[Bug 1184159] New: ejabberd: XMPP resource consumption denial of service when using application-layer compression (XEP-0138) [fedora-all]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1184159
Bug ID: 1184159
Summary: ejabberd: XMPP resource consumption denial of service
when using application-layer compression (XEP-0138)
[fedora-all]
Product: Fedora
Version: 21
Component: ejabberd
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: vdanen(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, jkaluza(a)redhat.com,
lemenkov(a)gmail.com, martin(a)laptop.org
Blocks: 1084850
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1084850
[Bug 1084850] XMPP resource consumption denial of service when using
application-layer compression (XEP-0138)
--
You are receiving this mail because:
You are on the CC list for the bug.
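The tracking bug above carries only its summary, so the mechanism is not spelled out on this page. As an added illustration (not ejabberd's code, and not a claim about the specific flaw tracked in bug 1084850), the Python below shows the general failure mode behind any application-layer compression denial of service and its standard mitigation: a zlib chunk received from a peer is inflated in bounded steps and rejected once it passes an absolute or ratio-based size cap, instead of expanding into whatever the peer's stream dictates. The limits, the sample stanzas and the zero-filled "bomb" are all constructed for the example.

```python
import zlib
from typing import Optional

# Limits are assumptions for the example, not values from ejabberd or XEP-0138.
MAX_OUTPUT = 1 << 20     # never inflate more than 1 MiB from one received chunk
MAX_RATIO = 100          # and never more than 100x the compressed size
STEP = 64 * 1024         # inflate in 64 KiB steps so the limit is checked early


class CompressionBombError(Exception):
    """Raised when compressed input would expand past the configured limits."""


def inflate_bounded(data: bytes, max_output: int = MAX_OUTPUT,
                    max_ratio: int = MAX_RATIO) -> bytes:
    """Inflate one zlib chunk received from a peer.

    A plain zlib.decompress(data) allocates whatever the stream expands to,
    which is the resource-consumption problem: a few KiB of deflate can
    stand for hundreds of MiB. Here decompression runs in bounded steps and
    stops as soon as the running total passes an absolute cap or a cap
    relative to the input size.
    """
    limit = min(max_output, max(len(data), 1) * max_ratio)
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while True:
        # max_length bounds how much this call may emit; input it did not get
        # to is handed back in d.unconsumed_tail for the next round
        chunk = d.decompress(buf, STEP)
        out += chunk
        if len(out) > limit:
            raise CompressionBombError(
                f"{len(data)} compressed bytes exceeded {limit} bytes inflated")
        buf = d.unconsumed_tail
        if d.eof or (not buf and not chunk):
            break
    return bytes(out)


def try_inflate(data: bytes) -> Optional[bytes]:
    """The inflated bytes, or None if the chunk was rejected or malformed."""
    try:
        return inflate_bounded(data)
    except (CompressionBombError, zlib.error):
        return None


# Constructed sample traffic: a few ordinary stanzas, and a "bomb" of 8 MiB
# of zero bytes, which deflate shrinks to a few KiB.
SAMPLE_STANZAS = b"<message to='b@example.org'><body>hi</body></message>" * 20
LEGIT_CHUNK = zlib.compress(SAMPLE_STANZAS)
BOMB_CHUNK = zlib.compress(b"\0" * (8 << 20), 9)

if __name__ == "__main__":
    legit = try_inflate(LEGIT_CHUNK)
    print("legit chunk:", len(LEGIT_CHUNK), "->", len(legit or b""), "bytes")
    print("bomb chunk:", len(BOMB_CHUNK), "compressed bytes ->", try_inflate(BOMB_CHUNK))
```

The ratio cap is what matters for a stream like XEP-0138, where every chunk is small: an absolute cap alone would still let a peer push the server to the cap on every single read.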
[Bug 1185517] New: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [epel-all]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185517
Bug ID: 1185517
Summary: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability
[epel-all]
Product: Fedora EPEL
Version: el6
Component: rabbitmq-server
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: kseifried(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com,
rjones(a)redhat.com, s(a)shk.io
Blocks: 1185514
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL. While
only one tracking bug has been filed, please correct all affected versions
at the same time. If you need to fix the versions independent of each
other, you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185514
[Bug 1185514] RabbitMQ: /api/... XSS vulnerability
[Bug 1160810] New: rabbitmq-server package should install sample config files
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1160810
Bug ID: 1160810
Summary: rabbitmq-server package should install sample config
files
Product: Fedora
Version: rawhide
Component: rabbitmq-server
Keywords: EasyFix, ZStream
Severity: low
Priority: low
Assignee: lemenkov(a)gmail.com
Reporter: jeckersb(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: afazekas(a)redhat.com, apevec(a)redhat.com,
dyocum(a)redhat.com, erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
lars(a)redhat.com, lemenkov(a)gmail.com, lhh(a)redhat.com,
rhos-flags(a)redhat.com, rjones(a)redhat.com,
rohara(a)redhat.com, s(a)shk.io, sgordon(a)redhat.com,
yeylon(a)redhat.com
Depends On: 1134956
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1134956
[Bug 1134956] rabbitmq-server package should install sample config files
[Bug 1185516] New: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [fedora-all]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185516
Bug ID: 1185516
Summary: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability
[fedora-all]
Product: Fedora
Version: 21
Component: rabbitmq-server
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: kseifried(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
lemenkov(a)gmail.com, rjones(a)redhat.com, s(a)shk.io
Blocks: 1185514
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185514
[Bug 1185514] RabbitMQ: /api/... XSS vulnerability
[Bug 1183690] New: rabbitmq logrotate script attempts to use legacy service commands
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1183690
Bug ID: 1183690
Summary: rabbitmq logrotate script attempts to use legacy
service commands
Product: Fedora
Version: 21
Component: rabbitmq-server
Assignee: lemenkov(a)gmail.com
Reporter: lars(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
lemenkov(a)gmail.com, rjones(a)redhat.com, s(a)shk.io
Description of problem:
The rabbitmq-server package installs /etc/logrotate.d/rabbitmq-server with the
following:
    postrotate
        /sbin/service rabbitmq-server rotate-logs > /dev/null
    endscript
That hasn't worked since systemd was introduced, and results in the error:
/etc/cron.daily/logrotate:
The service command supports only basic LSB actions (start, stop, restart,
try-restart, reload, force-reload, status). For other actions, please try to
use systemctl.
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
Version-Release number of selected component (if applicable):
rabbitmq-server-3.1.5-10.fc21.noarch
[Bug 1174872] New: rabbitmq-server: insufficient 'X-Forwarded-For' header validation
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1174872
Bug ID: 1174872
Summary: rabbitmq-server: insufficient 'X-Forwarded-For' header
validation
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abaron(a)redhat.com, aortega(a)redhat.com,
apevec(a)redhat.com, ayoung(a)redhat.com,
chrisw(a)redhat.com, dallan(a)redhat.com,
erlang(a)lists.fedoraproject.org, gkotton(a)redhat.com,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, markmc(a)redhat.com,
pmyers(a)redhat.com, rbryant(a)redhat.com,
rjones(a)redhat.com, s(a)shk.io, sclewis(a)redhat.com,
yeylon(a)redhat.com
In RabbitMQ, the 'loopback_users' configuration directive allows specifying a
list of users that are only permitted to connect to the broker via localhost.
It was found that RabbitMQ's management plug-in did not sufficiently
validate the 'X-Forwarded-For' header when determining the remote address. A
remote attacker able to send a specially crafted 'X-Forwarded-For' header to
RabbitMQ could use this flaw to connect to the broker as if they were a
localhost user. Note that the attacker must know valid user credentials in
order to connect to the broker.
Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d
References:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
http://www.rabbitmq.com/release-notes/README-3.4.0.txt
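The report above describes the flaw in terms of where the management plug-in gets the remote address from. The Python below is an added illustration of that decision, not the upstream patch and not RabbitMQ's Erlang code: `remote_addr_trusting` mirrors the behaviour described (believe X-Forwarded-For from anyone), `remote_addr_validated` is one common correction (honor the header only when the TCP peer is a configured reverse proxy, walking the chain from the right), and `login_allowed` applies the loopback_users rule with either resolver. The trusted-proxy address, the header dictionary with lower-cased keys and the sample request are assumptions made for the example; credentials are taken as already verified, since the report notes the attacker needs valid ones.

```python
import ipaddress
from typing import Callable, List, Mapping, Set, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed policy for the example. 'guest' is the entry RabbitMQ ships in
# loopback_users by default; the trusted-proxy set is a hypothetical reverse
# proxy in front of the management listener and is not a RabbitMQ setting.
LOOPBACK_USERS: Set[str] = {"guest"}
TRUSTED_PROXIES: Set[IPAddress] = {ipaddress.ip_address("10.0.0.5")}


def parse_forwarded_for(value: str) -> List[IPAddress]:
    """Split 'X-Forwarded-For: a, b, c' into addresses, left (client) to
    right (last proxy). Raises ValueError on any token that is not an IP."""
    return [ipaddress.ip_address(tok.strip()) for tok in value.split(",") if tok.strip()]


def remote_addr_trusting(peer_ip: IPAddress, headers: Mapping[str, str]) -> IPAddress:
    """The pre-fix behaviour the bug describes: if the request carries an
    X-Forwarded-For header, believe it, no matter who the TCP peer is."""
    try:
        chain = parse_forwarded_for(headers.get("x-forwarded-for", ""))
    except ValueError:
        chain = []
    return chain[0] if chain else peer_ip


def remote_addr_validated(peer_ip: IPAddress, headers: Mapping[str, str],
                          trusted: Set[IPAddress] = TRUSTED_PROXIES) -> IPAddress:
    """Only a trusted reverse proxy gets to vouch for a client address.

    Anything an untrusted peer sends in X-Forwarded-For is ignored. When the
    peer is trusted, walk the chain from the right (what the last proxy
    appended) and stop at the first address that is not itself a trusted
    proxy; a malformed header fails closed to the TCP peer address.
    """
    if peer_ip not in trusted:
        return peer_ip
    try:
        chain = parse_forwarded_for(headers.get("x-forwarded-for", ""))
    except ValueError:
        return peer_ip
    for addr in reversed(chain):
        if addr not in trusted:
            return addr
    return peer_ip


def login_allowed(user: str, peer_ip: IPAddress, headers: Mapping[str, str],
                  resolve: Callable[[IPAddress, Mapping[str, str]], IPAddress]) -> bool:
    """Apply the loopback_users rule with the given remote-address resolver.

    Credentials are assumed to have been checked already; as the report says,
    the attacker needs a valid user and password for this to matter.
    """
    if user not in LOOPBACK_USERS:
        return True
    return resolve(peer_ip, headers).is_loopback


# Constructed request: a remote host connects straight to the management
# listener and sends its own X-Forwarded-For claiming to be localhost.
ATTACKER_PEER = ipaddress.ip_address("203.0.113.9")
SPOOFED_HEADERS = {"x-forwarded-for": "127.0.0.1"}
PROXY_PEER = ipaddress.ip_address("10.0.0.5")

if __name__ == "__main__":
    for name, resolve in (("trusting", remote_addr_trusting),
                          ("validated", remote_addr_validated)):
        verdict = login_allowed("guest", ATTACKER_PEER, SPOOFED_HEADERS, resolve)
        print(f"{name}: guest from {ATTACKER_PEER} with spoofed XFF ->",
              "allowed" if verdict else "denied")
```

The point of walking the chain from the right is that a proxy appends the address it saw; anything to the left of that was supplied by the client and is no more trustworthy than a header sent directly.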
[Bug 1104843] New: rabbitmqctl doesn't work
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1104843
Bug ID: 1104843
Summary: rabbitmqctl doesn't work
Product: Fedora
Version: 20
Component: rabbitmq-server
Severity: high
Priority: urgent
Assignee: hubert.plociniczak(a)gmail.com
Reporter: jeckersb(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: apevec(a)redhat.com, erlang(a)lists.fedoraproject.org,
fdinitto(a)redhat.com, hubert.plociniczak(a)gmail.com,
jeckersb(a)redhat.com, lemenkov(a)gmail.com,
lhh(a)redhat.com, rjones(a)redhat.com, s(a)shk.io
Depends On: 1104193
Blocks: 1083890
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1104193
[Bug 1104193] rabbitmqctl doesn't work
[Bug 1197421] New: Logrotate needs to use systemctl
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1197421
Bug ID: 1197421
Summary: Logrotate needs to use systemctl
Product: Fedora EPEL
Version: epel7
Component: rabbitmq-server
Severity: medium
Assignee: lemenkov(a)gmail.com
Reporter: bwong(a)fastmail.fm
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com,
rjones(a)redhat.com, s(a)shk.io
Description of problem:
The package rabbitmq-server-3.3.5-4.el7.noarch installs a logrotate
configuration file that uses /sbin/service. Log rotation does not run
successfully because the postrotate parameter needs to be updated.
The message received from logrotate (via cron):
/etc/cron.hourly/logrotate:
The service command supports only basic LSB actions (start, stop, restart,
try-restart, reload, force-reload, status). For other actions, please try to
use systemctl.
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
Version-Release number of selected component (if applicable):
rabbitmq-server-3.3.5-4.el7.noarch
How reproducible:
Consistently
Steps to Reproduce:
1. Install rabbitmq-server.
2. View logrotate configuration file /etc/logrotate.d/rabbitmq-server
3.
Actual results:
All I can confirm is the error message from logrotate; whether the rabbitmq
logs actually get rotated, I cannot say for sure at this time.
Expected results:
A working postrotate command
Additional info:
[Bug 1148444] New: logrotation fails
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1148444
Bug ID: 1148444
Summary: logrotation fails
Product: Fedora EPEL
Version: epel7
Component: rabbitmq-server
Assignee: lemenkov(a)gmail.com
Reporter: Jan.van.Eldik(a)cern.ch
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com,
rjones(a)redhat.com, s(a)shk.io
Description of problem:
Logrotation fails 100% because of old-style post-rotate command
Version-Release number of selected component (if applicable):
rabbitmq-server-3.1.5-7.el7.noarch
How reproducible:
100%
Steps to Reproduce:
[root@jcentos7-01 tmp]# logrotate -f /etc/logrotate.conf
The service command supports only basic LSB actions (start, stop, restart,
try-restart, reload, force-reload, status). For other actions, please try to
use systemctl.
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
[root@jcentos7-01 tmp]# cat /etc/logrotate.d/rabbitmq-server
/var/log/rabbitmq/*.log {
    weekly
    missingok
    rotate 20
    compress
    delaycompress
    notifempty
    sharedscripts
    postrotate
        /sbin/service rabbitmq-server rotate-logs > /dev/null
    endscript
}
[root@jcentos7-01 tmp]# /sbin/service rabbitmq-server rotate-logs > /dev/null
The service command supports only basic LSB actions (start, stop, restart,
try-restart, reload, force-reload, status). For other actions, please try to
use systemctl.
[root@jcentos7-01 tmp]# echo $?
2
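The three reports above (bugs 1183690, 1197421 and 1148444) show the same failure: a postrotate script calling /sbin/service with an action outside the LSB set that the systemd compatibility wrapper accepts. The Python below is an added audit for that pattern, not part of the package or of any of the reports: it extracts the script bodies from logrotate configurations and flags service calls whose action is not one of the seven listed in the error message, so the problem is found before the next cron run fails. The sample configurations are constructed copies of the one quoted in bug 1148444 plus a healthy one; the default scan directory /etc/logrotate.d is the standard drop-in location.

```python
import os
import re
from typing import Iterator, List, Tuple

# The actions /sbin/service still accepts under systemd, as quoted in the
# error message in the reports above.
LSB_ACTIONS = frozenset(
    ["start", "stop", "restart", "try-restart", "reload", "force-reload", "status"])

# Matches "service <unit> <action>" whether called bare or by full path.
SERVICE_CALL = re.compile(r"(?:^|[\s/])service\s+(\S+)\s+(\S+)", re.MULTILINE)

# logrotate directives whose body runs until a line reading 'endscript'
SCRIPT_DIRECTIVES = ("postrotate", "prerotate", "firstaction", "lastaction", "preremove")


def postrotate_bodies(config_text: str) -> Iterator[str]:
    """Yield the text between each script directive and its 'endscript'.

    logrotate(8) keeps script bodies verbatim until a line that is exactly
    'endscript', so a simple line scan is enough."""
    body: List[str] = []
    inside = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not inside:
            if stripped in SCRIPT_DIRECTIVES:
                inside, body = True, []
        elif stripped == "endscript":
            inside = False
            yield "\n".join(body)
        else:
            body.append(line)


def find_legacy_service_actions(config_text: str) -> List[Tuple[str, str]]:
    """Return (unit, action) pairs for service calls whose action the
    systemd 'service' wrapper will refuse with exit status 2."""
    found = []
    for body in postrotate_bodies(config_text):
        for unit, action in SERVICE_CALL.findall(body):
            if action not in LSB_ACTIONS:
                found.append((unit, action))
    return found


def audit_logrotate_dir(directory: str = "/etc/logrotate.d") -> List[Tuple[str, str, str]]:
    """Scan every file in a logrotate drop-in directory; returns (path, unit, action)."""
    hits = []
    if not os.path.isdir(directory):
        return hits
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for unit, action in find_legacy_service_actions(fh.read()):
                hits.append((path, unit, action))
    return hits


# Constructed copy of the config quoted in bug 1148444, plus a healthy one
# whose postrotate only uses an LSB action and systemctl.
RABBITMQ_LOGROTATE = """\
/var/log/rabbitmq/*.log {
    weekly
    missingok
    rotate 20
    compress
    delaycompress
    notifempty
    sharedscripts
    postrotate
        /sbin/service rabbitmq-server rotate-logs > /dev/null
    endscript
}
"""

HEALTHY_LOGROTATE = """\
/var/log/example/*.log {
    daily
    sharedscripts
    postrotate
        /sbin/service example reload > /dev/null 2>&1 || true
        systemctl kill -s HUP other.service
    endscript
}
"""

if __name__ == "__main__":
    for path, unit, action in audit_logrotate_dir():
        print(f"{path}: 'service {unit} {action}' is not an LSB action; "
              "the wrapper will refuse it and logrotate will report the script as failed")
```

The check only reports. Which replacement command the package should use is left open in the reports, so none is assumed here; the regex also deliberately ignores `something.service` unit names so that systemctl lines are not misread as service calls.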