Hello community,

here is the log from the commit of package rabbitmq-server for openSUSE:Factory 
checked in at 2025-06-18 15:58:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rabbitmq-server (Old)
 and      /work/SRC/openSUSE:Factory/.rabbitmq-server.new.19631 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rabbitmq-server"

Wed Jun 18 15:58:28 2025 rev:95 rq:1286574 version:3.13.7

Changes:
--------
--- /work/SRC/openSUSE:Factory/rabbitmq-server/rabbitmq-server.changes  
2025-04-24 17:28:00.535617275 +0200
+++ 
/work/SRC/openSUSE:Factory/.rabbitmq-server.new.19631/rabbitmq-server.changes   
    2025-06-18 16:03:45.583062772 +0200
@@ -1,0 +2,7 @@
+Wed Apr 30 07:31:55 UTC 2025 - Simon Lees <sfl...@suse.de>
+
+- Correctly escape hostname that could lead to xss attack
+  (bsc#1240071, CVE-2025-30219)
+  * fix-CVE-2025-30219.patch 
+
+-------------------------------------------------------------------
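Review bot: the entry line "Correctly escape hostname that could lead to xss attack" mentions only a hostname, while fix-CVE-2025-30219.patch as listed in this submission wraps two values in fmt_string: vhosts[i].name (the virtual host name) and vhost_status_node (the node name), both in overview.ejs of rabbitmq_management. Wording the entry after what is actually escaped, and naming the management UI as the affected component, would make it easier to judge exposure from the changelog alone. The "* fix-CVE-2025-30219.patch" line also carries a trailing space.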

New:
----
  fix-CVE-2025-30219.patch

----------(New B)----------
  New:  (bsc#1240071, CVE-2025-30219)
  * fix-CVE-2025-30219.patch 
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rabbitmq-server.spec ++++++
--- /var/tmp/diff_new_pack.q2qt5e/_old  2025-06-18 16:03:46.475099696 +0200
+++ /var/tmp/diff_new_pack.q2qt5e/_new  2025-06-18 16:03:46.479099862 +0200
@@ -54,6 +54,7 @@
 Source7:        
https://raw.githubusercontent.com/rabbitmq/rabbitmq-packaging/v%{version}/RPMS/Fedora/rabbitmq-server.tmpfiles
 Source8:        README.SUSE
 Patch0:         rabbitmq-server-allow-elixir-1.18.patch
+Patch1:         fix-CVE-2025-30219.patch
 BuildRequires:  elixir
 # https://www.rabbitmq.com/which-erlang.html
 BuildRequires:  erlang >= 25.0
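Review bot: the new Patch1 line has no comment above it saying where the patch comes from. A one-line comment with the references already given in this submission (bsc#1240071, CVE-2025-30219, cherry-picked from upstream commit 8ad8d3197ec0a233d1427479f9e88879cfda5ea4) would let the next packager see at a glance that it is an upstream security backport and when it can be dropped on a version bump.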

++++++ fix-CVE-2025-30219.patch ++++++
>From b0cdbf3d25c486934d1673044809a6d0bb5e1503 Mon Sep 17 00:00:00 2001
From: Michael Klishin <mich...@clojurewerkz.org>
Date: Fri, 25 Oct 2024 22:14:41 -0400
Subject: [PATCH] Use fmt_string in this error message

(cherry picked from commit 8ad8d3197ec0a233d1427479f9e88879cfda5ea4)
---
 deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs 
b/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
index fdbbe1b8e025..6276f10d8771 100644
--- a/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
+++ b/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
@@ -27,7 +27,7 @@
         if (vhosts[i].cluster_state[vhost_status_node] != 'running') {
 %>
 <p class="warning">
-  Virtual host <b><%= vhosts[i].name %></b> experienced an error on node 
<b><%= vhost_status_node %></b> and may be inaccessible
+  Virtual host <b><%= fmt_string(vhosts[i].name) %></b> experienced an error 
on node <b><%= fmt_string(vhost_status_node) %></b> and may be inaccessible
 </p>
 <% }}} %>
 </div>
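Review bot: the change covers only the two interpolations inside the `<p class="warning">` paragraph, and the fact that fmt_string is needed there shows that a bare `<%= ... %>` in this template emits the value without HTML escaping. Any other place in overview.ejs or the sibling templates that prints a virtual host or node name through a bare `<%= ... %>` would have the same problem, so it is worth confirming that those outputs already go through fmt_string before treating the CVE as closed by this one line. A regression test that renders this warning for a virtual host whose name contains markup characters would keep the escaping from being lost in a later template edit.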
