Thanks for fixing so quickly once this ticket was raised!

I have questions though about the time before.

rabbitmq-server is in the Canonical-supported 'main' repo of two active
Ubuntu LTS releases. In Dec 2016, a security issue and a patch are
published upstream, rated 'critical'. Debian rates it as 'high' and
releases updates within a month. At some point in time (I can't say
when), the issue appears in Ubuntu's CVE tracker (see above) and gets
marked 'medium'. Other than that, nothing happens at Ubuntu until a
random user (me) stumbles upon it and files this very bug report.

- Why was this bug rated lower than upstream ('medium' rather than 'critical')?
- What is the CVE tracker for, if not triggering the process leading to
security updates where necessary?
- Are there targets defined/documented somewhere, how quickly upstream security
patches ought to be integrated into 'main' LTS packages?
- Assuming we agree that 7 months is too long (right?), what is being done to
make sure those targets are met?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1706900

Title:
  CVE-2016-9877 RabbitMQ authentication vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/rabbitmq/+bug/1706900/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
