Bug#773140: unblock: rabbitmq-server/3.3.5-1.1

To: Matt Kraai <kraai@ftbfs.org>, 773140@bugs.debian.org
Cc: rabbitmq-server@packages.debian.org
Subject: Bug#773140: unblock: rabbitmq-server/3.3.5-1.1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Mon, 15 Dec 2014 13:34:08 +0000
Message-id: <[🔎] 7d47c397eccb359f499d025c50e4c007@mail.adsl.funky-badger.org>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 773140@bugs.debian.org
In-reply-to: <[🔎] 20141214230723.27167.95723.reportbug@hpe-490t.ftbfs.org>
References: <[🔎] 20141214230723.27167.95723.reportbug@hpe-490t.ftbfs.org>

Control: tags -1 + moreinfo

On 2014-12-14 23:07, Matt Kraai wrote:

Is it OK to uploade rabbitmq-server/3.3.5-1.1 totesting-proposed-updates?
773134 reports that it is insecure because it trusts theX-Forwarded-For HTTP
header.  The following patches were applied upstream to fix this:

 * http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
 * http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d

rabbitmq-server/3.4.1-1 is already in unstable.

That new upstream version was uploaded at urgency=high the day beforethe freeze, with no explanation other than "new upstream release". Giventhat 3.4.0 had been out for a fortnight by that point, it looks verymuch like trying to game the freeze. :-(

rabbitmq-server maintainers, are there any other RC bugs that you'replanning to file on the package?


Regards,

Adam

Reply to:

Follow-Ups:
- Bug#773140: unblock: rabbitmq-server/3.3.5-1.1
  - From: Blair Hester <blair.hester@gmail.com>
- Bug#773140: unblock: rabbitmq-server/3.3.5-1.1
  - From: Jonathan Wiltshire <jmw@debian.org>

References:
- Bug#773140: unblock: rabbitmq-server/3.3.5-1.1
  - From: Matt Kraai <kraai@ftbfs.org>

Prev by Date: Bug#773152: marked as done (unblock: rpm/4.11.3-1.1)
Next by Date: Processed: Re: Bug#773140: unblock: rabbitmq-server/3.3.5-1.1
Previous by thread: Bug#773140: unblock: rabbitmq-server/3.3.5-1.1
Next by thread: Bug#773140: unblock: rabbitmq-server/3.3.5-1.1
Index(es):
- Date
- Thread