CVE-2023-35789: An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments. Patch: https://github.com/alanxz/rabbitmq-c/commit/463054383fbeef889b409a7f843df5365288e2a0
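
An added example (not code from rabbitmq-c or the Gentoo tree) of auditing for the exposure this CVE describes: it parses argv in the NUL-separated form of /proc/<pid>/cmdline and reports which amqp-publish/amqp-consume options carry a secret, without returning the secret itself. The option names --password, --url and -u, and all sample command lines, are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit

# Tools named in the CVE text; other rabbitmq-c tools are not covered here.
AMQP_TOOLS = {"amqp-publish", "amqp-consume"}
# Assumed option names (not taken from the page).
SECRET_OPTS = {"--password"}
URL_OPTS = {"--url", "-u"}

# Constructed sample argv blobs in /proc/<pid>/cmdline format (not real data).
SAMPLES = [
    b"/usr/bin/amqp-publish\0--username\0app\0--password\0CONSTRUCTED\0--routing-key\0jobs\0",
    b"amqp-consume\0--url=amqp://app:CONSTRUCTED@mq.example.test/\0--queue\0jobs\0cat\0",
    b"amqp-consume\0--url\0amqp://mq.example.test/\0--queue\0jobs\0cat\0",
    b"/usr/bin/python3\0worker.py\0--password\0CONSTRUCTED\0",
]


def parse_cmdline(raw: bytes) -> list:
    """Split the NUL-separated argv format used by /proc/<pid>/cmdline."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def url_has_password(value: str) -> bool:
    """True when a URL embeds a password in its userinfo part."""
    try:
        return urlsplit(value).password is not None
    except ValueError:
        return False


def exposed_options(argv: list) -> list:
    """Names of options that place a secret in argv; values are never returned."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in AMQP_TOOLS:
        return []
    found, i = [], 1
    while i < len(argv):
        opt, sep, val = argv[i].partition("=")
        if opt in SECRET_OPTS | URL_OPTS:
            if not sep:  # "--opt value" form: the value is the next argument
                val = argv[i + 1] if i + 1 < len(argv) else ""
                i += 1
            if opt in SECRET_OPTS or url_has_password(val):
                found.append(opt)
        i += 1
    return found


if __name__ == "__main__":
    for raw in SAMPLES:
        print(parse_cmdline(raw)[0], exposed_options(parse_cmdline(raw)))
```

On a live host the same function can be fed the bytes read from each /proc/<pid>/cmdline to find services that still need to move their credentials off the command line.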
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2386f8510c14ce4692881c280dbf4491a5bb6528

commit 2386f8510c14ce4692881c280dbf4491a5bb6528
Author:     git-bruh <e817509a-8ee9-4332-b0ad-3a6bdf9ab63f@aleeas.com>
AuthorDate: 2023-10-08 13:37:13 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-01-11 13:51:36 +0000

    net-libs/rabbitmq-c: add 0.13.0

    Bug: https://bugs.gentoo.org/908818
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-libs/rabbitmq-c/Manifest | 1 +
 ...bitmq-c-0.13.0-read-credentials-from-file.patch | 127 +++++++++++++++++++++
 net-libs/rabbitmq-c/rabbitmq-c-0.13.0.ebuild | 55 +++++++++
 3 files changed, 183 insertions(+)
Thanks!