Updated rabbitmq-server packages fix security vulnerabilities
Publication date: 08 Jun 2015Modification date: 08 Jun 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-9649 , CVE-2014-9650 , CVE-2014-0862
Description
Updated rabbitmq-server package fixes security vulnerabilities: RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error messages which could act as an XSS vector (CVE-2014-9649). RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads (CVE-2014-9650). In RabbitMQ before 3.4.3, some user-controllable content was not properly HTML-escaped before being presented to a user in the management web UI. An attacker could publish a specially crafted message, policy name, or client version to execute arbitrary Javascript code on behalf of a user who was viewing messages, policies, or connected clients in the management UI. In all cases, the attacker needs a valid user account on the targetted RabbitMQ cluster (CVE-2015-0862). The rabbitmq-server package has been updated to version 3.5.3, fixing these issues and several other bugs.
References
- https://bugs.mageia.org/show_bug.cgi?id=15120
- https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
- http://openwall.com/lists/oss-security/2015/01/27/8
- http://www.rabbitmq.com/news.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9649
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9650
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0862
SRPMS
4/core
- rabbitmq-server-3.5.3-1.mga4