[Bug 1706900] Re: CVE-2016-9877 RabbitMQ authentication vulnerability

Nils Toedtmann 1706900 at bugs.launchpad.net
Mon Jul 31 19:38:43 UTC 2017


Thanks for fixing so quickly once this ticket was raised!

I have questions though about the time before.

rabbitmq-server is in the Canonical-supported 'main' repo of two active
Ubuntu LTS releases. In Dec 2016, a security issue and a patch are
published upstream, rated 'critical'. Debian rates it as 'high' and
releases updates within a month. At some point in time (I can't say
when), the issue appears in Ubuntu's CVE tracker (see above) and gets
marked 'medium'. Other than that, nothing happens at Ubuntu until a
random user (me) stumbles upon it and files this very bug report.

- Why was this bug rated lower than upstream ('medium' rather than 'critical')?
- What is the CVE tracker for, if not triggering the process leading to security updates where necessary?
- Are there targets defined/documented somewhere, how quickly upstream security patches ought to be integrated into 'main' LTS packages?
- Assuming we agree that 7 months is too long (right?), what is being done to make sure those targets are met?

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to rabbitmq-server in Ubuntu.
https://bugs.launchpad.net/bugs/1706900

Title:
  CVE-2016-9877 RabbitMQ authentication vulnerability

Status in RabbitMQ:
  Fix Released
Status in rabbitmq-server package in Ubuntu:
  Fix Released
Status in rabbitmq-server source package in Trusty:
  Fix Released
Status in rabbitmq-server source package in Xenial:
  Fix Released

Bug description:
  https://pivotal.io/security/cve-2016-9877

  "MQTT (MQ Telemetry Transport) connection authentication with a
  username/password pair succeeds if an existing username is provided
  but the password is omitted from the connection request. Connections
  that use TLS with a client-provided certificate are not affected."

  Affects RabbitMQ "3.x versions prior to 3.5.8"

  Ubuntu's Xenial repos are currently offering 3.5.7-1ubuntu0.16.04.1,
  and according to its changelog, Pivotal's fix for CVE-2016-9877 has
  not been included.

To manage notifications about this bug go to:
https://bugs.launchpad.net/rabbitmq/+bug/1706900/+subscriptions



More information about the Ubuntu-openstack-bugs mailing list
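The quoted advisory describes the flaw in one sentence: an MQTT CONNECT that sets the User Name Flag but leaves the Password Flag clear is a legal packet under MQTT 3.1.1, and the broker accepted it for any existing username. The following is an added example written for this page, not RabbitMQ's code and not the Pivotal patch: it builds and parses MQTT 3.1.1 CONNECT packets and contrasts a simplified password check that treats an omitted password as "nothing to verify" (the reported behaviour) with one that treats it as a failed check. The user table, client ids and passwords are constructed for the example; `authenticate_vulnerable` and `authenticate_fixed` are hypothetical names.

```python
"""Illustrative model of the CVE-2016-9877 behaviour quoted in the bug report.

Added example, not RabbitMQ's own code: builds and parses MQTT 3.1.1 CONNECT
packets and contrasts a password check that accepts an omitted password with
one that rejects it.
"""
import hmac
import struct

CONNACK_ACCEPTED = 0x00
CONNACK_BAD_CREDENTIALS = 0x04  # MQTT 3.1.1 CONNACK code: bad user name or password

# Constructed user table for the example (plaintext only for brevity).
USERS = {"guest": "guest", "app": "s3cret"}


def _mqtt_str(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix + bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _remaining_length(n: int) -> bytes:
    """Variable-length Remaining Length field (7 bits per byte, MSB = continue)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def build_connect(client_id: str, username=None, password=None) -> bytes:
    """Build an MQTT 3.1.1 CONNECT; username and password are optional fields."""
    flags = 0x02  # Clean Session
    payload = _mqtt_str(client_id)
    if username is not None:
        flags |= 0x80  # User Name Flag
        payload += _mqtt_str(username)
    if password is not None:
        flags |= 0x40  # Password Flag (the spec only allows it with the User Name Flag)
        payload += _mqtt_str(password)
    # Variable header: protocol name, protocol level 4, connect flags, keep-alive 60s
    var_header = _mqtt_str("MQTT") + bytes([4, flags]) + struct.pack(">H", 60)
    body = var_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


def _read_str(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_connect(pkt: bytes) -> dict:
    """Decode a CONNECT; username/password are None when their flag is clear."""
    if pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    pos, mult, rem = 1, 1, 0
    while True:  # decode Remaining Length
        b = pkt[pos]
        pos += 1
        rem += (b & 0x7F) * mult
        mult *= 128
        if not b & 0x80:
            break
    body = pkt[pos:pos + rem]
    proto, p = _read_str(body, 0)
    level, flags = body[p], body[p + 1]
    p += 4  # protocol level, connect flags, keep-alive (2 bytes)
    client_id, p = _read_str(body, p)
    username = password = None
    if flags & 0x80:
        username, p = _read_str(body, p)
    if flags & 0x40:
        password, p = _read_str(body, p)
    return {"protocol": proto, "level": level, "client_id": client_id,
            "username": username, "password": password}


def _password_ok(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def authenticate_vulnerable(conn: dict) -> int:
    """Hypothetical model of the reported bug: an existing username with no
    Password Flag is accepted because there is no password to compare."""
    if conn["username"] not in USERS:
        return CONNACK_BAD_CREDENTIALS
    if conn["password"] is None:
        return CONNACK_ACCEPTED  # the flaw: absence of a password is not a failure
    return CONNACK_ACCEPTED if _password_ok(conn["username"], conn["password"]) else CONNACK_BAD_CREDENTIALS


def authenticate_fixed(conn: dict) -> int:
    """Hardened check: a username/password login requires both fields to be
    present, and an absent password is a failed check, not a skipped one."""
    if conn["username"] is None or conn["password"] is None:
        return CONNACK_BAD_CREDENTIALS
    return CONNACK_ACCEPTED if _password_ok(conn["username"], conn["password"]) else CONNACK_BAD_CREDENTIALS


if __name__ == "__main__":
    conn = parse_connect(build_connect("client-1", username="guest"))  # no Password Flag
    print("username-only CONNECT, vulnerable check:", hex(authenticate_vulnerable(conn)))
    print("username-only CONNECT, fixed check:     ", hex(authenticate_fixed(conn)))
```

The certificate-authenticated TLS path the advisory excludes is not modelled here; the point of the example is that the hardened check's decision is driven by whether a password was verified, not merely by whether the username exists.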