11:15 p.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Bug ID: 1185515
Summary: RabbitMQ: /api/definitions rsponse splitting
vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: abaron(a)redhat.com, aortega(a)redhat.com,
apevec(a)redhat.com, ayoung(a)redhat.com,
chrisw(a)redhat.com, dallan(a)redhat.com,
erlang(a)lists.fedoraproject.org, gkotton(a)redhat.com,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, markmc(a)redhat.com,
pmyers(a)redhat.com, rbryant(a)redhat.com,
rjones(a)redhat.com, s(a)shk.io, sclewis(a)redhat.com,
yeylon(a)redhat.com
26433 fix response-splitting vulnerability in /api/downloads (since 2.1.0)
Bug 26433 allowed an attacker to specify a URL to /api/definitions which
would cause an arbitrary additional header to be returned. This was
fixed by stripping out CR/LF from the "download" query string parameter.
Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/dceba16cc105
References:
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
--
You are receiving this mail because:
You are on the CC list for the bug.
11:15 p.m.
New subject: [Bug 1185515] RabbitMQ: /api/definitions rsponse splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1185513
--
You are receiving this mail because:
You are on the CC list for the bug.
11:16 p.m.
New subject: [Bug 1185515] RabbitMQ: /api/definitions rsponse splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1185516
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185516
[Bug 1185516] rabbitmq-server: RabbitMQ: /api/... XSS vulnerability
[fedora-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
11:16 p.m.
New subject: [Bug 1185515] RabbitMQ: /api/definitions rsponse splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1185517
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185517
[Bug 1185517] rabbitmq-server: RabbitMQ: /api/... XSS vulnerability
[epel-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
11:16 p.m.
New subject: [Bug 1185515] RabbitMQ: /api/definitions rsponse splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
--- Comment #1 from Kurt Seifried <kseifried(a)redhat.com> ---
Created rabbitmq-server tracking bugs for this issue:
Affects: fedora-all [bug 1185516]
Affects: epel-all [bug 1185517]
--
You are receiving this mail because:
You are on the CC list for the bug.
11:17 p.m.
New subject: [Bug 1185515] RabbitMQ: /api/definitions response splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|RabbitMQ: /api/definitions |RabbitMQ: /api/definitions
|rsponse splitting |response splitting
|vulnerability |vulnerability
--
You are receiving this mail because:
You are on the CC list for the bug.
1:03 p.m.
New subject: [Bug 1185515] RabbitMQ: /api/definitions response splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2014-9650
--
You are receiving this mail because:
You are on the CC list for the bug.
1:03 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|RabbitMQ: /api/definitions |CVE-2014-9650 RabbitMQ:
|response splitting |/api/definitions response
|vulnerability |splitting vulnerability
--
You are receiving this mail because:
You are on the CC list for the bug.
11:43 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Garth Mollett <gmollett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |gmollett(a)redhat.com
Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014
|1029,reported=20150121,sour |1029,reported=20150121,sour
|ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/
|AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor
|a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec
|ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve
|r=affected,openstack-5-rhel |r=affected,openstack-5-rhel
|6/rabbitmq-server=new,opens |6/rabbitmq-server=affected,
|tack-5-rhel7/rabbitmq-serve |openstack-5-rhel7/rabbitmq-
|r=new,openstack-6/rabbitmq- |server=affected,openstack-6
|server=new |/rabbitmq-server=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
10:21 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Garth Mollett <gmollett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014
|1029,reported=20150121,sour |1029,reported=20150121,sour
|ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/
|AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor
|a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec
|ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve
|r=affected,openstack-5-rhel |r=affected,openstack-5/rabb
|6/rabbitmq-server=affected, |itmq-server=defer,openstack
|openstack-5-rhel7/rabbitmq- |-6/rabbitmq-server=defer
|server=affected,openstack-6 |
|/rabbitmq-server=affected |
--
You are receiving this mail because:
You are on the CC list for the bug.
4:17 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Peter Lemenkov <plemenko(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
CC| |plemenko(a)redhat.com
Fixed In Version| |rabbitmq-server-3.5.1-1.fc2
| |2
Resolution|--- |ERRATA
Last Closed| |2015-10-23 17:17:27
--- Comment #2 from Peter Lemenkov <plemenko(a)redhat.com> ---
Both this and corresponding bug 1185514 were addressed in RabbitMQ 3.4.1. We
already ship ver. 3.5.x, so this issue is already fixed in Fedora 22+.
As for Fedora 21 users, we strongly advise users to upgrade to F22 or to the
upcoming F23.
--
You are receiving this mail because:
You are on the CC list for the bug.
4:22 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Bug 1185515 depends on bug 1185516, which changed state.
Bug 1185516 Summary: rabbitmq-server: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1185516
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
4:23 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Peter Lemenkov <plemenko(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CLOSED |NEW
Resolution|ERRATA |---
Keywords| |Reopened
--- Comment #3 from Peter Lemenkov <plemenko(a)redhat.com> ---
Reopening - unfortunately it still not fixed for EPEL7.
