Bug 5756

Summary: [Package Request] rabbitmq-server
Product: [ROSA-based products] ROSA Fresh
Reporter: Zombie Ryushu <zombie.ryushu>
Component: Package Requests
Assignee: ROSA Linux Bugs <bugs>
Status: CONFIRMED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
Version: Fresh
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Platform: ---
ROSA Vulnerability identifier:
RPM Package: rabbitmq-server
ISO-related:
Bad POT generating:
Upstream:

Description Zombie Ryushu 2015-06-11 10:44:03 MSK
Updated rabbitmq-server package fixes security vulnerabilities:

RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error
messages which could act as an XSS vector (CVE-2014-9649).

RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads
(CVE-2014-9650).

In RabbitMQ before 3.4.3, some user-controllable content was not properly
HTML-escaped before being presented to a user in the management web UI.
An attacker could publish a specially crafted message, policy name, or client
version to execute arbitrary JavaScript code on behalf of a user who was
viewing messages, policies, or connected clients in the management UI. In all
cases, the attacker needs a valid user account on the targeted RabbitMQ
cluster (CVE-2015-0862).

Please import this from Mageia.
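As an added illustration (not code from this report, the RabbitMQ project or the Mageia package), the three defect classes listed in the description modelled in a few Python functions: HTML-escaping user-controllable fields before they reach management-UI markup, returning /api/* errors as JSON with a non-HTML Content-Type, and rejecting CR/LF in a header value derived from user input. The download-header shape and all sample values are assumptions made for the example.

```python
import html
import json
import re

# Constructed sample values of the kinds of user-controllable content the report
# names (policy name, client version, message payload); the markup is a test value.
SAMPLE_FIELDS = {
    "policy_name": "ha-all<script>alert(1)</script>",
    "client_version": '3.3.5"><img src=x onerror=alert(1)>',
    "payload": "orders & invoices",
}

# CR, LF and NUL are the characters that let input terminate a header line.
_HEADER_CTL = re.compile(r"[\r\n\x00]")


def render_ui_cell(value: str) -> str:
    """Escape user-controllable text before it is placed into management-UI HTML
    (the CVE-2015-0862 class: messages, policy names, client versions)."""
    return html.escape(value, quote=True)


def api_error_response(status: int, reason: str) -> tuple:
    """Build an /api/* error as JSON with an explicit non-HTML Content-Type, so a
    reflected reason string is never interpreted as markup (CVE-2014-9649 class)."""
    body = json.dumps({"error": reason, "status": status})
    return status, {"Content-Type": "application/json"}, body


def is_safe_header_value(value: str) -> bool:
    """True if the value can go into a response header without splitting it."""
    return _HEADER_CTL.search(value) is None


def download_headers(filename: str) -> dict:
    """Headers for a download endpoint. Assumption: a user-supplied filename is
    echoed in Content-Disposition, the shape of a response-splitting bug
    (CVE-2014-9650 class); reject bad input rather than trying to sanitise it."""
    if not is_safe_header_value(filename):
        raise ValueError("control characters are not allowed in a header value")
    return {"Content-Disposition": f'attachment; filename="{filename}"'}


def escaped_fields(fields: dict) -> dict:
    """Escape every user-controllable field in one pass, as a UI renderer would."""
    return {name: render_ui_cell(value) for name, value in fields.items()}


if __name__ == "__main__":
    for name, cell in escaped_fields(SAMPLE_FIELDS).items():
        print(f"{name}: {cell}")
    print(api_error_response(404, "Object Not Found"))
    print(download_headers("definitions.json"))
```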