MGASA-2015-0240

Source
https://advisories.mageia.org/MGASA-2015-0240.html
Import Source
https://advisories.mageia.org/MGASA-2015-0240.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2015-0240
Published
2015-06-08T21:17:51Z
Modified
2026-02-04T02:18:52.163568Z
Summary
Updated rabbitmq-server packages fix security vulnerabilities
Details

Updated rabbitmq-server package fixes security vulnerabilities:

RabbitMQ before 3.4.1 does not prevent /api/* from returning text/html error messages, which could act as an XSS vector (CVE-2014-9649).

RabbitMQ before 3.4.1 has a response-splitting vulnerability in /api/downloads (CVE-2014-9650).

In RabbitMQ before 3.4.3, some user-controllable content was not properly HTML-escaped before being presented to a user in the management web UI. An attacker could publish a specially crafted message, policy name, or client version to execute arbitrary JavaScript code on behalf of a user who was viewing messages, policies, or connected clients in the management UI. In all cases, the attacker needs a valid user account on the targeted RabbitMQ cluster (CVE-2015-0862).

The rabbitmq-server package has been updated to version 3.5.3, fixing these issues and several other bugs.


Affected packages

Mageia:4 / rabbitmq-server

Package

Name
rabbitmq-server
Purl
pkg:rpm/mageia/rabbitmq-server?arch=source&distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.5.3-1.mga4

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2015-0240.json"