Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 616272 (CVE-2016-9877, CVE-2017-4965, CVE-2017-4966, CVE-2017-4967)

Summary: <net-misc/rabbitmq-server-3.6.9: multiple vulnerabilities
Product: Gentoo Security Reporter: Jeroen Roovers (RETIRED) <jer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ultrabug
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.rabbitmq.com/news.html#2017-03-29T18:00:00+03:00
Whiteboard: B4 [noglsa cve]
Package list:
net-misc/rabbitmq-server-3.6.9
Runtime testing required: No

Description Jeroen Roovers (RETIRED) gentoo-dev 2017-04-22 09:03:57 UTC
Version 3.6.9 fixed these:

CVE-2017-4965: XSS vulnerabilities in management UI
CVE-2017-4966: authentication details are stored in browser-local storage without expiration
CVE-2017-4967: XSS vulnerabilities in management UI

Version 3.6.6 fixed this one:

This release contains a security vulnerability (CVE-2016-9877) fix in the MQTT plugin and bug fixes.

Version 3.6.5 is stable on AMD64 and x86.
Comment 1 Ultrabug gentoo-dev 2017-05-30 13:04:52 UTC
Please stabilize =net-misc/rabbitmq-server-3.6.9 so I can tree clean previous versions.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-06-08 23:24:43 UTC
@ Arches,

please test and mark stable: =net-misc/rabbitmq-server-3.6.9
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-10-01 01:08:53 UTC
x86 stable
Comment 4 Manuel RĂ¼ger (RETIRED) gentoo-dev 2017-10-20 14:37:09 UTC
Stable on amd64
Comment 5 D'juan McDonald (domhnall) 2017-11-04 18:54:54 UTC
@maintainer(s), please proceed to cleanup

@security, please vote on GLSA.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-04 19:21:52 UTC
GLSA Vote: No
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-11 20:34:21 UTC
Please clean the vulnerable.
Comment 8 Ultrabug gentoo-dev 2017-12-22 09:31:58 UTC
3.6.9 cleaned from tree
Comment 9 Ultrabug gentoo-dev 2017-12-22 09:37:36 UTC
(In reply to Ultrabug from comment #8)
> 3.6.9 cleaned from tree

sorry, meant 3.6.5
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-19 13:58:27 UTC
Tree is clean