group.of.nepali.translators team mailing list archive

[Launchpad Bug Tracker <1706900@xxxxxxxxxxxxxxxxxx>]

This bug was fixed in the package rabbitmq-server - 3.2.4-1ubuntu0.1

---------------
rabbitmq-server (3.2.4-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass (LP: #1706900)
    - debian/patches/CVE-2016-9877.patch: fix password check in
      plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl, add test to
      plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java,
      fix URL in plugins-src/rabbitmq-mqtt/test/Makefile.
    - CVE-2016-9877

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Thu, 27 Jul 2017
14:48:35 -0400

** Changed in: rabbitmq-server (Ubuntu Trusty)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1706900

Title:
  CVE-2016-9877 RabbitMQ authentication vulnerability

Status in RabbitMQ:
  Fix Released
Status in rabbitmq-server package in Ubuntu:
  Fix Released
Status in rabbitmq-server source package in Trusty:
  Fix Released
Status in rabbitmq-server source package in Xenial:
  Fix Released

Bug description:
  https://pivotal.io/security/cve-2016-9877

    "MQTT (MQ Telemetry Transport) connection authentication with a
  username/password pair succeeds if an existing username is provided
  but the password is omitted from the connection request. Connections
  that use TLS with a client-provided certificate are not affected."

  Affects RabbitMQ "3.x versions prior to 3.5.8"

  Ubuntu's Xenial repos are currently offering 3.5.7-1ubuntu0.16.04.1,
  and according to its changelog, Pivotal's fix for CVE-2016-9877 has
  not been included.

To manage notifications about this bug go to:
https://bugs.launchpad.net/rabbitmq/+bug/1706900/+subscriptions