Merge rabbitmq-server from Debian Unstable for r-series

Bug #2126011 reported by Bryce Harrington
Affects: rabbitmq-server (Ubuntu)
Status: New
Importance: Medium
Assigned to: Andreas Hasenack
Milestone: (empty)

Bug Description

Scheduled-For: ubuntu-25.11
Ubuntu: 4.0.5-8ubuntu2
Debian Unstable: 4.0.5-10

A new release of rabbitmq-server is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the tagging from ['needs-merge', 'upgrade-software-version'] to ['needs-sync', 'upgrade-software-version'], and (optionally) update the title as desired.

### New Debian Changes ###

rabbitmq-server (4.0.5-10) unstable; urgency=medium

  * Removed python3-simplejson build-depends (Closes: #1093307).

 -- Thomas Goirand <email address hidden> Mon, 18 Aug 2025 23:31:11 +0200

rabbitmq-server (4.0.5-9) unstable; urgency=high

  * CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
    authorization headers in plaintext encoded in base64. When querying the
    RabbitMQ API with HTTP/s with basic authentication, it creates logs with
    all headers in the request, including authorization headers which show the
    base64-encoded username:password. This is easy to decode and could
    afterwards be used to obtain control of the system depending on credentials.
    Added upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
    (Closes: #1108075)

 -- Thomas Goirand <email address hidden> Mon, 18 Aug 2025 18:37:26 +0200
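The defect described in the 4.0.5-9 entry above leaves base64-encoded HTTP Basic credentials in management-API request logs written before the fix was applied. An operator upgrading the package still has those historical log files on disk. The following Python script is an added example, not code from the rabbitmq-server package or from the Debian or Ubuntu maintainers: it scans log text for authorization headers carrying Basic tokens, reports which usernames were exposed (passwords are never printed), and produces a redacted copy suitable for retention. The log line layout, the constructed `SAMPLE_LOG` entries and the `guest:guest` credential in them are assumptions made for the example, not real RabbitMQ output.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on request logging that includes every
# request header, as the changelog entry describes. Credentials are not real.
SAMPLE_LOG = """\
2025-08-18 18:37:26.000 [info] <0.123.0> GET /api/overview headers: [{<<"host">>,<<"localhost:15672">>},{<<"authorization">>,<<"Basic Z3Vlc3Q6Z3Vlc3Q=">>}]
2025-08-18 18:37:27.000 [info] <0.124.0> GET /api/queues headers: [{<<"host">>,<<"localhost:15672">>}]
2025-08-18 18:37:28.000 [info] <0.125.0> GET /api/nodes headers: [{<<"authorization">>,<<"Basic not-valid-base64!">>}]
2025-08-18 18:37:29.000 [info] <0.126.0> GET /api/nodes headers: [{<<"authorization">>,<<"Bearer eyJhbGciOi...">>}]
"""

# Group 1: everything from the header name up to and including "Basic ".
# Group 2: the base64 token. The lazy .{0,16}? absorbs the Erlang binary
# delimiters (">>,<<") that sit between the header name and its value.
BASIC_RE = re.compile(r'(?i)(authorization.{0,16}?basic\s+)([A-Za-z0-9+/=]+)')


@dataclass
class Finding:
    line_no: int
    # Decoded username, or None when the token is not a valid "user:password".
    username: Optional[str]


def decode_basic_username(token: str) -> Optional[str]:
    """Return the username part of a base64 'user:password' token, or None.

    Strict base64 validation rejects garbage that merely follows the word
    'Basic'; the password half is deliberately discarded.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = raw.partition(":")
    return user if sep else None


def scan_log(text: str) -> List[Finding]:
    """List every Basic token in the log with the username it exposes."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in BASIC_RE.finditer(line):
            findings.append(Finding(line_no, decode_basic_username(match.group(2))))
    return findings


def redact_log(text: str) -> str:
    """Replace every Basic token, decodable or not, with a fixed marker."""
    return BASIC_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        who = f.username if f.username is not None else "(undecodable token)"
        print(f"line {f.line_no}: Basic credentials present for user {who}")
    print(redact_log(SAMPLE_LOG))
```

The scanner reports the username only, so its own output can be shared with the account owners whose passwords need rotating without reproducing the secret; the redaction pass strips even malformed tokens, since a token that fails strict base64 validation may still be a credential in an unexpected encoding.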

### Old Ubuntu Delta ###

rabbitmq-server (4.0.5-8ubuntu2) questing; urgency=medium

  * SECURITY UPDATE: authorization headers logged in plaintext (in base64)
    - debian/patches/CVE-2025-50200.patch: fix the exception logged by
      Cowboy caused by double reply in src/rabbit_mgmt_util.erl,
      src/rabbit_mgmt_wm_exchange_publish.erl,
      src/rabbit_mgmt_wm_queue_actions.erl,
      src/rabbit_mgmt_wm_queue_get.erl.
    - CVE-2025-50200

 -- Marc Deslauriers <email address hidden> Fri, 19 Sep 2025 11:36:28 -0400

rabbitmq-server (4.0.5-8ubuntu1) questing; urgency=medium

  * Merge with Debian unstable (LP: #2120563). Remaining changes:
    - d/rules: Enable rabbitmq-streams entrypoint.
    - d/p/rabbitmq-dist.mk.patch: Drop, no longer needed.
  * Dropped:
    - Added new dep8 tests (LP #1679386)
      [In 4.0.5-7]
    - d/rules: Set PROJECT_VERSION to fix internal module versioning
      issues.
      [In 4.0.5-8]

 -- Andreas Hasenack <email address hidden> Wed, 13 Aug 2025 11:00:09 -0300

Changed in rabbitmq-server (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
Hector CAO (hectorcao)
Changed in rabbitmq-server (Ubuntu):
importance: Undecided → Medium
Changed in rabbitmq-server (Ubuntu):
milestone: none → ubuntu-25.12