[Bug 1706900] Re: CVE-2016-9877 RabbitMQ authentication vulnerability
Nils Toedtmann
1706900 at bugs.launchpad.net
Thu Jul 27 17:07:07 UTC 2017
Please bump the importance to "High". This is a trivially and remotely
exploitable authentication bypass, and it's classified "Critical"
upstream, and "High" over at Debian.
This bug was raised and fixed upstream last year. Debian backported the
fix in January. Since when are you aware of it?
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to rabbitmq-server in Ubuntu.
https://bugs.launchpad.net/bugs/1706900
Title:
CVE-2016-9877 RabbitMQ authentication vulnerability
Status in RabbitMQ:
Fix Released
Status in rabbitmq-server package in Ubuntu:
Triaged
Bug description:
https://pivotal.io/security/cve-2016-9877
"MQTT (MQ Telemetry Transport) connection authentication with a
username/password pair succeeds if an existing username is provided
but the password is omitted from the connection request. Connections
that use TLS with a client-provided certificate are not affected."
Affects RabbitMQ "3.x versions prior to 3.5.8"
Ubuntu's Xenial repos are currently offering 3.5.7-1ubuntu0.16.04.1,
and according to its changelog, Pivotal's fix for CVE-2016-9877 has
not been included.
To manage notifications about this bug go to:
https://bugs.launchpad.net/rabbitmq/+bug/1706900/+subscriptions
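The report above decides whether the Xenial package is affected from two things: the upstream version range in the advisory ("3.x versions prior to 3.5.8") and whether the package changelog credits the fix. The following Python script is an added example, not code from the bug report, from RabbitMQ or from Ubuntu's tooling; it applies those same two checks to a Debian-style version string such as 3.5.7-1ubuntu0.16.04.1 and to a changelog excerpt. The changelog texts and maintainer address in it are constructed for the demo; the fixed version 3.5.8 and the CVE id come from the advisory quoted above.

```python
import re

# From the Pivotal advisory quoted in the bug: RabbitMQ "3.x versions prior to 3.5.8".
FIXED_UPSTREAM = (3, 5, 8)
CVE_ID = "CVE-2016-9877"


def parse_debian_version(version: str) -> tuple:
    """Return the upstream part of a Debian/Ubuntu package version as a tuple of ints.

    Debian versions look like [epoch:]upstream[-revision]. The epoch and the
    distro revision (e.g. "-1ubuntu0.16.04.1") say nothing about the upstream
    release, so both are dropped before comparing against the advisory range.
    Comparing tuples of ints avoids the string-comparison trap where "3.5.10"
    would sort before "3.5.8".
    """
    if ":" in version:
        version = version.split(":", 1)[1]      # drop epoch
    if "-" in version:
        version = version.rsplit("-", 1)[0]     # drop Debian revision
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)              # "0~rc1" -> 0, "7" -> 7
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def upstream_in_affected_range(version: str) -> bool:
    """True when the upstream release is a 3.x older than the fixed 3.5.8."""
    v = parse_debian_version(version)
    return v[0] == 3 and v < FIXED_UPSTREAM


def changelog_mentions_cve(changelog: str, cve: str = CVE_ID) -> bool:
    """True when the package changelog credits the CVE, i.e. a distro backport exists."""
    return re.search(re.escape(cve), changelog, re.IGNORECASE) is not None


def assess(version: str, changelog: str) -> str:
    """Classify an installed rabbitmq-server package.

    Distros regularly backport a security fix without bumping the upstream
    version, so the version number alone cannot prove a package is vulnerable;
    the changelog has to be consulted too, exactly as the bug report does.
    """
    if not upstream_in_affected_range(version):
        return "fixed-upstream"
    if changelog_mentions_cve(changelog):
        return "backport-present"
    return "vulnerable"


# Constructed changelog excerpts (NOT the real Ubuntu changelog) for the demo run.
CHANGELOG_NO_BACKPORT = """\
rabbitmq-server (3.5.7-1ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: unrelated fix (placeholder entry)

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 May 2017 00:00:00 +0000
"""

CHANGELOG_WITH_BACKPORT = CHANGELOG_NO_BACKPORT + """\
rabbitmq-server (3.5.7-1ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: MQTT authentication bypass when the password is omitted
    - CVE-2016-9877

 -- Example Maintainer <maintainer@example.invalid>  Tue, 01 Aug 2017 00:00:00 +0000
"""


if __name__ == "__main__":
    for ver, log in [("3.5.7-1ubuntu0.16.04.1", CHANGELOG_NO_BACKPORT),
                     ("3.5.7-1ubuntu0.16.04.2", CHANGELOG_WITH_BACKPORT),
                     ("3.5.8-1", "")]:
        print(f"{ver}: {assess(ver, log)}")
```

On a real host the version comes from `dpkg-query -W -f='${Version}' rabbitmq-server` and the changelog from /usr/share/doc/rabbitmq-server/changelog.Debian.gz; the script only reports "vulnerable" when the upstream release is in the advisory's range and no changelog entry credits the CVE, which is the reasoning the bug reporter applied to 3.5.7-1ubuntu0.16.04.1.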