
Bug#1002956: Remote RCE in rabbitmq-server



On Wed, Aug 3, 2022 at 12:22 AM Thomas Goirand <zigo@debian.org> wrote:
> Hi Tim,
>
> Please don't top-post, we don't do that in Debian, and also:

Apologies! 

> FYI, I'm sad too, but there's nothing I can do but ping the stable
> release team again about this. You hear me well: the stable release
> team. Not the security team, since they do not want to do a security
> announcement and an update through stable-security (so it shall be done
> through a point release, dealing with the stable release team).

> This means writing to 1002956@bugs.debian.org. That's the only email
> address that has influence on accepting the fixed version. Feel free to
> ping that email address until you get a reply. I agree that no reply
> since the 29th of Jan is sad...

I still don't understand why the determination was made to not do a security announcement for this bug, given that it makes a Debian system that installs this package vulnerable to remote RCE without manual intervention. 

But given that determination was made, perhaps the best way I can contribute is by making sure this bug thread links to https://blog.zulip.com/2022/01/25/zulip-server-4-9-security-release/#cve-2021-43799-remote-code-execution-vulnerability-involving-rabbitmq, which has a bunch of public context about the impact of this bug, as well as background explanation that may help release managers who don't know much about Erlang/RabbitMQ.

-Tim Abbott
