From ${URL} :

In RabbitMQ, the 'loopback_users' configuration directive allows specifying a list of users that are only permitted to connect to the broker via localhost. It was found that RabbitMQ's management plug-in did not sufficiently validate the 'X-Forwarded-For' header when determining the remote address. A remote attacker able to send a specially crafted 'X-Forwarded-For' header to RabbitMQ could use this flaw to connect to the broker as if they were a localhost user. Note that the attacker must know valid user credentials in order to connect to the broker.

Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d

References:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
http://www.rabbitmq.com/release-notes/README-3.4.0.txt

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
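The flaw described in the report comes down to how the remote address of an HTTP client is derived before the 'loopback_users' check is applied. The following is an added illustration, not RabbitMQ's code (the management plug-in is written in Erlang, and the upstream changesets linked above are not reproduced here): it places a function that blindly honours 'X-Forwarded-For' next to a hardened variant that only trusts the header when the TCP peer is a configured reverse proxy, and then applies loopback-user semantics to the result. The trusted-proxy network, the header values and the user list are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: the management UI sits behind one reverse proxy in 10.0.0.0/8.
# A deployment with no proxy in front should use an empty list here.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of request headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def remote_address_vulnerable(peer_ip, headers):
    """Mirrors the behaviour the report describes: any X-Forwarded-For value
    supplied by the client replaces the real socket peer address."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return ip_address(xff.split(",")[0].strip())
    return ip_address(peer_ip)


def remote_address_hardened(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy.
    A direct client can then no longer claim to be 127.0.0.1."""
    peer = ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return peer                      # direct connection: the header is untrusted input
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return peer
    # Walk the chain from the right: the last hop appended by a trusted proxy is
    # the address that proxy actually saw; anything further left is client-supplied.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return peer                  # malformed header: fall back to the socket peer, never to loopback
        if not any(addr in net for net in trusted):
            return addr
    return peer                          # every hop was a proxy: treat the proxy itself as the client


def login_allowed(user, loopback_users, remote):
    """loopback_users semantics: listed users may only connect via the loopback interface."""
    if user in loopback_users:
        return remote.is_loopback
    return True


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}   # constructed client-supplied header
    ext = "203.0.113.5"
    print("vulnerable:", login_allowed("guest", {"guest"}, remote_address_vulnerable(ext, spoofed)))
    print("hardened:  ", login_allowed("guest", {"guest"}, remote_address_hardened(ext, spoofed)))
```

Running the module prints True for the vulnerable path (the loopback-only user is admitted from an external address because the header was believed) and False for the hardened one. The same check is what a detection rule can key on: a management login from a non-loopback socket peer whose request carries an X-Forwarded-For of 127.0.0.1 is worth alerting on even after the upgrade.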
Fixed since v3.4.0:

  $ hg log -r "c3c41177a11a:: and tag()"
  changeset:   2370:5933c590f284
  tag:         rabbitmq_v3_4_0
  user:        Simon MacMullen <simon@rabbitmq.com>
  date:        Tue Oct 21 14:20:42 2014 +0100
  summary:     Gah, fix logout.
  [...]

  $ hg log -r "35e916df027d:: and tag()"
  changeset:   2370:5933c590f284
  tag:         rabbitmq_v3_4_0
  user:        Simon MacMullen <simon@rabbitmq.com>
  date:        Tue Oct 21 14:20:42 2014 +0100
  summary:     Gah, fix logout.

First version which contains the fix and appeared in the Gentoo repository was
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-misc/rabbitmq-server/rabbitmq-server-3.5.1.ebuild?hideattic=0&view=log

Current stable version in tree is =net-misc/rabbitmq-server-3.6.5.

@ Maintainer(s): Please clean up and remove at least <net-misc/rabbitmq-server-3.5.4. You may want to keep =net-misc/rabbitmq-server-3.2.4, which isn't affected by this vulnerability according to https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM, but please see the other fixes, which may be good reasons to push users to newer versions.

@ Security: Please vote!
Cleaned: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=981fa99007e401a4719802471de82d350af83bfa

GLSA Vote: No