--
You are receiving this mail because:
You are on the CC list for the bug.
8:25 a.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
--- Comment #4 from Fedora Update System <updates(a)fedoraproject.org> ---
rabbitmq-server-3.3.5-12.el7 has been pushed to the Fedora EPEL 7 stable
repository. If problems still persist, please make note of it in this bug
report.
--
You are receiving this mail because:
You are on the CC list for the bug.
8:25 a.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Bug 1185515 depends on bug 1185517, which changed state.
Bug 1185517 Summary: rabbitmq-server: various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1185517
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
9:01 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Garth Mollett <gmollett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014
|1029,reported=20150121,sour |1029,reported=20150121,sour
|ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/
|AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor
|a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec
|ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve
|r=affected,openstack-5/rabb |r=affected,openstack-5/rabb
|itmq-server=defer,openstack |itmq-server=affected,openst
|-6/rabbitmq-server=defer |ack-6/rabbitmq-server=affec
| |ted
--
You are receiving this mail because:
You are on the CC list for the bug.
9:21 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Garth Mollett <gmollett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014
|1029,reported=20150121,sour |1029,reported=20150121,sour
|ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/
|AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor
|a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec
|ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve
|r=affected,openstack-5/rabb |r=affected,openstack-5/rabb
|itmq-server=affected,openst |itmq-server=affected,openst
|ack-6/rabbitmq-server=affec |ack-6/rabbitmq-server=affec
|ted |ted,openstack-7/rabbitmq-se
| |rver=affected,openstack-8/r
| |abbitmq-server=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
9:25 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Garth Mollett <gmollett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1304946
Depends On| |1304947
Depends On| |1304948
Depends On| |1304949
Depends On| |1304950
--
You are receiving this mail because:
You are on the CC list for the bug.
6:06 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Summer Long <slong(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |slong(a)redhat.com
Flags| |needinfo?(gmollett(a)redhat.c
| |om)
--- Doc Text *updated* ---
A response-splitting vulnerability was discovered in RabbitMQ. An /api/definitions URL
could be specified, which then caused an arbitrary additional header to be returned. A
remote attacker could use this flaw to inject arbitrary HTTP headers and possibly gain
access to secure data.
--
You are receiving this mail because:
You are on the CC list for the bug.
6:32 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Garth Mollett <gmollett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|needinfo?(gmollett(a)redhat.c |
|om) |
--
You are receiving this mail because:
You are on the CC list for the bug.
7:30 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
--- Comment #8 from Garth Mollett <gmollett(a)redhat.com> ---
Acknowledgments:
Name: (none)
--
You are receiving this mail because:
You are on the CC list for the bug.
11:10 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
--- Comment #9 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
OpenStack 6 for RHEL 7
Via RHSA-2016:0308 https://rhn.redhat.com/errata/RHSA-2016-0308.html
--
You are receiving this mail because:
You are on the CC list for the bug.
4:54 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
--- Comment #10 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7
Via RHSA-2016:0369 https://rhn.redhat.com/errata/RHSA-2016-0369.html
--
You are receiving this mail because:
You are on the CC list for the bug.
4:55 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
--- Comment #11 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6
Via RHSA-2016:0368 https://rhn.redhat.com/errata/RHSA-2016-0368.html
--
You are receiving this mail because:
You are on the CC list for the bug.
4:56 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
--- Comment #12 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Via RHSA-2016:0367 https://rhn.redhat.com/errata/RHSA-2016-0367.html
--
You are receiving this mail because:
You are on the CC list for the bug.
5:41 p.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Garth Mollett <gmollett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
Last Closed|2015-10-23 17:17:27 |2016-03-08 18:41:01
--
You are receiving this mail because:
You are on the CC list for the bug.
6:38 a.m.
New subject: [Bug 1185515] CVE-2014-9650 RabbitMQ: /api/definitions response
splitting vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1185515
Ján Rusnačko <jrusnack(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jrusnack(a)redhat.com
Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014
|1029,reported=20150121,sour |1029,reported=20150121,sour
|ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/
|AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor
|a-all/rabbitmq-server=affec |a-all/rabbitmq-server=affec
|ted,epel-all/rabbitmq-serve |ted,epel-all/rabbitmq-serve
|r=affected,openstack-5/rabb |r=affected,openstack-5/rabb
|itmq-server=affected,openst |itmq-server=affected,openst
|ack-6/rabbitmq-server=affec |ack-6/rabbitmq-server=affec
|ted,openstack-7/rabbitmq-se |ted,openstack-7/rabbitmq-se
|rver=affected,openstack-8/r |rver=affected,openstack-8/r
|abbitmq-server=affected |abbitmq-server=affected,cwe
| |=CWE-113
--
You are receiving this mail because:
You are on the CC list for the bug.
2966
days inactive
3377
days old
erlang@lists.fedoraproject.org
26 comments
1 participants
participants (1)
-
Red Hat Bugzilla