Bug 797217 (CVE-2021-22116)

Summary:	<net-misc/rabbitmq-server-3.8.19: denial of service via crafted AMQP messages (CVE-2021-22116)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	ultrabug
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://tanzu.vmware.com/security/cve-2021-22116
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:	799416
Bug Blocks:

Description John Helmert III archtester

2021-06-20 22:40:40 UTC

CVE-2021-22116:

RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled.


Please bump.

Comment 1 Larry the Git Cow gentoo-dev

2021-07-18 17:56:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc357e6ce980ecef8c70a10cbb550654da494821

commit cc357e6ce980ecef8c70a10cbb550654da494821
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-07-18 17:53:49 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-07-18 17:56:39 +0000

    net-misc/rabbitmq-server: bump to version 3.8.19
    
    Bug: https://bugs.gentoo.org/797217
    Bug: https://bugs.gentoo.org/799416
    Bug: https://bugs.gentoo.org/701252
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-misc/rabbitmq-server/Manifest                  |  1 +
 .../rabbitmq-server/rabbitmq-server-3.8.19.ebuild  | 79 ++++++++++++++++++++++
 2 files changed, 80 insertions(+)

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:21:39 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:29:48 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:37:46 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:45:52 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:53:56 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:01:50 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 18:10:11 UTC

Package list is empty or all packages have requested keywords.

Comment 9 Larry the Git Cow gentoo-dev

2021-10-17 20:39:15 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e63630841fe7f2e7c049a42f6f22d88d8f7126e

commit 6e63630841fe7f2e7c049a42f6f22d88d8f7126e
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-10-17 16:37:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-10-17 20:36:31 +0000

    net-misc/rabbitmq-server: drop 3.8.14
    
    Bug: https://bugs.gentoo.org/799416
    Bug: https://bugs.gentoo.org/797217
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/rabbitmq-server/Manifest                  |  1 -
 .../rabbitmq-server/rabbitmq-server-3.8.14.ebuild  | 78 ----------------------
 2 files changed, 79 deletions(-)

Comment 10 Gabriel Linder 2022-06-14 10:04:03 UTC

See https://github.com/gentoo/gentoo/pull/25893 which bumps rabbitmq.

Comment 11 John Helmert III archtester

2022-06-14 14:47:01 UTC

GLSA vote: no. All done!