
Bug#1002956: bullseye-pu: package rabbitmq-server/3.8.9-3 CVE-2021-32718, CVE-2021-32719



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Hi,

I'd like to update rabbitmq-server to address:
https://bugs.debian.org/990524

That's CVE-2021-32718, CVE-2021-32719.

[ Impact ]
XSS security bugs.

[ Risks ]
The patch only impacts some plugins which aren't activated
by default, so most users aren't even impacted. However, the
patches are also super-small, so why not approve them?

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Cheers,

Thomas Goirand (zigo)
diff -Nru rabbitmq-server-3.8.9/debian/changelog rabbitmq-server-3.8.9/debian/changelog
--- rabbitmq-server-3.8.9/debian/changelog	2021-04-10 22:59:57.000000000 +0200
+++ rabbitmq-server-3.8.9/debian/changelog	2022-01-01 18:46:04.000000000 +0100
@@ -1,3 +1,23 @@
+rabbitmq-server (3.8.9-3+deb11u1) bullseye; urgency=medium
+
+  * CVE-2021-32719: In rabbitmq-server prior to version 3.8.18, when a
+    federation link was displayed in the RabbitMQ management UI via the
+    `rabbitmq_federation_management` plugin, its consumer tag was rendered
+    without proper <script> tag sanitization. This potentially allows
+    for JavaScript code execution in the context of the page. The user must
+    be signed in and have elevated permissions (manage federation upstreams
+    and policies) for this to occur. Applied upstream patch: Escape the
+    consumer-tag value in federation mgmt.
+  * CVE-2021-32718: In rabbitmq-server prior to version 3.8.17, a new user
+    being added via management UI could lead to the user's bane being
+    rendered in a confirmation message without proper `<script>` tag
+    sanitization, potentially allowing for JavaScript code execution in the
+    context of the page. In order for this to occur, the user must be signed
+    in and have elevated permissions (other user management).
+  * Closes: #990524
+
+ -- Thomas Goirand <zigo@debian.org>  Sat, 01 Jan 2022 18:46:04 +0100
+
 rabbitmq-server (3.8.9-3) unstable; urgency=medium
 
   [ Adam Cecile ]
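Review bot: the CVE-2021-32718 entry has a typo, "the user's bane" should read "the user's name" (matching the advisory wording). For symmetry with the CVE-2021-32719 entry, it could also name the applied upstream patch ("Escape username before displaying it") so the changelog can be matched to debian/patches.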
diff -Nru rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch
--- rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch	1970-01-01 01:00:00.000000000 +0100
+++ rabbitmq-server-3.8.9/debian/patches/CVE-2021-32718_Escape_username_before_displaying_it.patch	2022-01-01 18:46:04.000000000 +0100
@@ -0,0 +1,21 @@
+Description: CVE-2021-32718: Escape username before displaying it
+ All other values displayed in pop-ups are already escaped.
+Author: Michael Klishin <michael@clojurewerkz.org>
+Date: Thu, 6 May 2021 06:57:43 +0300
+Origin: upstream, https://github.com/rabbitmq/rabbitmq-server/commit/5d15ffc5ebfd9818fae488fc05d1f120ab02703c.patch
+Bug-Debian: https://bugs.debian.org/990524
+Last-Update: 2022-01-01
+
+diff --git a/deps/rabbitmq_management/priv/www/js/dispatcher.js b/deps/rabbitmq_management/priv/www/js/dispatcher.js
+index d2842c2da8a..5f1b54dbac8 100644
+--- a/deps/rabbitmq_management/priv/www/js/dispatcher.js
++++ b/deps/rabbitmq_management/priv/www/js/dispatcher.js
+@@ -189,7 +189,7 @@ dispatcher_add(function(sammy) {
+             res = sync_put(this, '/users/:username');
+             if (res) {
+                 if (res.http_status === 204) {
+-                    username = res.req_params.username;
++                    username = fmt_escape_html(res.req_params.username);
+                     show_popup('warn', "Updated an existing user: '" + username + "'");
+                 }
+                 update();
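Review bot: only the 204 ("Updated an existing user") branch is visible in this hunk, so confirm that no other path in this handler interpolates `res.req_params.username` into `show_popup` unescaped; the Description's claim that all other pop-up values are already escaped is exactly what this one-line fix depends on. The shape of the change is right: escaping with `fmt_escape_html` at the point of HTML interpolation rather than rejecting characters at input leaves the stored username untouched.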
diff -Nru rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
--- rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch	1970-01-01 01:00:00.000000000 +0100
+++ rabbitmq-server-3.8.9/debian/patches/CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch	2022-01-01 18:46:04.000000000 +0100
@@ -0,0 +1,21 @@
+Description: CVE-2021-32719 Escape the consumer-tag value in federation mgmt
+ Patches persistent XSS.
+Author: Patrik Ragnarsson <patrik@starkast.net>
+Date: Sat, 19 Jun 2021 09:23:12 +0200
+Origin: upstream, https://github.com/rabbitmq/rabbitmq-server/pull/3122
+Bug-Debian: https://bugs.debian.org/990524
+Last-Update: 2021-01-01
+
+diff --git a/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs b/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
+index 5b3e14d0638..838eac1eb3b 100644
+--- a/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
++++ b/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
+@@ -45,7 +45,7 @@
+      <td class="r"><%= fmt_time(upstream.value['message-ttl'], 'ms') %></td>
+      <td class="r"><%= fmt_string(upstream.value['ha-policy']) %></td>
+      <td class="r"><%= fmt_string(upstream.value['queue']) %></td>
+-     <td class="r"><%= upstream.value['consumer-tag'] %></td>
++     <td class="r"><%= fmt_string(upstream.value['consumer-tag']) %></td>
+    </tr>
+ <% } %>
+  </tbody>
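Review bot: `Last-Update: 2021-01-01` predates both the upstream Date (19 Jun 2021) and the other patch's Last-Update (2022-01-01); it looks like a typo for 2022-01-01. Also confirm that `fmt_string` HTML-escapes its argument, since this fix relies on it in the same way the neighbouring `ha-policy` and `queue` columns already do.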
diff -Nru rabbitmq-server-3.8.9/debian/patches/series rabbitmq-server-3.8.9/debian/patches/series
--- rabbitmq-server-3.8.9/debian/patches/series	2021-04-10 22:59:57.000000000 +0200
+++ rabbitmq-server-3.8.9/debian/patches/series	2022-01-01 18:46:04.000000000 +0100
@@ -1,3 +1,4 @@
 lets-use-python3-not-python-binary.patch
 rabbitmq-dist.mk.patch
 Upstream_PR2965_fixing_rabbitmqctl_parsing
+CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch
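Review bot: the series file gains only `CVE-2021-32719_Escape_the_consumer-tag_value_in_federation_mgmt.patch`; `CVE-2021-32718_Escape_username_before_displaying_it.patch` is added under debian/patches but never listed here, so quilt will not apply it at build time and the resulting package would still carry CVE-2021-32718 despite the changelog entry. Add a line `+CVE-2021-32718_Escape_username_before_displaying_it.patch` to this hunk (and the debdiff/changelog should be re-checked against the built binary before upload).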
