Date: Tue, 27 Jan 2015 11:33:28 -0500 (EST) From: cve-assign@...re.org To: Marc Deslauriers <marc.deslauriers@...onical.com> cc: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Re: CVE Request: XSS and response-splitting bugs in rabbitmq management plugin > Hello, > > The following issues were fixed in RabbitMQ 3.4.1: > > (as described in > https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs ) > > 26437 prevent /api/* from returning text/html error messages which could > act as an XSS vector (since 2.1.0) Use CVE-2014-9649. > 26433 fix response-splitting vulnerability in /api/downloads > (since 2.1.0) Use CVE-2014-9650. > Bug 26437 allowed an attacker to create a URL to "/api/..." which would > provoke an internal server error, resulting in the server returning an > html page with text from the URL embedded and not escaped. This was > fixed by ensuring all URLs below /api/ only ever return responses with a > content type of application/json, even in the case of an internal server > error. > > Bug 26433 allowed an attacker to specify a URL to /api/definitions which > would cause an arbitrary additional header to be returned. This was > fixed by stripping out CR/LF from the "download" query string parameter. > > > Fixed by: > https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad > > Could CVEs please be assigned to these issue? > > Thanks, > > Marc. > > -- > Marc Deslauriers > Ubuntu Security Engineer | http://www.ubuntu.com/ > Canonical Ltd. | http://www.canonical.com/ --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