Updated rabbitmq-server packages fix security vulnerabilities
Publication date: 08 Jun 2015Type: security
Affected Mageia releases : 4
CVE: CVE-2014-9649 , CVE-2014-9650 , CVE-2014-0862
Description
Updated rabbitmq-server package fixes security vulnerabilities:
RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error
messages which could act as an XSS vector (CVE-2014-9649).
RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads
(CVE-2014-9650).
In RabbitMQ before 3.4.3, some user-controllable content was not properly
HTML-escaped before being presented to a user in the management web UI.
An attacker could publish a specially crafted message, policy name, or client
version to execute arbitrary Javascript code on behalf of a user who was
viewing messages, policies, or connected clients in the management UI. In all
cases, the attacker needs a valid user account on the targetted RabbitMQ
cluster (CVE-2015-0862).
The rabbitmq-server package has been updated to version 3.5.3, fixing these
issues and several other bugs.
References
- https://bugs.mageia.org/show_bug.cgi?id=15120
- https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
- http://openwall.com/lists/oss-security/2015/01/27/8
- http://www.rabbitmq.com/news.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9649
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9650
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0862
SRPMS
4/core
- rabbitmq-server-3.5.3-1.mga4