Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918527 (CVE-2023-46118) - <net-misc/rabbitmq-server-3.12.9: DoS via very large requests
Summary: <net-misc/rabbitmq-server-3.12.9: DoS via very large requests
Status: CONFIRMED
Alias: CVE-2023-46118
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/rabbitmq/rabbitmq-...
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 930000
Blocks:
  Show dependency tree
 
Reported: 2023-11-25 16:12 UTC by John Helmert III
Modified: 2024-06-01 08:19 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 16:12:45 UTC
CVE-2023-46118:

RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.

Seems like we're not updating 3.11 often, should we stabilize 3.12.9?
Comment 1 Larry the Git Cow gentoo-dev 2024-04-23 13:11:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b925c0292e68ade7bfddb23896fc858539236899

commit b925c0292e68ade7bfddb23896fc858539236899
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2024-04-19 07:34:01 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2024-04-23 13:10:26 +0000

    profiles: mask <net-misc/rabbitmq-server-3.13.1
    
    Older versions are blocking dev-lang/erlang cleanup, and
    <3.12.9 is vulnerable to CVE-2023-46118.
    
    Bug: https://bugs.gentoo.org/918527
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-05-31 19:07:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e301544eb44c0f105734668ea89f292c54f315f

commit 0e301544eb44c0f105734668ea89f292c54f315f
Author:     Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2024-05-31 19:01:47 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-05-31 19:05:56 +0000

    net-misc/rabbitmq-server: drop 3.11.2-r1, 3.12.9
    
    Bug: https://bugs.gentoo.org/918527
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 net-misc/rabbitmq-server/Manifest                  |  2 -
 .../rabbitmq-server-3.11.2-r1.ebuild               | 86 --------------------
 .../rabbitmq-server/rabbitmq-server-3.12.9.ebuild  | 91 ----------------------
 profiles/package.mask                              |  7 --
 4 files changed, 186 deletions(-)