Your message dated Sat, 29 Jun 2024 21:35:35 +0100
with message-id <zobwf2ohd6llh...@powdarrmonkey.net>
and subject line Re: Bug#1002956: New debdiff
has caused the Debian Bug report #1002956,
regarding bullseye-pu: package rabbitmq-server/3.8.9-3 CVE-2021-32718, 
CVE-2021-32719
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1002956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002956
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Hi,

I'd like to update rabbitmq-server to address:
https://bugs.debian.org/990524

That's CVE-2021-32718, CVE-2021-32719.

[ Impact ]
XSS security bugs.

[ Risks ]
The patch only impacts some plugins which aren't activated
by default, so most users aren't even impacted. However, the
patches are also super-small, so why not approve them?

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Cheers,

Thomas Goirand (zigo)
diff -Nru rabbitmq-server-3.8.9/debian/changelog 
rabbitmq-server-3.8.9/debian/changelog
--- rabbitmq-server-3.8.9/debian/changelog      2021-04-10 22:59:57.000000000 
+0200
+++ rabbitmq-server-3.8.9/debian/changelog      2022-01-01 18:46:04.000000000 
+0100
@@ -1,3 +1,23 @@
+rabbitmq-server (3.8.9-3+deb11u1) bullseye; urgency=medium
+
+  * CVE-2021-32719: In rabbitmq-server prior to version 3.8.18, when a
+    federation link was displayed in the RabbitMQ management UI via the
+    `rabbitmq_federation_management` plugin, its consumer tag was rendered
+    without proper &lt;script&gt; tag sanitization. This potentially allows
+    for JavaScript code execution in the context of the page. The user must
+    be signed in and have elevated permissions (manage federation upstreams
+    and policies) for this to occur. Applied upstream patch: Escape the
+    consumer-tag value in federation mgmt.
+  * CVE-2021-32718: In rabbitmq-server prior to version 3.8.17, a new user
+    being added via management UI could lead to the user's bane being
+    rendered in a confirmation message without proper `&lt;script&gt;` tag
+    sanitization, potentially allowing for JavaScript code execution in the
+    context of the page. In order for this to occur, the user must be signed
+    in and have elevated permissions (other user management).
+  * Closes: #990524
+
+ -- Thomas Goirand <z...@debian.org>  Sat, 01 Jan 2022 18:46:04 +0100
+
 rabbitmq-server (3.8.9-3) unstable; urgency=medium
 
   [ Adam Cecile ]
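Review bot: the CVE-2021-32718 entry has a typo, "the user's bane being rendered" should read "the user's name being rendered"; and unlike the CVE-2021-32719 entry it does not record which upstream patch was applied, so a line such as "Applied upstream patch: Escape username before displaying it." (matching the debian/patches file name added in this debdiff) would make the two entries consistent.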
diff -Nru 
rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch
 
rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch
--- 
rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch
      2022-01-01 18:46:04.000000000 +0100
@@ -0,0 +1,21 @@
+Description: CVE-2021-32718: Escape username before displaying it
+ All other values displayed in pop-ups are already escaped.
+Author: Michael Klishin <mich...@clojurewerkz.org>
+Date: Thu, 6 May 2021 06:57:43 +0300
+Origin: upstream, 
https://github.com/rabbitmq/rabbitmq-server/commit/5d15ffc5ebfd9818fae488fc05d1f120ab02703c.patch
+Bug-Debian: https://bugs.debian.org/990524
+Last-Update: 2022-01-01
+
+diff --git a/deps/rabbitmq_management/priv/www/js/dispatcher.js 
b/deps/rabbitmq_management/priv/www/js/dispatcher.js
+index d2842c2da8a..5f1b54dbac8 100644
+--- a/deps/rabbitmq_management/priv/www/js/dispatcher.js
++++ b/deps/rabbitmq_management/priv/www/js/dispatcher.js
+@@ -189,7 +189,7 @@ dispatcher_add(function(sammy) {
+             res = sync_put(this, '/users/:username');
+             if (res) {
+                 if (res.http_status === 204) {
+-                    username = res.req_params.username;
++                    username = fmt_escape_html(res.req_params.username);
+                     show_popup('warn', "Updated an existing user: '" + 
username + "'");
+                 }
+                 update();
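Review bot: the escaping is applied at the right point, immediately before the value is concatenated into the HTML string passed to show_popup. The escaped value is also assigned back to `username`, so the one thing to confirm is that the `update();` call and nothing else in this branch relies on `username` holding the raw request parameter.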
diff -Nru 
rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
 
rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
--- 
rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
  2022-01-01 18:46:04.000000000 +0100
@@ -0,0 +1,21 @@
+Description: CVE-2021-32719 Escape the consumer-tag value in federation mgmt
+ Patches persistent XSS.
+Author: Patrik Ragnarsson <pat...@starkast.net>
+Date: Sat, 19 Jun 2021 09:23:12 +0200
+Origin: upstream, https://github.com/rabbitmq/rabbitmq-server/pull/3122
+Bug-Debian: https://bugs.debian.org/990524
+Last-Update: 2021-01-01
+
+diff --git 
a/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs 
b/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
+index 5b3e14d0638..838eac1eb3b 100644
+--- 
a/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
++++ 
b/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
+@@ -45,7 +45,7 @@
+      <td class="r"><%= fmt_time(upstream.value['message-ttl'], 'ms') %></td>
+      <td class="r"><%= fmt_string(upstream.value['ha-policy']) %></td>
+      <td class="r"><%= fmt_string(upstream.value['queue']) %></td>
+-     <td class="r"><%= upstream.value['consumer-tag'] %></td>
++     <td class="r"><%= fmt_string(upstream.value['consumer-tag']) %></td>
+    </tr>
+ <% } %>
+  </tbody>
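Review bot: the DEP-3 header `Last-Update: 2021-01-01` is inconsistent with the file timestamp (2022-01-01) and with the `Last-Update: 2022-01-01` in the CVE-2021-32718 patch; it is almost certainly a typo for 2022-01-01 and should be corrected. The code change itself is consistent with the adjacent cells, which already wrap `ha-policy` and `queue` in fmt_string.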
diff -Nru rabbitmq-server-3.8.9/debian/patches/series 
rabbitmq-server-3.8.9/debian/patches/series
--- rabbitmq-server-3.8.9/debian/patches/series 2021-04-10 22:59:57.000000000 
+0200
+++ rabbitmq-server-3.8.9/debian/patches/series 2022-01-01 18:46:04.000000000 
+0100
@@ -1,3 +1,4 @@
 lets-use-python3-not-python-binary.patch
 rabbitmq-dist.mk.patch
 Upstream_PR2965_fixing_rabbitmqctl_parsing
+CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
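Review bot: only the CVE-2021-32719 patch is added to debian/patches/series; the CVE-2021-32718_Escape_username_before_displaying_it.patch file added earlier in this debdiff is never applied at build time, so the package would still be vulnerable to CVE-2021-32718 despite the changelog claiming to fix it. Add a second line `CVE-2021-32718_Escape_username_before_displaying_it.patch` to series and rebuild to confirm both patches apply.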

--- End Message ---
--- Begin Message ---
Please re-open or re-file this request when a suitable new proposal is
ready.

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

--- End Message ---