Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 799416 (CVE-2021-32718, CVE-2021-32719)

Summary: <net-misc/rabbitmq-server-3.8.19: multiple vulnerabilities (CVE-2021-{32718,32719})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ultrabug
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
net-misc/rabbitmq-server-3.8.19-r1
 Runtime testing required: ---
Bug Depends on: 805023    
Bug Blocks: 797217    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 02:24:28 UTC 
CVE-2021-32718 (https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772):

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's bane being rendered in a confirmation message without proper `<script>` tag sanitization, potentially allowing for JavaScript code execution in the context of the page. In order for this to occur, the user must be signed in and have elevated permissions (other user management). The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable `rabbitmq_management` plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.

CVE-2021-32719 (https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x):

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper <script> tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead.


Please bump to 3.8.18.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-18 17:56:47 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc357e6ce980ecef8c70a10cbb550654da494821

commit cc357e6ce980ecef8c70a10cbb550654da494821
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-07-18 17:53:49 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-07-18 17:56:39 +0000

    net-misc/rabbitmq-server: bump to version 3.8.19
    
    Bug: https://bugs.gentoo.org/797217
    Bug: https://bugs.gentoo.org/799416
    Bug: https://bugs.gentoo.org/701252
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-misc/rabbitmq-server/Manifest                  |  1 +
 .../rabbitmq-server/rabbitmq-server-3.8.19.ebuild  | 79 ++++++++++++++++++++++
 2 files changed, 80 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2021-08-16 05:13:47 UTC 
amd64 stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 01:07:37 UTC 
x86 done

all arches done
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 17:45:42 UTC 
Please cleanup.
Comment 5 Larry the Git Cow gentoo-dev 2021-10-17 20:39:12 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e63630841fe7f2e7c049a42f6f22d88d8f7126e

commit 6e63630841fe7f2e7c049a42f6f22d88d8f7126e
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-10-17 16:37:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-10-17 20:36:31 +0000

    net-misc/rabbitmq-server: drop 3.8.14
    
    Bug: https://bugs.gentoo.org/799416
    Bug: https://bugs.gentoo.org/797217
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/rabbitmq-server/Manifest                  |  1 -
 .../rabbitmq-server/rabbitmq-server-3.8.14.ebuild  | 78 ----------------------
 2 files changed, 79 deletions(-)
Comment 6 Kobboi 2022-04-08 20:08:37 UTC 
Finding this while looking for bump requests. What still needs to be done here?
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 13:55:13 UTC 
(In reply to Kobboi from comment #6)
> Finding this while looking for bump requests. What still needs to be done
> here?

GLSA.
Comment 8 Gabriel Linder 2022-06-14 10:04:21 UTC 
See https://github.com/gentoo/gentoo/pull/25893 which bumps rabbitmq.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-14 14:47:18 UTC 
GLSA vote: no. All done!