Date: Tue, 27 Jan 2015 11:33:28 -0500 (EST) From: cve-assign@...re.org To: Marc Deslauriers <marc.deslauriers@...onical.com> cc: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Re: CVE Request: XSS and response-splitting bugs in rabbitmq management plugin > Hello, > > The following issues were fixed in RabbitMQ 3.4.1: > > (as described in > https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs ) > > 26437 prevent /api/* from returning text/html error messages which could > act as an XSS vector (since 2.1.0) Use CVE-2014-9649. > 26433 fix response-splitting vulnerability in /api/downloads > (since 2.1.0) Use CVE-2014-9650. > Bug 26437 allowed an attacker to create a URL to "/api/..." which would > provoke an internal server error, resulting in the server returning an > html page with text from the URL embedded and not escaped. This was > fixed by ensuring all URLs below /api/ only ever return responses with a > content type of application/json, even in the case of an internal server > error. > > Bug 26433 allowed an attacker to specify a URL to /api/definitions which > would cause an arbitrary additional header to be returned. This was > fixed by stripping out CR/LF from the "download" query string parameter. > > > Fixed by: > https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad > > Could CVEs please be assigned to these issue? > > Thanks, > > Marc. > > -- > Marc Deslauriers > Ubuntu Security Engineer | http://www.ubuntu.com/ > Canonical Ltd. | http://www.canonical.com/ --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.