Bug 799416 (CVE-2021-32718, CVE-2021-32719) - <net-misc/rabbitmq-server-3.8.19: multiple vulnerabilities (CVE-2021-{32718,32719})
Status: RESOLVED FIXED
Alias: CVE-2021-32718, CVE-2021-32719
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 805023
Blocks: CVE-2021-22116
Reported: 2021-07-01 02:24 UTC by John Helmert III
Modified: 2022-06-14 14:47 UTC

See Also:
Package list:
net-misc/rabbitmq-server-3.8.19-r1
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 02:24:28 UTC
CVE-2021-32718 (https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772):

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's name being rendered in a confirmation message without proper `<script>` tag sanitization, potentially allowing for JavaScript code execution in the context of the page. In order for this to occur, the user must be signed in and have elevated permissions (other user management). The vulnerability is patched in RabbitMQ 3.8.17. As a workaround, disable `rabbitmq_management` plugin and use CLI tools for management operations and Prometheus and Grafana for metrics and monitoring.

CVE-2021-32719 (https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x):

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper <script> tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead.


Please bump to 3.8.18.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-18 17:56:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc357e6ce980ecef8c70a10cbb550654da494821

commit cc357e6ce980ecef8c70a10cbb550654da494821
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-07-18 17:53:49 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-07-18 17:56:39 +0000

    net-misc/rabbitmq-server: bump to version 3.8.19
    
    Bug: https://bugs.gentoo.org/797217
    Bug: https://bugs.gentoo.org/799416
    Bug: https://bugs.gentoo.org/701252
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-misc/rabbitmq-server/Manifest                  |  1 +
 .../rabbitmq-server/rabbitmq-server-3.8.19.ebuild  | 79 ++++++++++++++++++++++
 2 files changed, 80 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2021-08-16 05:13:47 UTC
amd64 stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 01:07:37 UTC
x86 done

all arches done
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 17:45:42 UTC
Please cleanup.
Comment 5 Larry the Git Cow gentoo-dev 2021-10-17 20:39:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e63630841fe7f2e7c049a42f6f22d88d8f7126e

commit 6e63630841fe7f2e7c049a42f6f22d88d8f7126e
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-10-17 16:37:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-10-17 20:36:31 +0000

    net-misc/rabbitmq-server: drop 3.8.14
    
    Bug: https://bugs.gentoo.org/799416
    Bug: https://bugs.gentoo.org/797217
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/rabbitmq-server/Manifest                  |  1 -
 .../rabbitmq-server/rabbitmq-server-3.8.14.ebuild  | 78 ----------------------
 2 files changed, 79 deletions(-)
Comment 6 Kobboi 2022-04-08 20:08:37 UTC
Finding this while looking for bump requests. What still needs to be done here?
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 13:55:13 UTC
(In reply to Kobboi from comment #6)
> Finding this while looking for bump requests. What still needs to be done
> here?

GLSA.
Comment 8 Gabriel Linder 2022-06-14 10:04:21 UTC
See https://github.com/gentoo/gentoo/pull/25893 which bumps rabbitmq.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-14 14:47:18 UTC
GLSA vote: no. All done!