Your message dated Mon, 18 Aug 2025 17:06:10 +0000
with message-id <[email protected]>
and subject line Bug#1108075: fixed in rabbitmq-server 4.0.5-9
has caused the Debian Bug report #1108075,
regarding rabbitmq-server: CVE-2025-50200
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1108075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108075
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rabbitmq-server
Version: 4.0.5-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rabbitmq-server.

CVE-2025-50200[0]:
| RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and
| prior, RabbitMQ is logging authorization headers in plaintext
| encoded in base64. When querying the RabbitMQ API with HTTP/s with basic
| authentication it creates logs with all headers in the request,
| including authorization headers which show the base64 encoded
| username:password. This is easy to decode and afterwards could be
| used to obtain control of the system depending on credentials. This
| issue has been patched in version 4.0.8.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-50200
    https://www.cve.org/CVERecord?id=CVE-2025-50200
[1] https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-gh3x-4x42-fvq8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
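A defender-side follow-up to the report above, as an added example that is not part of the bug report, the Debian package or RabbitMQ's own code: a Python scrubber that finds Basic Authorization headers in the kind of request-header dump the CVE describes, redacts the token, and reports only the username so the affected accounts can be rotated. The log lines are constructed samples shaped like such a dump, not real RabbitMQ output.

```python
import base64
import binascii
import re

# A Basic Authorization header as it appears in a logged header dump; the
# header name is case-insensitive and may be quoted (JSON-style) or bare.
BASIC_AUTH_RE = re.compile(
    r"(?P<prefix>authorization['\"]?\s*[:=]\s*['\"]?basic\s+)"
    r"(?P<token>[A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

def username_from_token(token):
    """Decode a Basic token and return only the username, never the password."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # not valid base64: still redacted, nothing to report
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def scrub_log_line(line):
    """Return (redacted_line, usernames) for one log line."""
    found = []
    def redact(match):
        user = username_from_token(match.group("token"))
        if user is not None:
            found.append(user)
        return match.group("prefix") + "[REDACTED]"
    return BASIC_AUTH_RE.sub(redact, line), found

def scan_log(lines):
    """Scrub every line; return (redacted_lines, sorted usernames to rotate)."""
    redacted, users = [], set()
    for line in lines:
        clean, found = scrub_log_line(line)
        redacted.append(clean)
        users.update(found)
    return redacted, sorted(users)

# Constructed sample lines shaped like a request-header dump (not real RabbitMQ
# output); the tokens encode "admin:s3cr3t" and "monitor:pass".
SAMPLE_LOG = [
    '[info] GET /api/overview headers: {"host":"broker:15672",'
    '"authorization":"Basic YWRtaW46czNjcjN0","accept":"*/*"}',
    '[info] GET /api/queues headers: {"host":"broker:15672","accept":"*/*"}',
    '[info] GET /api/nodes headers: {"Authorization": "Basic bW9uaXRvcjpwYXNz"}',
]
```

Running `scan_log(SAMPLE_LOG)` yields the redacted lines plus `['admin', 'monitor']`, the accounts whose passwords should be treated as exposed.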
--- Begin Message ---
Source: rabbitmq-server
Source-Version: 4.0.5-9
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated rabbitmq-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 18 Aug 2025 18:37:26 +0200
Source: rabbitmq-server
Architecture: source
Version: 4.0.5-9
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1108075
Changes:
 rabbitmq-server (4.0.5-9) unstable; urgency=high
 .
   * CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
     authorization headers in plaintext encoded in base64. When querying the
     RabbitMQ API with HTTP/s with basic authentication it creates logs with all
     headers in the request, including authorization headers which show the
     base64 encoded username:password. This is easy to decode and afterwards
     could be used to obtain control of the system depending on credentials.
     Added upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
     (Closes: #1108075)



--- End Message ---
