[Bug 1184159] New: ejabberd: XMPP resource consumption denial of service when using application-layer compression (XEP-0138) [fedora-all]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1184159
Bug ID: 1184159
Summary: ejabberd: XMPP resource consumption denial of service
when using application-layer compression (XEP-0138)
[fedora-all]
Product: Fedora
Version: 21
Component: ejabberd
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: vdanen(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, jkaluza(a)redhat.com,
lemenkov(a)gmail.com, martin(a)laptop.org
Blocks: 1084850
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1084850
[Bug 1084850] XMPP resource consumption denial of service when using
application-layer compression (XEP-0138)
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1211394] New: rabbitmq-server package should install sample config files
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1211394
Bug ID: 1211394
Summary: rabbitmq-server package should install sample config
files
Product: Fedora EPEL
Version: epel7
Component: rabbitmq-server
Keywords: EasyFix, ZStream
Severity: low
Priority: low
Assignee: lemenkov(a)gmail.com
Reporter: apevec(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: afazekas(a)redhat.com, apevec(a)redhat.com,
dyocum(a)redhat.com, erlang(a)lists.fedoraproject.org,
extras-qa(a)fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lars(a)redhat.com,
lemenkov(a)gmail.com, lhh(a)redhat.com,
rhos-flags(a)redhat.com, rjones(a)redhat.com,
rohara(a)redhat.com, s(a)shk.io, sgordon(a)redhat.com,
yeylon(a)redhat.com
Depends On: 1160810
+++ This bug was initially created as a clone of Bug #1160810 +++
+++ This bug was initially created as a clone of Bug #1134956 +++
The rabbitmq-server package does not install any configuration into
/etc/rabbitmq/rabbitmq.config or /etc/rabbitmq/rabbitmq-env.conf. Having the
package install sample versions of these files would provide people with a
model of what they should look like and may ease the process for people moving
from qpid to rabbitmq (by providing an obvious location in which, e.g., to
place credentials if they would like to use a non-default username/password).
--- Additional comment from Attila Fazekas on 2014-10-13 06:17:37 EDT ---
The 3.1.5 tarball (and the hg tag) does not contain an example config file,
but the >=3.2.0 does.
Using the sample from the >=3.2.0 would also be helpful.
--- Additional comment from Dan Yocum on 2014-10-13 08:23:39 EDT ---
The example config file has unsupported/unpackaged features which I removed in
the second attachment I included. Use the 2nd attachment as the first one had
a typo (a trailing comma after a config stanza which made erlang puke).
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1160810
[Bug 1160810] rabbitmq-server package should install sample config files
[Bug 1185517] New: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [epel-all]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185517
Bug ID: 1185517
Summary: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability
[epel-all]
Product: Fedora EPEL
Version: el6
Component: rabbitmq-server
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: kseifried(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com,
rjones(a)redhat.com, s(a)shk.io
Blocks: 1185514
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL. While
only one tracking bug has been filed, please correct all affected versions
at the same time. If you need to fix the versions independent of each
other, you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185514
[Bug 1185514] RabbitMQ: /api/... XSS vulnerability
[Bug 1160810] New: rabbitmq-server package should install sample config files
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1160810
Bug ID: 1160810
Summary: rabbitmq-server package should install sample config
files
Product: Fedora
Version: rawhide
Component: rabbitmq-server
Keywords: EasyFix, ZStream
Severity: low
Priority: low
Assignee: lemenkov(a)gmail.com
Reporter: jeckersb(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: afazekas(a)redhat.com, apevec(a)redhat.com,
dyocum(a)redhat.com, erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
lars(a)redhat.com, lemenkov(a)gmail.com, lhh(a)redhat.com,
rhos-flags(a)redhat.com, rjones(a)redhat.com,
rohara(a)redhat.com, s(a)shk.io, sgordon(a)redhat.com,
yeylon(a)redhat.com
Depends On: 1134956
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1134956
[Bug 1134956] rabbitmq-server package should install sample config files
[Bug 1185516] New: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability [fedora-all]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185516
Bug ID: 1185516
Summary: rabbitmq-server: RabbitMQ: /api/... XSS vulnerability
[fedora-all]
Product: Fedora
Version: 21
Component: rabbitmq-server
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: kseifried(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
lemenkov(a)gmail.com, rjones(a)redhat.com, s(a)shk.io
Blocks: 1185514
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1185514
[Bug 1185514] RabbitMQ: /api/... XSS vulnerability
[Bug 1183690] New: rabbitmq logrotate script attempts to use legacy service commands
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1183690
Bug ID: 1183690
Summary: rabbitmq logrotate script attempts to use legacy
service commands
Product: Fedora
Version: 21
Component: rabbitmq-server
Assignee: lemenkov(a)gmail.com
Reporter: lars(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
lemenkov(a)gmail.com, rjones(a)redhat.com, s(a)shk.io
Description of problem:
The rabbitmq-server package installs /etc/logrotate.d/rabbitmq-server with the
following:
postrotate
/sbin/service rabbitmq-server rotate-logs > /dev/null
endscript
That hasn't worked since systemd was introduced, and results in the error:
/etc/cron.daily/logrotate:
The service command supports only basic LSB actions (start, stop, restart,
try-restart, reload, force-reload, status). For other actions, please try to
use systemctl.
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
Version-Release number of selected component (if applicable):
rabbitmq-server-3.1.5-10.fc21.noarch
[Bug 1174872] New: rabbitmq-server: insufficient 'X-Forwarded-For' header validation
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1174872
Bug ID: 1174872
Summary: rabbitmq-server: insufficient 'X-Forwarded-For' header
validation
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abaron(a)redhat.com, aortega(a)redhat.com,
apevec(a)redhat.com, ayoung(a)redhat.com,
chrisw(a)redhat.com, dallan(a)redhat.com,
erlang(a)lists.fedoraproject.org, gkotton(a)redhat.com,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, markmc(a)redhat.com,
pmyers(a)redhat.com, rbryant(a)redhat.com,
rjones(a)redhat.com, s(a)shk.io, sclewis(a)redhat.com,
yeylon(a)redhat.com
In RabbitMQ, the 'loopback_users' configuration directive allows one to specify a
list of users that are only permitted to connect to the broker via localhost.
It was found that RabbitMQ's management plug-in did not sufficiently
validate the 'X-Forwarded-For' header when determining the remote address. A
remote attacker able to send a specially crafted 'X-Forwarded-For' header to
RabbitMQ could use this flaw to connect to the broker as if they were a
localhost user. Note that the attacker must know valid user credentials in
order to connect to the broker.
Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d
References:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
http://www.rabbitmq.com/release-notes/README-3.4.0.txt
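The flaw described in bug 1174872 is a general one: an address check that reads X-Forwarded-For from any client lets that client choose its own "remote address". The example below is added here to illustrate it and is not RabbitMQ's code; the function names, the request fields, the trusted-proxy address 10.0.0.5 and the sample client addresses are assumptions made for the example. The vulnerable resolver takes the header at face value, so a remote client who already holds valid credentials for a loopback-only account gets treated as local; the hardened resolver only consults the header when the TCP peer is a known reverse proxy, and then uses the hop that proxy appended rather than the one the client could have written.

```python
"""Added example: why X-Forwarded-For must not decide a loopback-only check.

Scenario from the bug report: 'loopback_users' restricts some accounts to
connections from localhost. If the address check reads X-Forwarded-For,
a remote client who knows the password sends 'X-Forwarded-For: 127.0.0.1'
and is treated as local. Names, fields and addresses here are assumptions.
"""
import ipaddress

# Assumed: the one reverse proxy whose X-Forwarded-For we are willing to trust.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False


def remote_addr_vulnerable(peer: str, headers: dict) -> str:
    """Flawed logic: the header, which the client controls, wins over the
    socket peer. The left-most hop is exactly what the client wrote."""
    xff = headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return peer


def remote_addr_hardened(peer: str, headers: dict) -> str:
    """Use the socket peer unless it is a trusted proxy; then walk the
    X-Forwarded-For chain from the right, skipping trusted proxies, and
    take the first hop that a trusted proxy (not the client) appended."""
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        return peer
    if peer_ip not in TRUSTED_PROXIES:
        return peer  # direct client: the header is untrusted noise
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    while hops:
        candidate = hops.pop()
        try:
            if ipaddress.ip_address(candidate) in TRUSTED_PROXIES:
                continue  # an intermediate trusted proxy, keep walking left
        except ValueError:
            return peer  # malformed hop: fall back to the socket peer (fails closed)
        return candidate
    return peer  # proxy sent no usable hop: treat the proxy itself as the client


def loopback_user_allowed(resolve, peer: str, headers: dict,
                          user: str, loopback_users: set) -> bool:
    """The loopback_users rule, parameterised by the address resolver."""
    if user not in loopback_users:
        return True
    return _is_loopback(resolve(peer, headers))


if __name__ == "__main__":
    # Constructed request: remote client 203.0.113.9 spoofing a loopback origin.
    spoofed = {"x-forwarded-for": "127.0.0.1"}
    print("vulnerable:", loopback_user_allowed(remote_addr_vulnerable, "203.0.113.9",
                                              spoofed, "guest", {"guest"}))
    print("hardened:  ", loopback_user_allowed(remote_addr_hardened, "203.0.113.9",
                                              spoofed, "guest", {"guest"}))
```

Even the hardened resolver still lets a trusted proxy vouch for "127.0.0.1", which is the proxy's localhost, not the broker's, whenever the proxy runs on another host. The strictest reading of loopback_users is therefore to ignore X-Forwarded-For for that check altogether and use only the socket peer.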
[Bug 1104843] New: rabbitmqctl doesn't work
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1104843
Bug ID: 1104843
Summary: rabbitmqctl doesn't work
Product: Fedora
Version: 20
Component: rabbitmq-server
Severity: high
Priority: urgent
Assignee: hubert.plociniczak(a)gmail.com
Reporter: jeckersb(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: apevec(a)redhat.com, erlang(a)lists.fedoraproject.org,
fdinitto(a)redhat.com, hubert.plociniczak(a)gmail.com,
jeckersb(a)redhat.com, lemenkov(a)gmail.com,
lhh(a)redhat.com, rjones(a)redhat.com, s(a)shk.io
Depends On: 1104193
Blocks: 1083890
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1104193
[Bug 1104193] rabbitmqctl doesn't work
[Bug 1197421] New: Logrotate needs to use systemctl
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1197421
Bug ID: 1197421
Summary: Logrotate needs to use systemctl
Product: Fedora EPEL
Version: epel7
Component: rabbitmq-server
Severity: medium
Assignee: lemenkov(a)gmail.com
Reporter: bwong(a)fastmail.fm
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com,
rjones(a)redhat.com, s(a)shk.io
Description of problem:
The package rabbitmq-server-3.3.5-4.el7.noarch installs a logrotate
configuration file that uses /sbin/service. Log rotation does not run
successfully because the postrotate parameter needs to be updated.
The message received from logrotate (via cron):
/etc/cron.hourly/logrotate:
The service command supports only basic LSB actions (start, stop, restart,
try-restart, reload, force-reload, status). For other actions, please try to
use systemctl.
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
Version-Release number of selected component (if applicable):
rabbitmq-server-3.3.5-4.el7.noarch
How reproducible:
Consistently
Steps to Reproduce:
1. Install rabbitmq-server.
2. View logrotate configuration file /etc/logrotate.d/rabbitmq-server
3.
Actual results:
All I can confirm is the error message from logrotate, whether the rabbitmq
logs actually get rotated, I cannot say for sure at this time.
Expected results:
A working postrotate command
Additional info:
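Bugs 1183690 and 1197421 quote the same failing stanza: on a systemd host, /sbin/service only forwards the basic LSB actions, so "rotate-logs" is refused and the shared postrotate script errors out. The script below is an added example, not the Fedora package's own fix: it detects that stanza in a logrotate file and rewrites the command to call rabbitmqctl directly, whose rotate_logs action asks the running node to reopen its log files. The sample configuration is constructed from the lines the reports quote, and the path /usr/sbin/rabbitmqctl is an assumption to adjust to the installed location.

```python
"""Added example: find and replace the legacy '/sbin/service <unit> rotate-logs'
postrotate command with a direct rabbitmqctl call. Not the package's own fix;
the rabbitmqctl path is an assumption.
"""
import re

# Constructed from the stanza quoted in the bug reports; only the parts the
# reports mention (the glob, sharedscripts, postrotate ... endscript) are included.
LEGACY_CONFIG = """\
/var/log/rabbitmq/*.log {
    sharedscripts
    postrotate
        /sbin/service rabbitmq-server rotate-logs > /dev/null
    endscript
}
"""

# Match the legacy command on its own line, keeping indentation (group 1),
# the unit name (group 2) and anything after the action such as a redirect (group 3).
LEGACY_RE = re.compile(r"^(\s*)/sbin/service\s+(\S+)\s+rotate-logs\b(.*)$", re.M)


def uses_legacy_service_action(config: str) -> bool:
    """True when the config still drives log rotation through the LSB wrapper."""
    return LEGACY_RE.search(config) is not None


def fix_postrotate(config: str, rabbitmqctl: str = "/usr/sbin/rabbitmqctl") -> str:
    """Swap only the command; indentation and the trailing redirect are preserved.
    Idempotent: a config that is already fixed comes back unchanged."""
    return LEGACY_RE.sub(lambda m: f"{m.group(1)}{rabbitmqctl} rotate_logs{m.group(3)}",
                         config)


def fix_file(path: str, rabbitmqctl: str = "/usr/sbin/rabbitmqctl") -> bool:
    """Rewrite a logrotate file in place; returns True if it was changed."""
    with open(path) as fh:
        original = fh.read()
    fixed = fix_postrotate(original, rabbitmqctl)
    if fixed == original:
        return False
    with open(path, "w") as fh:
        fh.write(fixed)
    return True


if __name__ == "__main__":
    print(fix_postrotate(LEGACY_CONFIG))
```

Run fix_file("/etc/logrotate.d/rabbitmq-server") as root on an affected host, then confirm with "logrotate -d /etc/logrotate.d/rabbitmq-server" that the postrotate script is accepted. One caveat: rabbitmqctl needs access to the node's Erlang cookie, so the command must run in a context that can read the rabbitmq user's cookie, not root's own; check how the installed rabbitmqctl wrapper handles that before relying on it from cron.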