
Bug 532766 (CVE-2014-9494)

Summary: <net-misc/rabbitmq-server-3.5.1: insufficient 'X-Forwarded-For' header validation
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ultrabug
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1174872
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-12-17 08:43:40 UTC
From ${URL} :

In RabbitMQ, the 'loopback_users' configuration directive allows to specify a list of users that 
are only permitted to connect to the broker via localhost. It was found that the RabbitMQ's 
management plug-in did not sufficiently validate the 'X-Forwarded-For' header when determining the 
remote address. A remote attacker able to send a specially crafted 'X-Forwarded-For' header to 
RabbitMQ could use this flaw to connect to the broker as if they were a localhost user. Note that 
the attacker must know valid user credentials in order to connect to the broker.

Upstream patches:

http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d

References:

https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
http://www.rabbitmq.com/release-notes/README-3.4.0.txt


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
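The flaw described above comes down to how the management plug-in derives the "remote address" used for the loopback_users check. The following is an added illustration, not RabbitMQ's own (Erlang) code and not part of this bug report: it contrasts the weak pattern (honouring X-Forwarded-For from any peer) with the hardened one (honouring it only when the TCP peer is a configured trusted proxy, and then taking the right-most hop that is not itself a proxy). All function names, the trusted_proxies parameter and the IP addresses are constructed for the example.

```python
import ipaddress

# Constructed stand-in for RabbitMQ's loopback_users directive: users who may
# only connect from the loopback interface.
LOOPBACK_USERS = {"guest"}


def _lower_headers(headers):
    """Normalise header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def naive_client_ip(peer_ip, headers):
    """Weak pattern (what CVE-2014-9494 boils down to): the first address in
    X-Forwarded-For is trusted no matter who sent it, so any client can claim
    to be 127.0.0.1."""
    xff = _lower_headers(headers).get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip(peer_ip, headers, trusted_proxies=()):
    """Hardened pattern: X-Forwarded-For is only meaningful when the TCP peer
    is a proxy we operate. Walk the chain from the right (the hop our proxy
    appended) and stop at the first address that is not a trusted proxy; any
    value the original client put in front of that is ignored. Returns None
    when the origin cannot be established, which callers treat as deny."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        # Direct connection (or an unknown proxy): the header is untrusted input.
        return str(peer)
    xff = _lower_headers(headers).get("x-forwarded-for")
    if xff is None:
        return str(peer)
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return None  # malformed header from our own proxy: fail closed
    for hop in reversed(hops):
        if hop not in trusted:
            return str(hop)
    return None  # every hop is a proxy; no client address recorded


def is_loopback_access_allowed(user, peer_ip, headers, trusted_proxies=()):
    """Apply the loopback_users rule using the hardened address derivation."""
    if user not in LOOPBACK_USERS:
        return True
    ip = client_ip(peer_ip, headers, trusted_proxies)
    return ip is not None and ipaddress.ip_address(ip).is_loopback


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    print("naive   :", naive_client_ip("203.0.113.5", spoof))   # 127.0.0.1 (wrong)
    print("hardened:", client_ip("203.0.113.5", spoof))         # 203.0.113.5
    print("guest allowed from 203.0.113.5 with spoofed header:",
          is_loopback_access_allowed("guest", "203.0.113.5", spoof))
```

The key design choice is that the header is consulted only after the transport-layer peer has been identified as one of your own proxies; a value that cannot be parsed or a chain consisting solely of proxies yields None, so the loopback check fails closed rather than falling back to a guess.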
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 16:41:50 UTC
Fixed since v3.4.0:

$ hg log -r "c3c41177a11a:: and tag()"
changeset:   2370:5933c590f284
tag:         rabbitmq_v3_4_0
user:        Simon MacMullen <simon@rabbitmq.com>
date:        Tue Oct 21 14:20:42 2014 +0100
summary:     Gah, fix logout.

[...]


$ hg log -r "35e916df027d:: and tag()"
changeset:   2370:5933c590f284
tag:         rabbitmq_v3_4_0
user:        Simon MacMullen <simon@rabbitmq.com>
date:        Tue Oct 21 14:20:42 2014 +0100
summary:     Gah, fix logout.


The first version which contains the fix and appeared in the Gentoo repository was https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-misc/rabbitmq-server/rabbitmq-server-3.5.1.ebuild?hideattic=0&view=log

Current stable version in tree is =net-misc/rabbitmq-server-3.6.5.


@ Maintainer(s): Please clean up and remove at least <net-misc/rabbitmq-server-3.5.4. You may want to keep =net-misc/rabbitmq-server-3.2.4, which isn't affected by this vulnerability according to https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM, but please see the other fixes, which may be good reasons to push users to newer versions.


@ Security: Please vote!
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-12-02 08:56:23 UTC
Cleaned:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=981fa99007e401a4719802471de82d350af83bfa

GLSA Vote: No