Bug 532766 (CVE-2014-9494) - <net-misc/rabbitmq-server-3.5.1: insufficient 'X-Forwarded-For' header validation
Summary: <net-misc/rabbitmq-server-3.5.1: insufficient 'X-Forwarded-For' header valida...
Status: RESOLVED FIXED
Alias: CVE-2014-9494
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-17 08:43 UTC by Agostino Sarubbo
Modified: 2016-12-02 08:56 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-12-17 08:43:40 UTC
From ${URL} :

In RabbitMQ, the 'loopback_users' configuration directive allows specifying a list of users that
are only permitted to connect to the broker via localhost. It was found that RabbitMQ's
management plug-in did not sufficiently validate the 'X-Forwarded-For' header when determining the
remote address. A remote attacker able to send a specially crafted 'X-Forwarded-For' header to
RabbitMQ could use this flaw to connect to the broker as if they were a localhost user. Note that
the attacker must know valid user credentials in order to connect to the broker.

Upstream patches:

http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d

References:

https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
http://www.rabbitmq.com/release-notes/README-3.4.0.txt


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
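The flaw described above is an instance of a general pattern: a server derives the client address from X-Forwarded-For, a header any client can set, and then makes an authorization decision (here, the loopback_users restriction) on that address. The Python model below is an added illustration and is not RabbitMQ's code, nor the upstream patch; the function names, the LOOPBACK_USERS set and the sample addresses are constructed for the example. It puts the flawed derivation next to a hardened one that honours the header only when the TCP peer is an explicitly configured reverse proxy, and even then takes only the right-most hop that is not itself a trusted proxy, because everything to the left of that was supplied by the client.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed for this example: the broker's loopback-only users, the
# counterpart of RabbitMQ's `loopback_users` setting (default: guest).
LOOPBACK_USERS = frozenset({"guest"})


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def _parse_ip(text: str) -> Optional[str]:
    """Canonical text of a valid IPv4/IPv6 literal, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(text.strip().strip("[]")))
    except ValueError:
        return None


def remote_addr_vulnerable(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Flawed derivation (the class of bug in the report): any client may assert
    its own address by sending X-Forwarded-For, so a remote user can appear local."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        first_hop = _parse_ip(xff.split(",")[0])
        if first_hop:
            return first_hop
    return peer_ip


def remote_addr_hardened(peer_ip: str, headers: Mapping[str, str],
                         trusted_proxies: Iterable[str] = ()) -> str:
    """Hardened derivation: X-Forwarded-For is honoured only when the TCP peer is a
    configured reverse proxy. The chain is read right to left, skipping hops that
    are themselves trusted proxies; the first other hop is the client. With no
    trusted proxies (the default) the header is ignored and the socket peer wins."""
    trusted = {_parse_ip(p) for p in trusted_proxies} - {None}
    peer = _parse_ip(peer_ip) or peer_ip
    if peer not in trusted:
        return peer
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return peer
    for hop in reversed(xff.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            return peer  # malformed chain: fall back to the socket address
        if ip not in trusted:
            return ip
    return peer  # every hop was one of our own proxies


def is_loopback(addr: str) -> bool:
    return ipaddress.ip_address(addr).is_loopback


def login_allowed(user: str, remote_addr: str) -> bool:
    """loopback_users semantics: listed users may only connect from localhost."""
    return user not in LOOPBACK_USERS or is_loopback(remote_addr)


if __name__ == "__main__":
    # Constructed request: a host at 203.0.113.5 that knows guest's credentials
    # asserts a loopback origin in the header.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print(login_allowed("guest", remote_addr_vulnerable("203.0.113.5", spoofed)))  # True: bypass
    print(login_allowed("guest", remote_addr_hardened("203.0.113.5", spoofed)))    # False
```

Two practical notes follow from the model. First, the check after upgrading: a request from a non-loopback host carrying `X-Forwarded-For: 127.0.0.1` together with a loopback-only user's credentials must be refused; if it is accepted, the header is still being trusted. Second, the caveat for deployments that legitimately front the management interface with a reverse proxy: there the proxy's address is the socket peer, so loopback-only users can only be recognised if the header is honoured for that one configured proxy, never for arbitrary clients.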
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-12-01 16:41:50 UTC
Fixed since v3.4.0:

$ hg log -r "c3c41177a11a:: and tag()"
changeset:   2370:5933c590f284
tag:         rabbitmq_v3_4_0
user:        Simon MacMullen <simon@rabbitmq.com>
date:        Tue Oct 21 14:20:42 2014 +0100
summary:     Gah, fix logout.

[...]


$ hg log -r "35e916df027d:: and tag()"
changeset:   2370:5933c590f284
tag:         rabbitmq_v3_4_0
user:        Simon MacMullen <simon@rabbitmq.com>
date:        Tue Oct 21 14:20:42 2014 +0100
summary:     Gah, fix logout.


The first version which contains the fix and appeared in the Gentoo repository was https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-misc/rabbitmq-server/rabbitmq-server-3.5.1.ebuild?hideattic=0&view=log

Current stable version in tree is =net-misc/rabbitmq-server-3.6.5.


@ Maintainer(s): Please clean up and remove at least <net-misc/rabbitmq-server-3.5.4. You may want to keep =net-misc/rabbitmq-server-3.2.4, which isn't affected by this vulnerability according to https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM, but please see the other fixes, which may be good reasons to push users to newer versions.


@ Security: Please vote!