26433 fix response-splitting vulnerability in /api/downloads (since 2.1.0)

Bug 26433 allowed an attacker to specify a URL to /api/definitions which would cause an arbitrary additional header to be returned. This was fixed by stripping out CR/LF from the "download" query string parameter.

Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/dceba16cc105

References:
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
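The mechanism the report describes, as an added example in Python (this is not RabbitMQ's Erlang code or the upstream patch; function names, the header layout and the attack URL are constructed here for illustration): a "download" query parameter is copied into a Content-Disposition header, a URL-encoded CR/LF in that parameter terminates the header line and smuggles an extra Set-Cookie header into the response, and stripping CR/LF from the value (the approach the upstream fix took) collapses the payload back into a single header line. A stricter variant that rejects the request with 400 instead of rewriting the value is included alongside.

```python
"""Added example (not RabbitMQ code): CR/LF injection through a query
parameter that ends up in a response header, and two ways to close it."""
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

CRLF = "\r\n"

# Constructed attack URL: %0d%0a is CR LF, %22 is a double quote that closes
# the filename so the injected Set-Cookie line is clean. Hypothetical input.
ATTACK_URL = ("/api/definitions?download="
              "x%22%0d%0aSet-Cookie:%20pwned=1%0d%0aX-Ignore:%20%22")


def download_param(url: str) -> str:
    """Return the percent-decoded 'download' query parameter (empty if absent)."""
    return parse_qs(urlsplit(url).query).get("download", [""])[0]


def _serialize(status: str, headers: List[Tuple[str, str]], body: bytes) -> bytes:
    """Join status line and headers with CRLF; no escaping of header values."""
    head = status + CRLF + CRLF.join(f"{k}: {v}" for k, v in headers) + CRLF + CRLF
    return head.encode("latin-1") + body


def build_response_vulnerable(download: str, body: bytes) -> bytes:
    """Pre-fix pattern: the raw parameter lands inside Content-Disposition."""
    headers = [("Content-Type", "application/json"),
               ("Content-Disposition", f'attachment; filename="{download}"'),
               ("Content-Length", str(len(body)))]
    return _serialize("HTTP/1.1 200 OK", headers, body)


def strip_crlf(value: str) -> str:
    """Sanitizer in the spirit of the upstream fix: drop CR and LF outright."""
    return value.replace("\r", "").replace("\n", "")


def build_response_fixed(download: str, body: bytes) -> bytes:
    """Same header layout, but the parameter is sanitized first."""
    return build_response_vulnerable(strip_crlf(download), body)


def build_response_strict(download: str, body: bytes) -> bytes:
    """Stricter alternative: refuse a value that could never be a valid filename."""
    if "\r" in download or "\n" in download:
        msg = b"bad download parameter"
        return _serialize("HTTP/1.1 400 Bad Request",
                          [("Content-Type", "text/plain"),
                           ("Content-Length", str(len(msg)))], msg)
    return build_response_vulnerable(download, body)


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a serialized response into (status line, [(name, value), ...]),
    the way a CRLF-delimited client would see it."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status, *lines = head.decode("latin-1").split(CRLF)
    return status, [tuple(line.split(": ", 1)) for line in lines]


def header_names(raw: bytes) -> List[str]:
    return [name for name, _ in parse_response(raw)[1]]


def header_value(raw: bytes, name: str) -> str:
    """First value of header `name`, or '' if the response does not carry it."""
    for k, v in parse_response(raw)[1]:
        if k.lower() == name.lower():
            return v
    return ""


if __name__ == "__main__":
    payload = download_param(ATTACK_URL)
    for label, fn in (("vulnerable", build_response_vulnerable),
                      ("fixed", build_response_fixed),
                      ("strict", build_response_strict)):
        raw = fn(payload, b"{}")
        print(label, parse_response(raw)[0], header_names(raw))
```

The vulnerable variant yields a response whose header list contains a Set-Cookie header the server never intended to send; the sanitized variant keeps the whole payload inside the quoted filename on one line, and the strict variant never emits the download at all. Whichever fix you adopt, the check belongs where the value is turned into a header, not at the URL parser, since percent-decoding is exactly what turns %0d%0a back into a line break.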
Created rabbitmq-server tracking bugs for this issue: Affects: fedora-all [bug 1185516] Affects: epel-all [bug 1185517]
Both this and corresponding bug 1185514 were addressed in RabbitMQ 3.4.1. We already ship ver. 3.5.x, so this issue is already fixed in Fedora 22+. As for Fedora 21 users, we strongly advise users to upgrade to F22 or to the upcoming F23.
Reopening - unfortunately it is still not fixed for EPEL7.
rabbitmq-server-3.3.5-12.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: OpenStack 6 for RHEL 7 Via RHSA-2016:0308 https://rhn.redhat.com/errata/RHSA-2016-0308.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 Via RHSA-2016:0369 https://rhn.redhat.com/errata/RHSA-2016-0369.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 Via RHSA-2016:0368 https://rhn.redhat.com/errata/RHSA-2016-0368.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2016:0367 https://rhn.redhat.com/errata/RHSA-2016-0367.html