Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616272 (CVE-2016-9877, CVE-2017-4965, CVE-2017-4966, CVE-2017-4967) - <net-misc/rabbitmq-server-3.6.9: multiple vulnerabilities
Summary: <net-misc/rabbitmq-server-3.6.9: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-9877, CVE-2017-4965, CVE-2017-4966, CVE-2017-4967
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://www.rabbitmq.com/news.html#201...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-22 09:03 UTC by Jeroen Roovers (RETIRED)
Modified: 2018-01-19 13:58 UTC (History)
1 user (show)

See Also:
Package list:
net-misc/rabbitmq-server-3.6.9
Runtime testing required: No

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2017-04-22 09:03:57 UTC 
Version 3.6.9 fixed these:

CVE-2017-4965: XSS vulnerabilities in management UI
CVE-2017-4966: authentication details are stored in browser-local storage without expiration
CVE-2017-4967: XSS vulnerabilities in management UI

Version 3.6.6 fixed this one:

This release contains a security vulnerability (CVE-2016-9877) fix in the MQTT plugin and bug fixes.

Version 3.6.5 is stable on AMD64 and x86.
Comment 1 Ultrabug gentoo-dev 2017-05-30 13:04:52 UTC 
Please stabilize =net-misc/rabbitmq-server-3.6.9 so I can tree clean previous versions.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-08 23:24:43 UTC 
@ Arches,

please test and mark stable: =net-misc/rabbitmq-server-3.6.9
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-01 01:08:53 UTC 
x86 stable
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2017-10-20 14:37:09 UTC 
Stable on amd64
Comment 5 D'juan McDonald (domhnall) 2017-11-04 18:54:54 UTC 
@maintainer(s), please proceed to cleanup

@security, please vote on GLSA.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-11-04 19:21:52 UTC 
GLSA Vote: No
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-11-11 20:34:21 UTC 
Please clean the vulnerable.
Comment 8 Ultrabug gentoo-dev 2017-12-22 09:31:58 UTC 
3.6.9 cleaned from tree
Comment 9 Ultrabug gentoo-dev 2017-12-22 09:37:36 UTC 
(In reply to Ultrabug from comment #8)
> 3.6.9 cleaned from tree

sorry, meant 3.6.5
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-01-19 13:58:27 UTC 
Tree is clean