This bug was fixed in the package rabbitmq-server - 4.0.5-10ubuntu1
---------------
rabbitmq-server (4.0.5-10ubuntu1) resolute; urgency=medium
* Merge with Debian unstable (LP: #2126011). Remaining changes:
- d/rules: Enable rabbitmq-streams entrypoint.
- d/p/rabbitmq-dist.mk.patch: Drop, no longer needed.
* Dropped:
- SECURITY UPDATE: authorization headers logged in plaintext (in base64)
+ debian/patches/CVE-2025-50200.patch: fix the exception logged by
Cowboy caused by double reply in src/rabbit_mgmt_util.erl,
src/rabbit_mgmt_wm_exchange_publish.erl,
src/rabbit_mgmt_wm_queue_actions.erl,
src/rabbit_mgmt_wm_queue_get.erl.
+ CVE-2025-50200
[In 4.0.5-9]
rabbitmq-server (4.0.5-10) unstable; urgency=medium
* Removed python3-simplejson build-depends (Closes: #1093307).
rabbitmq-server (4.0.5-9) unstable; urgency=high
* CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
authorization headers in plaintext encoded in base64. When querying
RabbitMQ api with HTTP/s with basic authentication it creates logs with all
headers in request, including authorization headers which show base64
encoded username:password. This is easy to decode and afterwards could be
used to obtain control to the system depending on credentials.
Added upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
(Closes: #1108075)
-- Andreas Hasenack <[email protected]> Tue, 06 Jan 2026
14:51:20 -0300
** Changed in: rabbitmq-server (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2025-50200
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2126011
Title:
Merge rabbitmq-server from Debian Unstable for r-series
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rabbitmq-server/+bug/2126011/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
