Bug#1002956: Remote RCE in rabbitmq-server

To: Tim Abbott <tabbott@zulipchat.com>
Cc: 1002956@bugs.debian.org
Subject: Bug#1002956: Remote RCE in rabbitmq-server
From: Thomas Goirand <zigo@debian.org>
Date: Fri, 5 Aug 2022 10:54:58 +0200
Message-id: <[🔎] b72c2448-84da-795d-1d7f-c05b1aab7acc@debian.org>
Reply-to: Thomas Goirand <zigo@debian.org>, 1002956@bugs.debian.org
In-reply-to: <[🔎] CAJFukobBLtk80i2Dr8eEjAWH-hVi_T0tZgAOYCd8ekHRP787Hw@mail.gmail.com>
References: <YeCRxhTLuuednKvP@eldamar.lan> <CA+nfF6Zr-R1wEW9PfFaDwP4eNdpNipVzJiQokJb6+Cx0NNZzFg@mail.gmail.com> <43faa264-2061-347c-a04b-5f0cd625611a@debian.org> <CAJFukoY40L4hOuHW2=NEu5786K_unFpgSud4QTVegAJETLd01g@mail.gmail.com> <472f441e-a1c7-bc91-e16a-c41ab34666dd@debian.org> <CA+nfF6ZHatNLpff3zG0x1_9v+vWe_+Dcs16bk9Vx-mVmA8c-mA@mail.gmail.com> <e3104735-6310-4125-5b83-c83074e73e98@debian.org> <CAJFukoZExjxU1dGo1rZh3VkHG_O7oHLfk6CAx_vGcRgLTzWsHA@mail.gmail.com> <29d5d52c-b640-ce2f-c956-7961e38891d7@debian.org> <YfUHKQBU9OT0qtwe@eldamar.lan> <ccace2a8-2853-c6de-8697-3a959743bebb@debian.org> <CAJFukoaFPmJGwpMGCLW9n2MiGRAv0cEAs41i4=zk-e6mMAAT-w@mail.gmail.com> <707158ea-ab83-69c2-45e3-eacdf6c548d8@debian.org> <CAJFukoYVc6P09VEN9tM0yXQd0q7sWH=roorp5FdytD8s+GFbog@mail.gmail.com> <CAJFukobjnqtaYjtBO6FY=54ESD2fu0HxLr0V6OLzvWKZqtGo-w@mail.gmail.com> <[🔎] ba9f4d0a-86fc-3b75-6d2a-ec7303994274@debian.org> <[🔎] CAJFukobBLtk80i2Dr8eEjAWH-hVi_T0tZgAOYCd8ekHRP787Hw@mail.gmail.com> <164105986290.32321.15 379237310679263189.reportbug@zbuz.infomaniak.ch>

On 8/5/22 01:24, Tim Abbott wrote:

On Wed, Aug 3, 2022 at 12:22 AM Thomas Goirand <zigo@debian.org<mailto:zigo@debian.org>> wrote:


    Hi Tim,

    Please don't top-post, we don't do that in Debian, and also:


Apologies!

    FYI, I'm sad too, but there's nothing I can do but pinging again the
    stable release team about this. You hear me well: the stable release
    team. Not the security team since they do not want to do a security
    announcement and an update through stable-security (so it shall be done
    through a point release, dealing with the stable release team).

    This means writing to 1002956@bugs.debian.org
    <mailto:1002956@bugs.debian.org>. That's the only email
    address that has influence on accepting the fixed version. Feel free to
    ping that email address until you get a reply. I agree that no reply
    since the 29th of Jan is sad...

I still don't understand why the determination was made to not do asecurity announcement for this bug, given that it makes a Debian systemthat installs this package vulnerable to remote RCE without manualintervention.

What was discussed with the security team, is that the most commonpractice is to never expose a RabbitMQ cluster to the internet. Webelieve most server administrator know it (at least, that's the point ofview of the security team, but not necessarily mine...).

But given that determination was made, perhaps the best way I cancontribute is by making sure this bug thread links tohttps://blog.zulip.com/2022/01/25/zulip-server-4-9-security-release/#cve-2021-43799-remote-code-execution-vulnerability-involving-rabbitmq<https://blog.zulip.com/2022/01/25/zulip-server-4-9-security-release/#cve-2021-43799-remote-code-execution-vulnerability-involving-rabbitmq>,which has a bunch of public context about the impact of this bug, aswell as background explanation that may help release managers who don'tknow much about Erlang/RabbitMQ.

Convincing the stable release team that we must do an update by writingin this bug entry, is exactly what should be done, indeed.


Dear stable release team, can we have your opinion here?

Cheers,

Thomas Goirand (zigo)

Reply to:

References:
- Bug#1002956: Remote RCE in rabbitmq-server
  - From: Thomas Goirand <zigo@debian.org>
- Bug#1002956: Remote RCE in rabbitmq-server
  - From: Tim Abbott <tabbott@zulipchat.com>

Prev by Date: Bug#1016672: bullseye-pu: package grub2/2.06-3~deb11u1
Next by Date: Bug#1016198: buster-pu: package gif2apng/1.9+srconly-2+deb10u1
Previous by thread: Bug#1002956: Remote RCE in rabbitmq-server
Next by thread: Bug#1016576: transition: glibc 2.34
Index(es):
- Date
- Thread