.8 and have identified a
> vulnerability issue with the librabbitmq package. Could you please
> confirm if there is an ETA for a fix or update to address this in an
> upcoming Bookworm release?

By its very nature (cf. the detailed description as linked above), this vulnerability cannot be fixed with a drop-in replacement while keeping the current user interface: if credentials have been entered on the command line, they will remain visible to other local users on the same system unless special precautions are taken.

For that reason I have refrained from backporting the upstream patch to Bookworm so far, because applying that patch would not fix those systems where people have already configured / keep using amqp tools in that way. Instead people would also need to individually fix their setups to use the new command line option that the upstream patch adds. Changing interfaces in a stable release needs to be done with great care. Given that this vulnerability is actually only of minor importance, there was no pressing need to do so.

> Additionally, if there are any available workarounds or interim
> solutions, kindly share those as well.

First of all, for this vulnerability to actually take effect, you'd need to have a multi-user system running (i.e. a shared system without any compartmentalization and with the option to execute arbitrary commands) where people can actually view other people's process arguments (i.e. no "hidepid" or PID namespaces in containers or such in effect) and where the amqp tools are actually used (i.e. publishing and consuming messages using the AMQP client binaries as opposed to via some language bindings).

This provides quite some angles for workarounds.

HTH,
Flo
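An added audit script in POSIX sh, not part of the message above and not code from the Debian package or the rabbitmq-c project: it checks the two conditions Flo names for the exposure to be possible, credentials in the argument vector of the amqp tools and /proc readable across users (no hidepid). The --password and --url options of amqp-tools and the procfs hidepid mount option are assumptions not stated on the page, and the sample argument vectors and mount lines are constructed.

```shell
#!/bin/sh
# Added example (not code from the Debian package or upstream rabbitmq-c): a
# read-only audit for credentials in the argv of the amqp tools and for /proc
# being readable across users. Assumes the amqp-tools options --password and
# --url and the procfs "hidepid" mount option; all sample inputs are constructed.

# argv joined with "|" (standing in for the NUL separators of /proc/PID/cmdline);
# returns 0 when an amqp-tools invocation carries a credential in its arguments.
cmdline_leaks_secret() {
    old_ifs=$IFS; IFS='|'; set -f; set -- $1; IFS=$old_ifs; set +f
    case "$1" in amqp-*) ;; *) return 1 ;; esac    # only the amqp-tools binaries
    expect_value=0
    for arg in "$@"; do
        [ "$expect_value" = 1 ] && return 0        # the value following --password
        case "$arg" in
            --password) expect_value=1 ;;
            --password=*) return 0 ;;
            amqp*://*@*|--url=amqp*://*@*) return 0 ;;   # user:pass@ inside the URL
        esac
    done
    return 1
}

# Takes the text of /proc/mounts; returns 0 when /proc is mounted with a
# hidepid setting that keeps other users' /proc/PID/cmdline unreadable.
proc_hides_pids() {
    result=1
    while read -r _dev mnt _fstype opts _rest; do
        [ "$mnt" = /proc ] || continue
        case ",$opts," in
            *,hidepid=[124],*|*,hidepid=noaccess,*|*,hidepid=invisible,*|*,hidepid=ptraceall,*)
                result=0 ;;
        esac
    done <<EOF
$1
EOF
    return $result
}

# Live scan of this host; prints PIDs and binary names, never argument values.
scan_live_system() {
    proc_hides_pids "$(cat /proc/mounts)" && echo "/proc: hidepid in effect" \
        || echo "/proc: process arguments readable by every local user"
    for f in /proc/[0-9]*/cmdline; do
        argv=$(tr '\0' '|' 2>/dev/null < "$f") || continue
        if cmdline_leaks_secret "$argv"; then echo "credential in argv: ${f%/cmdline} (${argv%%|*})"; fi
    done
}

if [ "${1:-}" = --scan ]; then scan_live_system; fi
```

Run it with --scan on the host in question; a hit for either check means the precautions Flo describes (hidepid, PID namespaces, or moving the credentials off the command line) still apply.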