==================================================================== CERT-Renater Note d'Information No. 2019/VULN390 _____________________________________________________________________ DATE : 10/12/2019 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running librabbitmq. ===================================================================== https://lists.debian.org/debian-lts-announce/2019/12/msg00004.html https://usn.ubuntu.com/4214-1/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WA7CPNVYMF6OQNIYNLWUY6U2GTKFOKH3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQER6XTKYMHNQR7QTHW7DJAH645WQROU/ _____________________________________________________________________ Package : librabbitmq Version : 0.5.2-2+deb8u1 CVE ID : CVE-2019-18609 Debian Bug : #946005 It was discovered that there was an integer overflow vulnerability in librabbitmq, a library for robust messaging between applications and servers. For Debian 8 "Jessie", this issue has been fixed in librabbitmq version 0.5.2-2+deb8u1. We recommend that you upgrade your librabbitmq packages. Regards, - -- ,''`. : :' : Chris Lamb `. `'` lamby@debian.org / chris-lamb.co.uk `- _____________________________________________________________________ USN-4214-1: RabbitMQ vulnerability 5 December 2019 librabbitmq vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.10 Ubuntu 19.04 Ubuntu 14.04 ESM Summary RabbitMQ could be made to execute arbitrary code if it received a specially crafted input. Software Description librabbitmq - Command-line utilities for interacting with AMQP servers Details It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 19.10 amqp-tools - 0.9.0-0.2ubuntu0.19.10.1 librabbitmq4 - 0.9.0-0.2ubuntu0.19.10.1 Ubuntu 19.04 amqp-tools - 0.9.0-0.2ubuntu0.19.04.1 librabbitmq4 - 0.9.0-0.2ubuntu0.19.04.1 Ubuntu 14.04 ESM amqp-tools - 0.4.1-1ubuntu0.1~esm1 librabbitmq1 - 0.4.1-1ubuntu0.1~esm1 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. References CVE-2019-18609 _____________________________________________________________________ -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2019-dd7c8f5435 2019-12-10 03:03:41.437135 -------------------------------------------------------------------------------- Name : librabbitmq Product : Fedora 30 Version : 0.10.0 Release : 1.fc30 URL : https://github.com/alanxz/rabbitmq-c Summary : Client library for AMQP Description : This is a C-language AMQP client library for use with AMQP servers speaking protocol versions 0-9-1. -------------------------------------------------------------------------------- Update Information: **Added:** * amqp_ssl_socket_get_context can be used to get the current OpenSSL CTX* associated with a connection. **Changed:** * openssl:missing OpenSSL config is ignored as an OpenSSL init error (#523) * AMQP_DEFAULT_MAX_CHANNELS is now set to 2047 to follow current default channel limit in the RabbitMQ broker. (#513) **Fixed:** * add additional input validation to prevent integer overflow when parsing a frame header. This addresses **CVE-2019-18609**. -------------------------------------------------------------------------------- ChangeLog: * Mon Dec 2 2019 Remi Collet