[Debian] Medium CVE: CVE-2023-35789 librabbitmq: local attackers by listing a process and its arguments

Bug #2105457 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

CVE-2023-35789: https://nvd.nist.gov/vuln/detail/CVE-2023-35789

An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments.

Base Score: Medium

Reference:

librabbitmq4_0.10.0-1_amd64.deb ===> librabbitmq4_0.10.0-1+deb11u1_amd64.deb
https://security-tracker.debian.org/tracker/DLA-4096-1
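As an added verification check (not part of this bug report or of the StarlingX changes below), the following Python script reports whether the installed librabbitmq4 and librabbitmq-dev packages are at or above the fix version 0.10.0-1+deb11u1 named in this bug. It reimplements the dpkg version-ordering rules (epoch, upstream version, Debian revision; `~` sorts before anything, letters before other characters) so the comparison itself runs without dpkg; the `dpkg-query` call is only used when the file is run as a script on a Debian or StarlingX host. The package names and version strings are taken from this page; the function names are my own.

```python
"""Check installed librabbitmq packages against the CVE-2023-35789 fix version.

Added example, not code from the bug report or from StarlingX. The version
comparison follows dpkg's verrevcmp() rules so it can be tested offline.
"""
import subprocess

FIXED_VERSION = "0.10.0-1+deb11u1"              # fix version named in DLA-4096-1 / this bug
PACKAGES = ("librabbitmq4", "librabbitmq-dev")  # both packages updated by the two changes


def _order(c: str) -> int:
    """Character weight used by dpkg for non-digit characters ('~' lowest)."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does: <0, 0 or >0."""
    while a or b:
        first_diff = 0
        # Non-digit run: end of string weighs 0, so "1" sorts before "1+deb11u1".
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: leading zeros are ignored, the longer run wins,
        # otherwise the first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts (epoch 0, revision '' if absent)."""
    epoch_str, sep, rest = version.partition(":")
    epoch = int(epoch_str) if sep else 0
    if not sep:
        rest = version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Same ordering as `dpkg --compare-versions`: <0 if v1 < v2, 0 if equal, >0 if greater."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    if c:
        return c
    return _verrevcmp(r1, r2)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed Debian package version is at or above the fix version."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package: str):
    """Ask dpkg for the installed version of `package`; None if absent or dpkg unavailable."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", package],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    for pkg in PACKAGES:
        v = installed_version(pkg)
        if v is None:
            print(f"{pkg}: not installed (or dpkg-query not available)")
        else:
            state = "fixed" if is_fixed(v) else "VULNERABLE (CVE-2023-35789)"
            print(f"{pkg}: {v} -> {state}")
```

The check answers only whether the Debian 11 package carries the DLA-4096-1 update. A package built from another suite or straight from upstream (affected through 0.13.0 according to the description) has a different fix version, and the comparison should use that suite's version string instead.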

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/950319

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/950319
Committed: https://opendev.org/starlingx/tools/commit/bd47e1487f4bd1002f4973a8f509b3ad7d6a2dfd
Submitter: "Zuul (22348)"
Branch: master

commit bd47e1487f4bd1002f4973a8f509b3ad7d6a2dfd
Author: Joao Tognolli Jr <email address hidden>
Date: Mon May 19 11:17:26 2025 -0300

    Debian: librabbitmq4: fix CVE-2023-35789

    Upgrade librabbitmq4 to 0.10.0-1+deb11u1

    CVE-2023-35789: https://nvd.nist.gov/vuln/detail/CVE-2023-35789

    https://security-tracker.debian.org/tracker/DLA-4096-1
    https://www.tenable.com/plugins/nessus/233546

    TestPlan:
    PASS: downloader; build-pkgs
    PASS: build-image
    PASS: install on SX-lab (VBox)

    Closes-Bug: 2105457

    Change-Id: Id008324bd61c7c537d8c38eaf71bf43c775f4b7a
    Signed-off-by: Joao Tognolli Jr <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/951988

OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/951988
Committed: https://opendev.org/starlingx/tools/commit/b6391dd9b5002644184de4f0f10958c8b2b068d0
Submitter: "Zuul (22348)"
Branch: master

commit b6391dd9b5002644184de4f0f10958c8b2b068d0
Author: Joao Tognolli Jr <email address hidden>
Date: Fri Jun 6 15:27:28 2025 -0300

    Debian: librabbitmq-dev: change version

    Upgrade librabbitmq-dev to 0.10.0-1+deb11u1

    The current librabbitmq-dev package has a dependency on
    librabbitmq4 version 0.10.0-1. However, due to the change
    made in [1], it is also necessary to update the
    librabbitmq-dev package version to the same version as
    librabbitmq4, which is 0.10.0-1+deb11u1.

    [1]: https://review.opendev.org/c/starlingx/tools/+/950319

    TestPlan:
    PASS: downloader; build-pkgs
    PASS: build-image
    PASS: install on SX-lab (VBox)

    Closes-Bug: 2105457

    Change-Id: I2f83440bb3b09a8ae7a3a63fbe083f047b8a520f
    Signed-off-by: Joao Tognolli Jr <email address hidden>

This report contains public security information; everyone can see this security-related information.