Advisories » MGASA-2015-0240

Updated rabbitmq-server packages fix security vulnerabilities

Publication date: 08 Jun 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-9649, CVE-2014-9650, CVE-2015-0862


Updated rabbitmq-server package fixes security vulnerabilities:

RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error
messages which could act as an XSS vector (CVE-2014-9649).

RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads
(CVE-2014-9650).

In RabbitMQ before 3.4.3, some user-controllable content was not properly
HTML-escaped before being presented to a user in the management web UI.
An attacker could publish a specially crafted message, policy name, or client
version to execute arbitrary JavaScript code on behalf of a user who was
viewing messages, policies, or connected clients in the management UI. In all
cases, the attacker needs a valid user account on the targeted RabbitMQ
cluster (CVE-2015-0862).

The rabbitmq-server package has been updated to version 3.5.3, fixing these
issues and several other bugs.
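
As an added illustration (not part of the advisory and not RabbitMQ's own code): the Python below checks an installed version string against the fixed-in releases named above and sketches the vulnerable and hardened shapes of the two bug classes described, an HTML error body under /api/* and an unchecked value in a response header. The header name, the error-body layout and the sample crafted input are assumptions chosen for the illustration, not RabbitMQ's actual responses.

```python
"""Added illustration for MGASA-2015-0240: a version check against the
fixed-in releases named in the advisory, plus vulnerable/hardened sketches
of the two bug classes (HTML in API error bodies, CR/LF in a header).
Not RabbitMQ code; header names and error shapes are assumptions."""
import html
import json
import re

# Fixed-in versions as stated in the advisory text.
FIXED_IN = {
    "CVE-2014-9649": (3, 4, 1),
    "CVE-2014-9650": (3, 4, 1),
    "CVE-2015-0862": (3, 4, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Turn '3.4.2' (or a packaged form such as '3.4.2-1.mga4') into a tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part) for part in m.groups())


def affected_cves(version):
    """CVEs from this advisory that still apply to the given server version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def vulnerable_api_error(status, requested_path):
    """The pattern described for CVE-2014-9649: an HTML error page under
    /api/* that reflects the requested path without escaping (assumed layout)."""
    body = "<html><body><h1>%d Not Found</h1><p>%s</p></body></html>" % (
        status, requested_path)
    return {"status": status,
            "headers": {"Content-Type": "text/html"},
            "body": body}


def hardened_api_error(status, requested_path):
    """API errors as JSON: the browser never treats the body as markup, and
    json.dumps escapes quotes so the path cannot break out of the string."""
    body = json.dumps({"error": "Object Not Found", "status": status,
                       "path": requested_path})
    return {"status": status,
            "headers": {"Content-Type": "application/json"},
            "body": body}


def vulnerable_download_headers(filename):
    """Response-splitting shape (CVE-2014-9650): a caller-supplied name is
    interpolated into a header line unchecked, so a CR/LF inside it starts a
    new header line. The header name is an assumption for illustration."""
    raw = 'Content-Disposition: attachment; filename="%s"\r\n' % filename
    return raw.split("\r\n")[:-1]   # header lines as the client would see them


def hardened_download_headers(filename):
    """Same header, but refuse any value containing CR, LF or NUL."""
    if re.search(r"[\r\n\x00]", filename):
        raise ValueError("control character in header value")
    return ['Content-Disposition: attachment; filename="%s"' % filename]


def render_cell(user_text):
    """HTML-escape user-controlled content (message payload, policy name,
    client version) before it reaches a management-UI page (CVE-2015-0862)."""
    return html.escape(user_text, quote=True)


if __name__ == "__main__":
    for v in ("3.4.0", "3.4.1", "3.4.3", "3.5.3"):
        print(v, "still affected by:", affected_cves(v) or "nothing")
    crafted = 'defs.json"\r\nSet-Cookie: sid=attacker'   # constructed input
    print(vulnerable_download_headers(crafted))
    try:
        hardened_download_headers(crafted)
    except ValueError as err:
        print("hardened:", err)
    print(render_cell('<script>alert(1)</script>'))
```

Run it against the version reported by `rabbitmqctl status` or the installed package: anything below 3.4.3 is still exposed to at least CVE-2015-0862, and the 3.5.3 build shipped with this advisory clears all three.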