CVE-2021-32718 (https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772): RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's name being rendered in a confirmation message without proper `<script>` tag sanitization, potentially allowing for JavaScript code execution in the context of the page. In order for this to occur, the user must be signed in and have elevated permissions (other user management). The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable `rabbitmq_management` plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.

CVE-2021-32719 (https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x): RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper `<script>` tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead.

Please bump to 3.8.18.
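Both advisories above describe the same defect class: an attacker-controlled string (a user name, a consumer tag) concatenated into UI markup without escaping. The following is an added illustration, not code from RabbitMQ or its management plugin; the template strings, the `hasUnexpectedTags` check and the sample name are constructed for this example.

```javascript
// Added example (not RabbitMQ's own code): an unescaped "user added" confirmation
// message next to its escaped counterpart, plus a check that flags rendered
// fragments containing tags the template itself never emits.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let untrusted text alter HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (as described in the advisories): the raw name is
// concatenated straight into markup, so any tags in it become real elements.
function renderConfirmationUnsafe(userName) {
  return '<p>Added user <b>' + userName + '</b></p>';
}

// Hardened pattern: the name is escaped first, so it can only appear as text.
function renderConfirmationSafe(userName) {
  return '<p>Added user <b>' + escapeHtml(userName) + '</b></p>';
}

// Defensive check for tests or review: does a rendered fragment contain any
// tag other than those the template is allowed to produce?
function hasUnexpectedTags(html, allowed = ['p', 'b']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample name carrying a script tag, as the advisories describe.
const SAMPLE_NAME = 'alice<script>x()</script>';

console.log(hasUnexpectedTags(renderConfirmationUnsafe(SAMPLE_NAME))); // true
console.log(hasUnexpectedTags(renderConfirmationSafe(SAMPLE_NAME)));   // false
```

The same escaping applies to the consumer tag in the federation link view; the only difference is which template the untrusted string lands in.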
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc357e6ce980ecef8c70a10cbb550654da494821

commit cc357e6ce980ecef8c70a10cbb550654da494821
Author: Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-07-18 17:53:49 +0000
Commit: Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-07-18 17:56:39 +0000

    net-misc/rabbitmq-server: bump to version 3.8.19

    Bug: https://bugs.gentoo.org/797217
    Bug: https://bugs.gentoo.org/799416
    Bug: https://bugs.gentoo.org/701252
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-misc/rabbitmq-server/Manifest                 |  1 +
 .../rabbitmq-server/rabbitmq-server-3.8.19.ebuild | 79 ++++++++++++++++++++++
 2 files changed, 80 insertions(+)
amd64 stable
x86 done all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e63630841fe7f2e7c049a42f6f22d88d8f7126e

commit 6e63630841fe7f2e7c049a42f6f22d88d8f7126e
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-10-17 16:37:11 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2021-10-17 20:36:31 +0000

    net-misc/rabbitmq-server: drop 3.8.14

    Bug: https://bugs.gentoo.org/799416
    Bug: https://bugs.gentoo.org/797217
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/rabbitmq-server/Manifest                 |  1 -
 .../rabbitmq-server/rabbitmq-server-3.8.14.ebuild | 78 ----------------------
 2 files changed, 79 deletions(-)
Finding this while looking for bump requests. What still needs to be done here?
(In reply to Kobboi from comment #6)
> Finding this while looking for bump requests. What still needs to be done
> here?

GLSA.
See https://github.com/gentoo/gentoo/pull/25893 which bumps rabbitmq.
GLSA vote: no. All done!