Changelog
rabbitmq-server (4.0.5-10ubuntu1) resolute; urgency=medium

  * Merge with Debian unstable (LP: #2126011). Remaining changes:
    - d/rules: Enable rabbitmq-streams entrypoint.
    - d/p/rabbitmq-dist.mk.patch: Drop, no longer needed.
  * Dropped:
    - SECURITY UPDATE: authorization headers logged in plaintext (in base64)
      + debian/patches/CVE-2025-50200.patch: fix the exception logged by
        Cowboy caused by double reply in src/rabbit_mgmt_util.erl,
        src/rabbit_mgmt_wm_exchange_publish.erl,
        src/rabbit_mgmt_wm_queue_actions.erl,
        src/rabbit_mgmt_wm_queue_get.erl.
      + CVE-2025-50200
      [In 4.0.5-9]

rabbitmq-server (4.0.5-10) unstable; urgency=medium

  * Removed python3-simplejson build-depends (Closes: #1093307).

rabbitmq-server (4.0.5-9) unstable; urgency=high
  * CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
    authorization headers in plaintext encoded in base64. When querying the
    RabbitMQ API over HTTP(S) with basic authentication, it creates logs with all
    headers in the request, including authorization headers, which show the
    base64-encoded username:password. This is easy to decode and afterwards could
    be used to obtain control of the system depending on the credentials.
    Added upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
    (Closes: #1108075)
 -- Andreas Hasenack <email address hidden>  Tue, 06 Jan 2026 14:51:20 -0300
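The failure mode described for CVE-2025-50200 is credential-bearing request headers reaching a log line. The following is an added example written for this page, not code from RabbitMQ or from the Debian/Ubuntu packaging: it shows the mitigation (redacting sensitive headers before a header map is logged) and the detection side (scanning existing log lines for a logged Basic credential so the affected accounts can be rotated). The log lines, the `redact_headers` and `find_leaked_basic_auth` names, and the Erlang-proplist-style formatting of the header dump are all constructed assumptions.

```python
import base64
import re
from typing import Dict, List

# Header names whose values carry credentials; they must never reach a log line.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigation: return a copy of the request headers that is safe to log."""
    return {name: ("[REDACTED]" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


# Matches "authorization ... Basic <token>" both in HTTP-style lines and in
# Erlang proplist dumps such as {<<"authorization">>,<<"Basic ...">>}.
BASIC_RE = re.compile(r'authorization\W+basic\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def find_leaked_basic_auth(log_lines: List[str]) -> List[str]:
    """Detection: return usernames whose Basic credentials appear in the lines.

    Only the username is returned, so the scan report tells an operator which
    accounts need rotation without re-exposing the password itself.
    """
    leaked = []
    for line in log_lines:
        for token in BASIC_RE.findall(line):
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not a well-formed credential token, ignore it
            user, sep, _password = decoded.partition(":")
            if sep:
                leaked.append(user)
    return leaked


# Constructed sample log lines (not real RabbitMQ output): the first mimics an
# Erlang header proplist dump, the third an HTTP-style header, the last is noise.
SAMPLE_LOG = [
    '2026-01-06 14:51:20 [error] headers: [{<<"host">>,<<"localhost:15672">>},'
    '{<<"authorization">>,<<"Basic Z3Vlc3Q6Z3Vlc3Q=">>}]',
    '2026-01-06 14:51:21 [info] GET /api/overview 200',
    '2026-01-06 14:51:22 [error] Authorization: Basic Ym9iOnNlY3JldA==',
    '2026-01-06 14:51:23 [error] headers: [{<<"authorization">>,<<"Basic not-base64!">>}]',
]
```

Running `find_leaked_basic_auth(SAMPLE_LOG)` on the constructed lines yields `['guest', 'bob']`; the malformed last line is skipped rather than reported.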