Bug 5756 - [Package Request] rabbitmq-server
Status: CONFIRMED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Package Requests
: Fresh
: All Linux
: Normal normal
Assigned To: ROSA Linux Bugs
Reported: 2015-06-11 10:44 MSD by Zombie Ryushu
Modified: 2015-06-11 10:44 MSD

RPM Package: rabbitmq-server
Description Zombie Ryushu 2015-06-11 10:44:03 MSD
Updated rabbitmq-server package fixes security vulnerabilities:

RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error
messages which could act as an XSS vector (CVE-2014-9649).

RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads
(CVE-2014-9650).

In RabbitMQ before 3.4.3, some user-controllable content was not properly
HTML-escaped before being presented to a user in the management web UI.
An attacker could publish a specially crafted message, policy name, or client
version to execute arbitrary JavaScript code on behalf of a user who was
viewing messages, policies, or connected clients in the management UI. In all
cases, the attacker needs a valid user account on the targeted RabbitMQ
cluster (CVE-2015-0862).

Please import this from Mageia.