
Bug#1111733: marked as done (trixie-pu: package rabbitmq-server/4.0.5-6+deb13u2 (CVE-2025-50200))



Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1111733,
regarding trixie-pu: package rabbitmq-server/4.0.5-6+deb13u2 (CVE-2025-50200)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1111733: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111733
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: rabbitmq-server@packages.debian.org
Control: affects -1 + src:rabbitmq-server
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
This is a fix for CVE-2025-50200:
https://bugs.debian.org/1108075

I'm sorry because I completely missed it. The CVE is about rabbitmq, in some
cases, logging a base64 version of a login token (i.e. login:password). I
simply applied the upstream patch.

[ Impact ]
Login token appears in the log (encoded as base64).

[ Tests ]
Tested that rabbitmq-server continues working. It does, but I didn't check
for the specific CVE.

[ Risks ]
I have to admit I don't understand a thing about Erlang, though the patch
seemed to be easy to backport (small patch, easy to understand where to
patch).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Please allow me to upload rabbitmq-server 4.0.5-6+deb13u2 to Trixie pu.

Cheers,

Thomas Goirand (zigo)
diff -Nru rabbitmq-server-4.0.5/debian/changelog rabbitmq-server-4.0.5/debian/changelog
--- rabbitmq-server-4.0.5/debian/changelog	2025-08-11 14:31:10.000000000 +0200
+++ rabbitmq-server-4.0.5/debian/changelog	2025-08-21 16:06:08.000000000 +0200
@@ -1,3 +1,16 @@
+rabbitmq-server (4.0.5-6+deb13u2) trixie; urgency=medium
+
+  * CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
+    authorization headers in plaintext encoded in base64. When querying
+    RabbitMQ api with HTTP/s with basic authentication it creates logs with all
+    headers in request, including authorization headers which show base64
+    encoded username:password. This is easy to decode and afterwards could be
+    used to obtain control to the system depending on credentials.
+    Added upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
+    (Closes: #1108075)
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 21 Aug 2025 16:06:08 +0200
+
 rabbitmq-server (4.0.5-6+deb13u1) trixie; urgency=medium
 
   * Fix rabbitmq-server broken plugin versions by applying patch from the BTS.
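Review bot: the "Added upstream patch:" line names `Fix_Cowboy_crashes_caused_by_double_reply.patch`, but the file added under debian/patches and listed in series is `CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch`; the changelog should use the real file name. The opening sentence, lifted from the CVE text, says "In versions 3.13.7 and prior" inside an update to 4.0.5, which invites the reader to conclude the package was unaffected; a short statement that 4.0.5 is affected as well (the patch header says the issue was introduced in 383ddb16341) would avoid that.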
diff -Nru rabbitmq-server-4.0.5/debian/patches/CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch rabbitmq-server-4.0.5/debian/patches/CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch
--- rabbitmq-server-4.0.5/debian/patches/CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch	1970-01-01 01:00:00.000000000 +0100
+++ rabbitmq-server-4.0.5/debian/patches/CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch	2025-08-21 16:06:08.000000000 +0200
@@ -0,0 +1,166 @@
+Description: [PATCH] Fix Cowboy crashes caused by double reply
+ Issue introduced in 383ddb16341.
+Author: Loic Hoguin <loic.hoguin@broadcom.com>
+Date: Tue, 25 Mar 2025 12:33:00 +0100
+Origin: upstream, https://patch-diff.githubusercontent.com/raw/rabbitmq/rabbitmq-server/pull/13612.patch
+Last-Update: 2025-08-18
+
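Review bot: the DEP-3 header carries no Bug-Debian field and its Description line does not mention CVE-2025-50200, so the only link between this file and the security issue is its file name; adding `Bug-Debian: https://bugs.debian.org/1108075` and the CVE id to the Description (for example `Description: CVE-2025-50200: Fix Cowboy crashes caused by double reply`) lets the security tracker and a later reviewer match patch to issue without opening the changelog. The Origin line points at the raw pull-request patch URL; if the pull request has been merged, the commit URL would be a more stable origin.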
+Index: rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+@@ -51,6 +51,8 @@
+ 
+ -export([disable_stats/1, enable_queue_totals/1]).
+ 
++-export([set_resp_not_found/2]).
++
+ -import(rabbit_misc, [pget/2]).
+ 
+ -include("rabbit_mgmt.hrl").
+@@ -1175,3 +1177,18 @@ catch_no_such_user_or_vhost(Fun, Replace
+ %% error is thrown when the request is out of range
+ sublist(List, S, L) when is_integer(L), L >= 0 ->
+     lists:sublist(lists:nthtail(S-1, List), L).
++
++-spec set_resp_not_found(binary(), cowboy_req:req()) -> cowboy_req:req().
++set_resp_not_found(NotFoundBin, ReqData) ->
++    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
++        not_found ->
++            <<"vhost_not_found">>;
++        _ ->
++            NotFoundBin
++    end,
++    ReqData1 = cowboy_req:set_resp_header(
++        <<"content-type">>, <<"application/json">>, ReqData),
++    cowboy_req:set_resp_body(rabbit_json:encode(#{
++        <<"error">> => <<"not_found">>,
++        <<"reason">> => ErrorMessage
++    }), ReqData1).
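Review bot: set_resp_not_found/2 only stages the response (cowboy_req:set_resp_header/3 and cowboy_req:set_resp_body/2) and deliberately does not call cowboy_req:reply, leaving Cowboy's REST flow to send the single 404 once resource_exists returns false; that contract is the whole point of the fix, so a comment above the -spec saying "stages the body, does not reply" would keep a future caller from replying itself and reintroducing the double reply. Minor: inside rabbit_mgmt_util the call is written as the remote call rabbit_mgmt_util:vhost(ReqData) where the local call vhost(ReqData) would be the idiom for the module's own function.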
+Index: rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
+@@ -29,11 +29,14 @@ allowed_methods(ReqData, Context) ->
+ content_types_provided(ReqData, Context) ->
+    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_exchange:exchange(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_exchange:exchange(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"exchange_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
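Review bot: this is the substantive change. The old resource_exists called raise_not_found/2, which replied through rabbit_mgmt_util:not_found/3 from inside the callback while the callback's own return value made cowboy_rest reply again (the "double reply" of the patch title), and the changelog attributes the logged Authorization headers to the crash that followed. The new code returns {false, ReqData1, Context} with the 404 body already staged, so only Cowboy replies; with allow_missing_post also returning false, a POST to a missing exchange should now get exactly one 404 carrying the JSON body. The [Tests] section says the CVE path itself was not exercised: one POST to a non-existent exchange with Basic authentication, checking for a single 404 and then for the absence of any "authorization" string in the server log, would confirm both the crash fix and the leak fix in one go.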
+@@ -104,18 +107,6 @@ bad({{coordinator_unavailable, _}, _}, R
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_vhost(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "exchange_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+-
+ %%--------------------------------------------------------------------
+ 
+ decode(Payload, <<"string">>) -> Payload;
+Index: rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
+@@ -25,11 +25,14 @@ variances(Req, Context) ->
+ allowed_methods(ReqData, Context) ->
+     {[<<"POST">>, <<"OPTIONS">>], ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_queue:queue(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_queue:queue(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"queue_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
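Review bot: same rewrite as in rabbit_mgmt_wm_exchange_publish with <<"queue_not_found">> as the literal. The one difference worth recording is that this handler's is_authorized uses is_authorized_admin rather than is_authorized_vhost (context line below), so this 404 path is only reachable by an authenticated administrator, which narrows who could have triggered the crash-and-log path here but does not change the fix. Since raise_not_found/2 is a local, unexported function, any caller the patch failed to remove would make the Erlang compiler reject the module with an undefined-function error rather than a warning, so a clean build of the backported package is itself the check that each module's sole caller was replaced.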
+@@ -54,17 +57,6 @@ do_it(ReqData0, Context) ->
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_admin(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "queue_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+ %%--------------------------------------------------------------------
+ 
+ action(Else, _Q, ReqData, Context) ->
+Index: rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
+@@ -29,11 +29,14 @@ allowed_methods(ReqData, Context) ->
+ content_types_provided(ReqData, Context) ->
+    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_queue:queue(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_queue:queue(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"queue_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
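Review bot: rabbit_mgmt_wm_queue_get is a POST endpoint as well (the allow_missing_post callback in the context lines is the giveaway), so the same single-404 reasoning as for the two hunks above applies. One detail to notice: the reason is now passed as a binary literal (<<"queue_not_found">>) straight into set_resp_not_found/2, replacing the string plus rabbit_data_coercion:to_binary/1 conversion in the removed raise_not_found/2, so the JSON "reason" value on the wire is unchanged while the extra conversion call disappears; the same holds for "exchange_not_found" in the exchange handler.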
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -152,17 +155,6 @@ basic_get(Ch, Q, AckMode, Enc, Trunc) ->
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_vhost(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "queue_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+ %%--------------------------------------------------------------------
+ 
+ maybe_truncate(Payload, none)                         -> Payload;
diff -Nru rabbitmq-server-4.0.5/debian/patches/series rabbitmq-server-4.0.5/debian/patches/series
--- rabbitmq-server-4.0.5/debian/patches/series	2025-08-11 14:31:10.000000000 +0200
+++ rabbitmq-server-4.0.5/debian/patches/series	2025-08-21 16:06:08.000000000 +0200
@@ -1,3 +1,4 @@
 lets-use-python3-not-python-binary.patch
 rabbitmq-dist.mk.patch
 elixir-1.18-compat.patch
+CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch

--- End Message ---
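The [Impact] section above describes Authorization headers landing in RabbitMQ's log as base64 `user:password`. As an added example (not part of the bug report, the Debian package, or RabbitMQ's own code), the following Python script is the defender-side check that goes with such a fix: it scans log lines for `Basic` tokens, confirms each one decodes to a `user:password` pair, reports only the username and line number, and emits a redacted copy of the line so the log itself can be kept. The log lines are constructed samples imitating an Erlang header-map dump and a plain header line; they are not real RabbitMQ output, and the header layouts they assume are the script's own assumption.

```python
"""Find and redact HTTP Basic credentials leaked into log lines.

Added example, not code from the Debian bug report or from RabbitMQ.
Assumed: the leaked header appears either as a plain "Authorization: Basic ..."
line or inside an Erlang map dump such as <<"authorization">> => <<"Basic ...">>.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# "authorization", any punctuation a header dump may put between the name and
# the scheme, the word "basic", then the base64 token. Case-insensitive.
_BASIC_RE = re.compile(
    r'(?P<prefix>authorization[\s"\'<>=:,]*basic\s+)(?P<token>[A-Za-z0-9+/]+=*)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Leak:
    line_no: int
    username: str        # the password is decoded for validation only, never stored
    redacted_line: str


def decode_basic(token: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) if token is well-formed Basic material, else None.

    validate=True rejects stray characters and bad padding; a missing ':' means
    the token is base64 but not a credential (a false positive we do not report).
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def redact_line(line: str) -> str:
    """Replace every Basic token on the line with a marker, keeping the rest intact."""
    return _BASIC_RE.sub(lambda m: m.group("prefix") + "[REDACTED]", line)


def scan(lines: Iterable[str]) -> List[Leak]:
    """One Leak per credential-bearing token, with the whole line already redacted."""
    leaks: List[Leak] = []
    for line_no, line in enumerate(lines, start=1):
        for match in _BASIC_RE.finditer(line):
            creds = decode_basic(match.group("token"))
            if creds is not None:
                leaks.append(Leak(line_no, creds[0], redact_line(line)))
    return leaks


# Constructed sample log lines (not real RabbitMQ output):
SAMPLE_LOG = [
    # 1: a crash report that dumped the whole header map; token is guest:s3cr3t
    '2025-08-21 16:06:08.000 [error] <0.1234.0> crash report, headers: '
    '#{<<"authorization">> => <<"Basic Z3Vlc3Q6czNjcjN0">>,<<"host">> => <<"localhost:15672">>}',
    # 2: a plain header line; token is admin:hunter2
    '2025-08-21 16:06:09.000 [debug] Authorization: Basic YWRtaW46aHVudGVyMg==',
    # 3: looks like a header but the token is not base64
    '2025-08-21 16:06:10.000 [debug] Authorization: Basic not-base64',
    # 4: valid base64 ("hello") that is not a user:password pair
    '2025-08-21 16:06:11.000 [debug] Authorization: Basic aGVsbG8=',
    # 5: an ordinary line with nothing to redact
    '2025-08-21 16:06:12.000 [info] accepting AMQP connection 127.0.0.1:51234',
]


if __name__ == "__main__":
    for leak in scan(SAMPLE_LOG):
        print(f"line {leak.line_no}: Basic credential for user {leak.username!r}")
        print("  redacted:", leak.redacted_line)
```

After deploying the fixed package, a practitioner would run `scan()` once over the existing server log to learn which accounts were exposed and need rotating, and keep only the redacted lines if the log must be retained; the script deliberately validates the token before reporting so that random base64 fragments in other log lines do not turn into noise.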
--- Begin Message ---
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's
13.2 trixie point release.

Regards,

Adam

--- End Message ---
