Merge rabbitmq-server from Debian unstable for oracular

Bug #2064451 reported by Bryce Harrington
Affects: rabbitmq-server (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Upstream: tbd
Debian: 3.10.8-3 3.12.1-1
Ubuntu: 3.12.1-1ubuntu1

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

rabbitmq-server (3.10.8-3) unstable; urgency=high

  * CVE-2023-46118: Denial of Service by publishing large messages over the
    HTTP API. Applied upstream patches that introduce a limit of 10MB:
    - Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch
    - Introduce_HTTP_request_body_limit_for_definition_uploads.patch
    (Closes: #1056723).

 -- Thomas Goirand <email address hidden> Mon, 27 Nov 2023 08:31:07 +0100

rabbitmq-server (3.10.8-2) unstable; urgency=medium

  * Cleans better (Closes: #1046813).

 -- Thomas Goirand <email address hidden> Thu, 24 Aug 2023 11:50:05 +0200

rabbitmq-server (3.10.8-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl <email address hidden> Sat, 15 Oct 2022 12:42:19 +0200

rabbitmq-server (3.10.8-1) unstable; urgency=medium

  * New upstream release:
    - Fix FTBFS with Erlang 25.
  * lets-use-python3-not-python-binary.patch: removed 2 hunks committed
    upstream.
  * Add OOMScoreAdjust=-500 to the .service file.

 -- Thomas Goirand <email address hidden> Wed, 28 Sep 2022 15:40:58 +0200

rabbitmq-server (3.9.13-1) unstable; urgency=medium

  * New upstream release.
  * Do not install rabbitmq-server-ha.ocf: it's removed upstream.

 -- Thomas Goirand <email address hidden> Wed, 23 Feb 2022 09:12:34 +0100

rabbitmq-server (3.9.8-6) unstable; urgency=medium

  * Use grep -q when checking for Erlang cookie.

 -- Thomas Goirand <email address hidden> Thu, 27 Jan 2022 23:32:11 +0100

rabbitmq-server (3.9.8-5) unstable; urgency=medium

  * Detect if /var/lib/rabbitmq/.erlang.cookie is an Erlang generated cookie;
    regenerate it and restart rabbitmq in such a case.

 -- Thomas Goirand <email address hidden> Thu, 27 Jan 2022 14:14:56 +0100

rabbitmq-server (3.9.8-4) unstable; urgency=medium

  * Use umask when creating the .erlang.cookie to avoid race condition where
    the file could be read.

 -- Thomas Goirand <email address hidden> Mon, 24 Jan 2022 13:24:50 +0100

rabbitmq-server (3.9.8-3) unstable; urgency=medium

  * Use OpenSSL to generate the default .erlang.cookie.
  * Set rabbitmq-server.service to depend on epmd.socket and not epmd@.socket.
  * Add a debian/README.Debian to explain how to secure a RabbitMQ cluster, as
    it's been pointed out that upstream doc isn't good enough to explain what
    is necessary for it (Closes: #924768).

 -- Thomas Goirand <email address hidden> Fri, 14 Jan 2022 10:05:34 +0100

rabbitmq-server (3.9.8-2) unstable; urgency=medium

  * Finished removing the $LANG wrapper (Closes: #947872).
  * Do not mv /etc/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq-env.conf
    anymore (Closes: #943699).

 -- Thomas Goirand <email address hidden> Tue, 28 Dec 2021 19:08:01 +0100

rabbitmq-server (3.9.8-1) unstable; urgency=medium

  * New upstream release.
  * d/control: Bump Standards-Version to 4.6.0, no changes.

 -- James Page <email address hidden> Tue, 02 Nov 2021 16:52:40 +0000

rabbitmq-server (3.9.4-1.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Add a superficial autopkgtest.
    It just tests that the service is active after installation. This is not
    great test coverage, but it will at least stop new erlang versions from
    migrating before rabbitmq-server is fixed to work with it.
  * debian/changelog: add missing Closes: tag in the previous upload.
    I have just closed the actual bug via a separate control email.

 -- Antonio Terceiro <email address hidden> Sat, 25 Sep 2021 06:38:37 -0300

rabbitmq-server (3.9.4-1.1) unstable; urgency=medium

  * Non-maintainer upload.

### Old Ubuntu Delta ###

rabbitmq-server (3.12.1-1ubuntu1) noble; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2023-46118-*.patch: Introduce HTTP request body limit
      for definition uploads and Reduce default HTTP API request body size limit
      to 10 MiB in deps/rabbitmq_management/Makefile, include/rabbit_mgmt.hrl,
      priv/schema/rabbitmq_management.schema, src/rabbit_mgmt_util.erl,
      src/rabbit_mgmt_wm_definitions.erl.
    - CVE-2023-46118

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 22 Nov 2023 16:07:37 -0300
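The 3.9.8-3 through 3.9.8-6 entries above describe a small procedure for the Erlang cookie: detect a cookie the Erlang VM generated itself, regenerate it with OpenSSL under a restrictive umask so the file is never readable by other users even briefly, and restart the node. The script below is an added illustration of that procedure; it is not the Debian maintainer script. It assumes GNU stat(1), openssl(1) (with a /dev/urandom fallback), and the fact that Erlang's own fallback cookie is exactly 20 uppercase ASCII letters; the cookie path is a parameter so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added illustration, not Debian's postinst. Assumptions: GNU coreutils
# (stat -c), openssl(1) or /dev/urandom, and a cookie directory that is
# writable and not world-accessible.

# Erlang's own fallback generator (used when no cookie file exists at first
# node start) writes exactly 20 uppercase ASCII letters, A-Z. That is the
# signature checked before deciding to regenerate. Returns 0 on a match.
is_erlang_generated_cookie() {
    [ -f "$1" ] || return 1
    grep -Eq '^[A-Z]{20}$' "$1"
}

# Create a fresh cookie. The umask is set *before* the file is created, so
# there is no moment where the file exists with the default 0644 mode (the
# race condition the 3.9.8-4 entry closes); a chmod after the write would
# leave that window open. The content goes to a temp name in the same
# directory and is renamed into place so readers never see a partial file.
generate_cookie() {
    file="$1"
    tmp="$file.$$.tmp"
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 32 | tr -d '\n' >"$tmp"
        else
            # Fallback when openssl(1) is absent: read the kernel CSPRNG.
            head -c 32 /dev/urandom | base64 | tr -d '\n' >"$tmp"
        fi
    )
    mv -f "$tmp" "$file"
}

# Regenerate only when the cookie is missing, empty, or Erlang-generated.
# Prints "regenerated" or "kept". A real maintainer script restarts
# rabbitmq-server after "regenerated", as the 3.9.8-5 entry does, because a
# running node keeps the cookie it read at boot in memory.
ensure_cookie() {
    file="$1"
    if [ ! -s "$file" ] || is_erlang_generated_cookie "$file"; then
        generate_cookie "$file"
        echo regenerated
    else
        echo kept
    fi
}

# Octal permission bits of the cookie file, for auditing (expect 600).
cookie_mode() {
    stat -c '%a' "$1"
}

# Usage against a scratch directory, safe to run anywhere:
#   d=$(mktemp -d); ensure_cookie "$d/.erlang.cookie"; cookie_mode "$d/.erlang.cookie"
```

Running it twice against the same path shows the idempotence the packaging relies on: the first call regenerates, the second keeps the OpenSSL-generated value, and only a cookie matching the Erlang signature triggers replacement again.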

Bryce Harrington (bryce)
Changed in rabbitmq-server (Ubuntu):
milestone: none → ubuntu-24.07
Mitchell Dzurick (mitchdz) wrote :

Right now there is nothing to do since we are up to date with Debian.

If we want to update it, we will need to either wait to see if Debian updates during OO development, or pull from upstream which does publish deb files.
