https://bugzilla.redhat.com/show_bug.cgi?id=1188678
Bug ID: 1188678
Summary: erlang-17.4.1 is available
Product: Fedora
Version: rawhide
Component: erlang
Keywords: FutureFeature, Triaged
Assignee: lemenkov(a)gmail.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, lemenkov(a)gmail.com,
rhbugs(a)n-dimensional.de, s(a)shk.io
Latest upstream release: 17.4.1
Current version/release in Fedora Rawhide: 17.4-1.fc22
URL: https://api.github.com/repos/erlang/otp/tags
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring Soon this service
will be implemented by a new system: https://release-monitoring.org/
It will require managing monitored projects via a new web interface. Please
make yourself familiar with the new system to ease the transition.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1118610
Bug ID: 1118610
Summary: erlang-rebar-2.5.0 is available
Product: Fedora
Version: rawhide
Component: erlang-rebar
Keywords: FutureFeature, Triaged
Assignee: lemenkov(a)gmail.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, lemenkov(a)gmail.com,
s(a)shk.io
Latest upstream release: 2.5.0
Current version/release in Fedora Rawhide: 2.1.0-0.8.fc21
URL: https://api.github.com/repos/rebar/rebar/tags
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
https://bugzilla.redhat.com/show_bug.cgi?id=1077925
Bug ID: 1077925
Summary: Use system double-conversion instead of bundled one
Product: Fedora
Version: rawhide
Component: erlang-jiffy
Assignee: filip(a)andresovi.net
Reporter: ville.skytta(a)iki.fi
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, filip(a)andresovi.net,
lkundrak(a)v3.sk
https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
'git am'able fix attached, build tested only. Let me know if you'd
like me to push and build this for devel.
https://bugzilla.redhat.com/show_bug.cgi?id=1184159
Bug ID: 1184159
Summary: ejabberd: XMPP resource consumption denial of service
when using application-layer compression (XEP-0138)
[fedora-all]
Product: Fedora
Version: 21
Component: ejabberd
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: vdanen(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, jkaluza(a)redhat.com,
lemenkov(a)gmail.com, martin(a)laptop.org
Blocks: 1084850
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1084850
[Bug 1084850] XMPP resource consumption denial of service when using
application-layer compression (XEP-0138)
https://bugzilla.redhat.com/show_bug.cgi?id=1211394
Bug ID: 1211394
Summary: rabbitmq-server package should install sample config
files
Product: Fedora EPEL
Version: epel7
Component: rabbitmq-server
Keywords: EasyFix, ZStream
Severity: low
Priority: low
Assignee: lemenkov(a)gmail.com
Reporter: apevec(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: afazekas(a)redhat.com, apevec(a)redhat.com,
dyocum(a)redhat.com, erlang(a)lists.fedoraproject.org,
extras-qa(a)fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lars(a)redhat.com,
lemenkov(a)gmail.com, lhh(a)redhat.com,
rhos-flags(a)redhat.com, rjones(a)redhat.com,
rohara(a)redhat.com, s(a)shk.io, sgordon(a)redhat.com,
yeylon(a)redhat.com
Depends On: 1160810
+++ This bug was initially created as a clone of Bug #1160810 +++
+++ This bug was initially created as a clone of Bug #1134956 +++
The rabbitmq-server package does not install any configuration into
/etc/rabbitmq/rabbitmq.config or /etc/rabbitmq/rabbitmq-env.conf. Having the
package install sample versions of these files would provide people with a
model of what they should look like and may ease the process for people moving
from qpid to rabbitmq (by providing an obvious location in which, e.g., to
place credentials if they would like to use a non-default username/password).
--- Additional comment from Attila Fazekas on 2014-10-13 06:17:37 EDT ---
The 3.1.5 tarball (and the hg tag) does not contain an example config file,
but the >=3.2.0 does.
Using the sample from the >=3.2.0 would be also helpful.
--- Additional comment from Dan Yocum on 2014-10-13 08:23:39 EDT ---
The example config file has unsupported/unpackaged features which I removed in
the second attachment I included. Use the 2nd attachment as the first one had
a typo (a trailing comma after a config stanza which made erlang puke).
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1160810
[Bug 1160810] rabbitmq-server package should install sample config files
https://bugzilla.redhat.com/show_bug.cgi?id=1185517
Bug ID: 1185517
Summary: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability
[epel-all]
Product: Fedora EPEL
Version: el6
Component: rabbitmq-server
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: kseifried(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com,
rjones(a)redhat.com, s(a)shk.io
Blocks: 1185514
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL. While
only one tracking bug has been filed, please correct all affected versions
at the same time. If you need to fix the versions independent of each
other, you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185514
[Bug 1185514] RabbitMQ: /api/... XSS vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185516
Bug ID: 1185516
Summary: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability
[fedora-all]
Product: Fedora
Version: 21
Component: rabbitmq-server
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: kseifried(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
lemenkov(a)gmail.com, rjones(a)redhat.com, s(a)shk.io
Blocks: 1185514
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185514
[Bug 1185514] RabbitMQ: /api/... XSS vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1183690
Bug ID: 1183690
Summary: rabbitmq logrotate script attempts to use legacy
service commands
Product: Fedora
Version: 21
Component: rabbitmq-server
Assignee: lemenkov(a)gmail.com
Reporter: lars(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
lemenkov(a)gmail.com, rjones(a)redhat.com, s(a)shk.io
Description of problem:
The rabbitmq-server package installs /etc/logrotate.d/rabbitmq-server with the
following:
    postrotate
        /sbin/service rabbitmq-server rotate-logs > /dev/null
    endscript
That hasn't worked since systemd was introduced, and results in the error:
/etc/cron.daily/logrotate:
The service command supports only basic LSB actions (start, stop, restart,
try-restart, reload, force-reload, status). For other actions, please try to
use systemctl.
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
Version-Release number of selected component (if applicable):
rabbitmq-server-3.1.5-10.fc21.noarch
https://bugzilla.redhat.com/show_bug.cgi?id=1174872
Bug ID: 1174872
Summary: rabbitmq-server: insufficient 'X-Forwarded-For' header
validation
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abaron(a)redhat.com, aortega(a)redhat.com,
apevec(a)redhat.com, ayoung(a)redhat.com,
chrisw(a)redhat.com, dallan(a)redhat.com,
erlang(a)lists.fedoraproject.org, gkotton(a)redhat.com,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, markmc(a)redhat.com,
pmyers(a)redhat.com, rbryant(a)redhat.com,
rjones(a)redhat.com, s(a)shk.io, sclewis(a)redhat.com,
yeylon(a)redhat.com
In RabbitMQ, the 'loopback_users' configuration directive allows specifying a
list of users that are only permitted to connect to the broker via localhost.
It was found that RabbitMQ's management plug-in did not sufficiently
validate the 'X-Forwarded-For' header when determining the remote address. A
remote attacker able to send a specially crafted 'X-Forwarded-For' header to
RabbitMQ could use this flaw to connect to the broker as if they were a
localhost user. Note that the attacker must know valid user credentials in
order to connect to the broker.
Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d
References:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
http://www.rabbitmq.com/release-notes/README-3.4.0.txt
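An added illustration of the flaw class described in bug 1174872, written for this page; it is not RabbitMQ's code and not the upstream patch. It contrasts a remote-address lookup that believes 'X-Forwarded-For' with one that uses the header only when the socket peer is a configured proxy. All function names, the user set and the addresses are hypothetical and constructed.

```python
import ipaddress

LOOPBACK_USERS = {"guest"}        # users limited to localhost, as with 'loopback_users'
TRUSTED_PROXIES = {"10.0.0.5"}    # constructed address of a reverse proxy we operate

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False              # an unparsable address is never local

def remote_addr_naive(peer, headers):
    """Flawed: the client-supplied header overrides the socket peer address."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer

def remote_addr_strict(peer, headers):
    """Use the header only when the TCP peer is a configured proxy, and then
    take the right-most hop that is not itself one of our proxies.
    Assumes each proxy appends the peer address it actually saw."""
    xff = headers.get("X-Forwarded-For")
    if peer not in TRUSTED_PROXIES or not xff:
        return peer               # header from an untrusted sender is ignored
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if hop not in TRUSTED_PROXIES:
            return hop
    return peer

def may_login(user, peer, headers, resolve):
    """Credentials are assumed valid; only the locality rule is checked."""
    if user not in LOOPBACK_USERS:
        return True
    return is_loopback(resolve(peer, headers))

if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}   # constructed request header
    for name, fn in (("naive", remote_addr_naive), ("strict", remote_addr_strict)):
        print(name, may_login("guest", "203.0.113.7", spoofed, fn))
```

The strict variant is only as good as the proxy in front of it: a proxy that passes a client's header through without appending the real peer address reintroduces the problem.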