[Bug 1706900] Re: CVE-2016-9877 RabbitMQ authentication vulnerability
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Jul 27 18:38:55 UTC 2017
** Also affects: rabbitmq-server (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: rabbitmq-server (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: rabbitmq-server (Ubuntu)
Status: Triaged => Fix Released
** Changed in: rabbitmq-server (Ubuntu Trusty)
Status: New => Confirmed
** Changed in: rabbitmq-server (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: rabbitmq-server (Ubuntu Trusty)
Importance: Undecided => High
** Changed in: rabbitmq-server (Ubuntu Xenial)
Importance: Undecided => High
** Changed in: rabbitmq-server (Ubuntu Trusty)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: rabbitmq-server (Ubuntu Xenial)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to rabbitmq-server in Ubuntu.
https://bugs.launchpad.net/bugs/1706900
Title:
CVE-2016-9877 RabbitMQ authentication vulnerability
Status in RabbitMQ:
Fix Released
Status in rabbitmq-server package in Ubuntu:
Fix Released
Status in rabbitmq-server source package in Trusty:
Confirmed
Status in rabbitmq-server source package in Xenial:
Confirmed
Bug description:
https://pivotal.io/security/cve-2016-9877
"MQTT (MQ Telemetry Transport) connection authentication with a
username/password pair succeeds if an existing username is provided
but the password is omitted from the connection request. Connections
that use TLS with a client-provided certificate are not affected."
Affects RabbitMQ "3.x versions prior to 3.5.8"
Ubuntu's Xenial repos are currently offering 3.5.7-1ubuntu0.16.04.1,
and according to its changelog, Pivotal's fix for CVE-2016-9877 has
not been included.
To manage notifications about this bug go to:
https://bugs.launchpad.net/rabbitmq/+bug/1706900/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list