CVE-2023-46118: RabbitMQ is a multi-protocol messaging and streaming broker. Its HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish very large messages over the HTTP API and cause the target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7. Seems like we're not updating 3.11 often, should we stabilize 3.12.9?
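The practical question for a packager is which shipped versions still lack the fix. The following is an added example, not code from the Gentoo bug or from the RabbitMQ project: it parses a version string (including Gentoo's `-rN` revision suffix) and classifies it against the fixed releases the advisory names, 3.11.24 and 3.12.7. Two points are assumptions rather than statements from the advisory: minor branches newer than 3.12 are treated as fixed, and branches older than 3.11 are treated conservatively as affected.

```python
# Added example (not from the bug or from RabbitMQ): classify a RabbitMQ
# version string against the fixed versions named in CVE-2023-46118.
import re

# Lowest patched release per minor branch, taken from the advisory text.
FIXED_IN = {(3, 11): (3, 11, 24), (3, 12): (3, 12, 7)}


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' with an optional Gentoo '-rN' revision.
    The revision is ignored: it changes packaging, not upstream code."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-r\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return True if this release lacks the CVE-2023-46118 fix."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    if branch > (3, 12):
        # Assumption: branches newer than 3.12 were released after the fix.
        return False
    # Assumption: branches older than 3.11 got no fix; treat as affected.
    return True


def affected_versions(versions):
    """Filter a list of version strings down to the affected ones."""
    return [v for v in versions if is_affected(v)]


if __name__ == "__main__":
    # Constructed sample: the ebuild versions named in this bug plus the
    # fixed releases from the advisory and one release on either side.
    for v in ["3.11.2-r1", "3.12.9", "3.11.24", "3.12.7", "3.12.6", "3.13.1"]:
        print(v, "affected" if is_affected(v) else "fixed")
```

On the versions in this bug, `3.11.2-r1` is reported as affected and `3.12.9` as fixed, which matches the advisory's thresholds; the mask in the later commit is stricter because it also serves the dev-lang/erlang cleanup.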
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b925c0292e68ade7bfddb23896fc858539236899

commit b925c0292e68ade7bfddb23896fc858539236899
Author: Matthew Smith <matthew@gentoo.org>
AuthorDate: 2024-04-19 07:34:01 +0000
Commit: Matthew Smith <matthew@gentoo.org>
CommitDate: 2024-04-23 13:10:26 +0000

profiles: mask <net-misc/rabbitmq-server-3.13.1

Older versions are blocking dev-lang/erlang cleanup, and <3.12.9 is vulnerable to CVE-2023-46118.

Bug: https://bugs.gentoo.org/918527
Signed-off-by: Matthew Smith <matthew@gentoo.org>

profiles/package.mask | 7 +++++++
1 file changed, 7 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e301544eb44c0f105734668ea89f292c54f315f

commit 0e301544eb44c0f105734668ea89f292c54f315f
Author: Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2024-05-31 19:01:47 +0000
Commit: Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-05-31 19:05:56 +0000

net-misc/rabbitmq-server: drop 3.11.2-r1, 3.12.9

Bug: https://bugs.gentoo.org/918527
Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

net-misc/rabbitmq-server/Manifest                    |  2 -
.../rabbitmq-server-3.11.2-r1.ebuild                 | 86 --------------------
.../rabbitmq-server/rabbitmq-server-3.12.9.ebuild    | 91 ----------------------
profiles/package.mask                                |  7 --
4 files changed, 186 deletions(-)