| Summary: | <net-misc/rabbitmq-server-3.5.1: insufficient 'X-Forwarded-For' header validation | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | ultrabug |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1174872 | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Fixed since v3.4.0: $ hg log -r "c3c41177a11a:: and tag()" changeset: 2370:5933c590f284 tag: rabbitmq_v3_4_0 user: Simon MacMullen <simon@rabbitmq.com> date: Tue Oct 21 14:20:42 2014 +0100 summary: Gah, fix logout. [...] $ hg log -r "35e916df027d:: and tag()" changeset: 2370:5933c590f284 tag: rabbitmq_v3_4_0 user: Simon MacMullen <simon@rabbitmq.com> date: Tue Oct 21 14:20:42 2014 +0100 summary: Gah, fix logout. First version which contains the fix and appeared in Gentoo repository was https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-misc/rabbitmq-server/rabbitmq-server-3.5.1.ebuild?hideattic=0&view=log Current stable version in tree is =net-misc/rabbitmq-server-3.6.5. @ Maintainer(s): Please cleanup and remove at least <net-misc/rabbitmq-server-3.5.4. You maybe want to keep =net-misc/rabbitmq-server-3.2.4 which isn't affected by this vulnerability according to https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM but please see the other fixes which maybe are good reasons to push users to newer versions. @ Security: Please vote! |
From ${URL} : In RabbitMQ, the 'loopback_users' configuration directive allows to specify a list of users that are only permitted to connect to the broker via localhost. It was found that the RabbitMQ's management plug-in did not sufficiently validate the 'X-Forwarded-For' header when determining the remote address. A remote attacker able to send a specially crafted 'X-Forwarded-For' header to RabbitMQ could use this flaw to connect to the broker as if they were a localhost user. Note that the attacker must know valid user credentials in order to connect to the broker. Upstream patches: http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d References: https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM http://www.rabbitmq.com/release-notes/README-3.4.0.txt @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.