RabbitMQ downloads binary over http without verification
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kolla | Fix Released | Undecided | Unassigned | |
Bug Description
Hi,
Recently it was seen that Kolla was including a RabbitMQ plugin which is downloaded from the RabbitMQ website using HTTP. This file is then included without validation.
This could allow for the injection of code during the build. The website and download are also served on HTTPS with a valid certificate, which should be sufficient mitigation in many cases. However, verification of the binary via checksum would be even better.
Code affected:
https:/
There is a current git that may mitigate this for Debian installs:
https:/
Downstream at Red Hat we will most likely be removing the download and not using the plugin moving forward.
The following CVE was assigned CVE-2018-14620. We are working to ship fixes soon.
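The mitigation the report asks for, as an added example that is not code from the kolla project or the reporter: fetch an artifact only over HTTPS and refuse to use it unless its SHA-256 matches a value pinned in the build. The URL, the pinned hash in `fetch_verified`, and the helper names are placeholders; the self-check in `demo` uses a constructed local file so it runs without network access.

```shell
#!/bin/sh
# Added example (not from kolla): HTTPS-only download plus pinned SHA-256 check.
# Assumption: the expected hash is obtained out-of-band from the vendor's
# release notes and committed next to the Dockerfile, not fetched alongside
# the binary (a hash served from the same channel verifies nothing).

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_verified URL EXPECTED_HEX DEST
# Refuses plain-HTTP URLs, pins curl to HTTPS/TLS 1.2+ (no downgrade on redirect),
# and deletes the download on mismatch so a tampered file never reaches the image.
fetch_verified() {
    url="$1"
    expected="$2"
    dest="$3"
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 -o "$dest" "$url" || return 1
    verify_sha256 "$dest" "$expected" || { rm -f "$dest"; return 1; }
}

# Self-check on a constructed file: "hello\n" has a well-known SHA-256.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    verify_sha256 "$tmp" "$good"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

In a Dockerfile the call would be `RUN fetch_verified "https://<vendor>/plugin.ez" "<pinned-sha256>" /plugins/plugin.ez` so the build fails closed when the artifact changes.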
CVE References
description: updated
Changed in kolla: status: New → Fix Released
This is essentially happening in the following bug too: https://bugs.launchpad.net/tripleo/+bug/1791077