Bug#1002956: Remote RCE in rabbitmq-server
- To: Tim Abbott <tabbott@zulipchat.com>, 1002956@bugs.debian.org
- Subject: Bug#1002956: Remote RCE in rabbitmq-server
- From: Thomas Goirand <zigo@debian.org>
- Date: Wed, 3 Aug 2022 09:22:44 +0200
- Message-id: <ba9f4d0a-86fc-3b75-6d2a-ec7303994274@debian.org>
- Reply-to: Thomas Goirand <zigo@debian.org>, 1002956@bugs.debian.org
- In-reply-to: <CAJFukobjnqtaYjtBO6FY=54ESD2fu0HxLr0V6OLzvWKZqtGo-w@mail.gmail.com>
- References: <YeCRxhTLuuednKvP@eldamar.lan> <4a6cb554-c1d4-4a75-3696-fb364e0623ce@debian.org> <CA+nfF6Zr-R1wEW9PfFaDwP4eNdpNipVzJiQokJb6+Cx0NNZzFg@mail.gmail.com> <43faa264-2061-347c-a04b-5f0cd625611a@debian.org> <CAJFukoY40L4hOuHW2=NEu5786K_unFpgSud4QTVegAJETLd01g@mail.gmail.com> <472f441e-a1c7-bc91-e16a-c41ab34666dd@debian.org> <CA+nfF6ZHatNLpff3zG0x1_9v+vWe_+Dcs16bk9Vx-mVmA8c-mA@mail.gmail.com> <e3104735-6310-4125-5b83-c83074e73e98@debian.org> <CAJFukoZExjxU1dGo1rZh3VkHG_O7oHLfk6CAx_vGcRgLTzWsHA@mail.gmail.com> <29d5d52c-b640-ce2f-c956-7961e38891d7@debian.org> <YfUHKQBU9OT0qtwe@eldamar.lan> <ccace2a8-2853-c6de-8697-3a959743bebb@debian.org> <CAJFukoaFPmJGwpMGCLW9n2MiGRAv0cEAs41i4=zk-e6mMAAT-w@mail.gmail.com> <707158ea-ab83-69c2-45e3-eacdf6c548d8@debian.org> <CAJFukoYVc6P09VEN9tM0yXQd0q7sWH=roorp5FdytD8s+GFbog@mail.gmail.com> <CAJFukobjnqtaYjtBO6FY=54ESD2fu0HxLr0V6OLzvWKZqtGo-w@mail.gmail.com> <164105986290.32321.15379237310679263189.reportbug@zbuz.infomaniak.ch>
Hi Tim,
On 8/3/22 02:22, Tim Abbott wrote:
> Just following up on this -- it makes me sad that this publicly known
> RCE vulnerability is still not fixed in stable.
> -Tim Abbott
Please don't top-post, we don't do that in Debian, and also:
> Because it messes up the order in which people normally read text.
> Why is top-posting such a bad thing?
> Top-posting.
> What is the most annoying thing in e-mail?
FYI, I'm sad too, but there's nothing I can do but ping the stable
release team again about this. You hear me well: the stable release
team. Not the security team since they do not want to do a security
announcement and an update through stable-security (so it shall be done
through a point release, dealing with the stable release team).
This means writing to 1002956@bugs.debian.org. That's the only email
address that has influence on accepting the fixed version. Feel free to
ping that email address until you get a reply. I agree that no reply
since the 29th of Jan is sad...
Cheers,
Thomas Goirand (zigo)