[ubuntu/resolute-proposed] rabbitmq-server 4.0.5-10ubuntu1 (Accepted)

Andreas Hasenack andreas.hasenack at canonical.com
Wed Jan 7 18:50:14 UTC 2026


rabbitmq-server (4.0.5-10ubuntu1) resolute; urgency=medium

  * Merge with Debian unstable (LP: #2126011). Remaining changes:
    - d/rules: Enable rabbitmq-streams entrypoint.
    - d/p/rabbitmq-dist.mk.patch: Drop, no longer needed.
  * Dropped:
    - SECURITY UPDATE: authorization headers logged in plaintext (in base64)
      + debian/patches/CVE-2025-50200.patch: fix the exception logged by
        Cowboy caused by double reply in src/rabbit_mgmt_util.erl,
        src/rabbit_mgmt_wm_exchange_publish.erl,
        src/rabbit_mgmt_wm_queue_actions.erl,
        src/rabbit_mgmt_wm_queue_get.erl.
      + CVE-2025-50200
      [In 4.0.5-9]

rabbitmq-server (4.0.5-10) unstable; urgency=medium

  * Removed python3-simplejson build-depends (Closes: #1093307).

rabbitmq-server (4.0.5-9) unstable; urgency=high

  * CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
    authorization headers in plaintext encoded in base64. When querying
    RabbitMQ API with HTTP/s with basic authentication, it creates logs with
    all headers in the request, including authorization headers which show
    base64-encoded username:password. This is easy to decode and afterwards
    could be used to obtain control of the system depending on credentials.
    Added upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
    (Closes: #1108075)

Date: Tue, 06 Jan 2026 14:51:20 -0300
Changed-By: Andreas Hasenack <andreas.hasenack at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/rabbitmq-server/4.0.5-10ubuntu1
-------------- next part --------------
Format: 1.8
Date: Tue, 06 Jan 2026 14:51:20 -0300
Source: rabbitmq-server
Built-For-Profiles: noudeb
Architecture: source
Version: 4.0.5-10ubuntu1
Distribution: resolute
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas.hasenack at canonical.com>
Closes: 1093307 1108075
Launchpad-Bugs-Fixed: 2126011
Changes:
 rabbitmq-server (4.0.5-10ubuntu1) resolute; urgency=medium
 .
   * Merge with Debian unstable (LP: #2126011). Remaining changes:
     - d/rules: Enable rabbitmq-streams entrypoint.
     - d/p/rabbitmq-dist.mk.patch: Drop, no longer needed.
   * Dropped:
     - SECURITY UPDATE: authorization headers logged in plaintext (in base64)
       + debian/patches/CVE-2025-50200.patch: fix the exception logged by
         Cowboy caused by double reply in src/rabbit_mgmt_util.erl,
         src/rabbit_mgmt_wm_exchange_publish.erl,
         src/rabbit_mgmt_wm_queue_actions.erl,
         src/rabbit_mgmt_wm_queue_get.erl.
       + CVE-2025-50200
       [In 4.0.5-9]
 .
 rabbitmq-server (4.0.5-10) unstable; urgency=medium
 .
   * Removed python3-simplejson build-depends (Closes: #1093307).
 .
 rabbitmq-server (4.0.5-9) unstable; urgency=high
 .
   * CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
     authorization headers in plaintext encoded in base64. When querying
     RabbitMQ API with HTTP/s with basic authentication, it creates logs with
     all headers in the request, including authorization headers which show
     base64-encoded username:password. This is easy to decode and afterwards
     could be used to obtain control of the system depending on credentials.
     Added upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
     (Closes: #1108075)
Original-Maintainer: Debian OpenStack <team+openstack at tracker.debian.org>
Vcs-Git: https://git.launchpad.net/~ahasenack/ubuntu/+source/rabbitmq-server
Vcs-Git-Commit: 6d10a9c413e9f49f95423122505f280b52851530
Vcs-Git-Ref: refs/heads/resolute-rabbitmq-server-merge-1

