ROSA Linux Bugzilla – Bug 5756
[Package Request] rabbitmq-server
Last modified: 2015-06-11 10:44:03 MSD
Updated rabbitmq-server package fixes security vulnerabilities:
RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error
messages which could act as an XSS vector (CVE-2014-9649).
RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads
In RabbitMQ before 3.4.3, some user-controllable content was not properly
HTML-escaped before being presented to a user in the management web UI.
An attacker could publish a specially crafted message, policy name, or client
viewing messages, policies, or connected clients in the management UI. In all
cases, the attacker needs a valid user account on the targeted RabbitMQ
Please import this from Mageia.