Hi Nils,
Ubuntu's security team does not use upstream assessments of
severity when assigning priorities. Our criteria are enumerated at
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README#L191
Upstream estimates of severity are usually focused strictly on
Thanks for fixing so quickly once this ticket was raised!
I have questions though about the time before.
rabbitmq-server is in the Canonical-supported 'main' repo of two active
Ubuntu LTS releases. In Dec 2016, a security issue and a patch are
published upstream, rated 'critical'. Debian rates
This bug was fixed in the package rabbitmq-server - 3.2.4-1ubuntu0.1
---
rabbitmq-server (3.2.4-1ubuntu0.1) trusty-security; urgency=medium
* SECURITY UPDATE: authentication bypass (LP: #1706900)
- debian/patches/CVE-2016-9877.patch: fix password check in
This bug was fixed in the package rabbitmq-server - 3.5.7-1ubuntu0.16.04.2
---
rabbitmq-server (3.5.7-1ubuntu0.16.04.2) xenial-security; urgency=medium
* SECURITY UPDATE: authentication bypass (LP: #1706900)
- debian/patches/CVE-2016-9877.patch: fix password check in
Packages are building in the security team PPA here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages
They will be released as security updates next week once they have
passed QA.
Thanks.
** Also affects: rabbitmq-server (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: rabbitmq-server (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: rabbitmq-server (Ubuntu)
Status: Triaged => Fix Released
** Changed in: rabbitmq-server
Please bump the importance to "High". This is a trivially and remotely
exploitable authentication bypass, and it's classified "Critical"
upstream, and "High" over at Debian.
This bug was raised and fixed upstream last year. Debian backported the
fix in January. Since when are you aware of it?
--
Hello and thanks for the bug report! We are aware of this issue and are
tracking it in the Ubuntu CVE Tracker:
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9877.html
** Changed in: rabbitmq-server (Ubuntu)
Importance: Undecided => Medium
** Changed in: rabbitmq-server
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9877
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1706900
Title:
CVE-2016-9877 RabbitMQ authentication vulnerability
** Bug watch added: github.com/rabbitmq/rabbitmq-mqtt/issues #96
https://github.com/rabbitmq/rabbitmq-mqtt/issues/96
** Also affects: rabbitmq via
https://github.com/rabbitmq/rabbitmq-mqtt/issues/96
Importance: Unknown
Status: Unknown
** Changed in: rabbitmq
Status: Unknown => Fix Released