diff -Nru rabbitmq-server-3.5.7/debian/changelog rabbitmq-server-3.5.7/debian/changelog
--- rabbitmq-server-3.5.7/debian/changelog 2016-01-18 14:05:55.000000000 +0000
+++ rabbitmq-server-3.5.7/debian/changelog 2017-07-27 18:38:31.000000000 +0000
@@ -1,3 +1,22 @@
+rabbitmq-server (3.5.7-1ubuntu0.16.04.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: authentication bypass (LP: #1706900)
+ - debian/patches/CVE-2016-9877.patch: fix password check in
+ plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl, add test to
+ plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java,
+ fix URL in plugins-src/rabbitmq-mqtt/test/Makefile.
+ - CVE-2016-9877
+
+ -- Marc Deslauriers Thu, 27 Jul 2017 14:36:17 -0400
+
+rabbitmq-server (3.5.7-1ubuntu0.16.04.1) xenial; urgency=medium
+
+ * debian/patches/0001-Remove-custom-stderr-formatting.patch: [PATCH]
+ Remove custom stderr formatting. Thanks to Alexey Lebedeff
+ . Closes LP: #1634989.
+
+ -- Jon Grimm Tue, 28 Mar 2017 15:59:39 -0700
+
 rabbitmq-server (3.5.7-1) unstable; urgency=medium
 * New upstream release.
diff -Nru rabbitmq-server-3.5.7/debian/control rabbitmq-server-3.5.7/debian/control
--- rabbitmq-server-3.5.7/debian/control 2016-01-18 14:05:55.000000000 +0000
+++ rabbitmq-server-3.5.7/debian/control 2017-03-28 22:59:36.000000000 +0000
@@ -1,7 +1,8 @@
 Source: rabbitmq-server
 Section: net
 Priority: extra
-Maintainer: PKG OpenStack
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: PKG OpenStack
 Uploaders: James Page , Thomas Goirand
 Build-Depends: debhelper (>= 9~),
 dh-systemd (>= 1.5),
diff -Nru rabbitmq-server-3.5.7/debian/patches/0001-Remove-custom-stderr-formatting.patch rabbitmq-server-3.5.7/debian/patches/0001-Remove-custom-stderr-formatting.patch
--- rabbitmq-server-3.5.7/debian/patches/0001-Remove-custom-stderr-formatting.patch 1970-01-01 00:00:00.000000000 +0000
+++ rabbitmq-server-3.5.7/debian/patches/0001-Remove-custom-stderr-formatting.patch 2017-03-28 22:59:36.000000000 +0000
@@ -0,0 +1,43 @@
+From b5c84387e80a64b220414c7d58fb8162719c69f0 Mon Sep 17 00:00:00 2001
+From: Alexey Lebedeff
+Date: Fri, 12 Feb 2016 17:19:32 +0300
+Subject: [PATCH] Remove custom stderr formatting
+Bug-Ubuntu: https://launchpad.net/bugs/1634989
+
+Opening several ports for single fd is considered undefined behaviour in
+erlang. It's safe to replace this whole function with `io:format` when
+erlang 17 or later is used. Because writing to standard_error with
+io:format is synchronous - after this call has returned data was
+definitely sent to the port. And `erlang:halt/` guarantees that this
+data will be flushed afterwards.
+---
+ src/rabbit_misc.erl | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/src/rabbit_misc.erl b/src/rabbit_misc.erl
+index b744137..35e5c10 100644
+--- a/src/rabbit_misc.erl
++++ b/src/rabbit_misc.erl
+@@ -655,18 +655,7 @@ format_many(List) ->
+ lists:flatten([io_lib:format(F ++ "~n", A) || {F, A} <- List]).
+
+ format_stderr(Fmt, Args) ->
+- case os:type() of
+- {unix, _} ->
+- Port = open_port({fd, 0, 2}, [out]),
+- port_command(Port, io_lib:format(Fmt, Args)),
+- port_close(Port);
+- {win32, _} ->
+- %% stderr on Windows is buffered and I can't figure out a
+- %% way to trigger a fflush(stderr) in Erlang. So rather
+- %% than risk losing output we write to stdout instead,
+- %% which appears to be unbuffered.
+- io:format(Fmt, Args)
+- end,
++ io:format(standard_error, Fmt, Args),
+ ok.
+
+ unfold(Fun, Init) ->
+--
+2.10.2
+
diff -Nru rabbitmq-server-3.5.7/debian/patches/CVE-2016-9877.patch rabbitmq-server-3.5.7/debian/patches/CVE-2016-9877.patch
--- rabbitmq-server-3.5.7/debian/patches/CVE-2016-9877.patch 1970-01-01 00:00:00.000000000 +0000
+++ rabbitmq-server-3.5.7/debian/patches/CVE-2016-9877.patch 2017-07-27 18:36:06.000000000 +0000
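Review bot: The replacement `io:format(standard_error, Fmt, Args)` now writes to stderr on Windows as well, although the removed `{win32, _}` branch deliberately wrote to stdout because, per its own comment, stderr output there could be lost, and neither the new line nor the commit message says whether the `standard_error` io server avoids that problem. Whether it does cannot be told from this hunk; if it has been checked, a one-line comment above the call would save the next reader from re-deriving the argument the commit message makes, e.g. `%% OTP 17+: io:format/3 to standard_error returns only once the data has reached the port; erlang:halt/1 flushes it.` The callers of `format_stderr/2` and the rest of the module are outside the hunk, so the flush-before-halt claim is not verifiable here.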
@@ -0,0 +1,126 @@
+From 157948d86d391a325ac9702f78976c175ced58be Mon Sep 17 00:00:00 2001
+From: Daniil Fedotov
+Date: Mon, 5 Sep 2016 12:33:49 +0100
+Subject: [PATCH] Auth issue fix 039a3c22e57bf77b325d19494a9b20cd745f1ea7
+ backport
+
+---
+ src/rabbit_mqtt_processor.erl | 63 ++++++++++++++-------------
+ test/Makefile | 2 +-
+ test/src/com/rabbitmq/mqtt/test/MqttTest.java | 12 +++++
+ 3 files changed, 45 insertions(+), 32 deletions(-)
+
+diff --git a/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl b/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl
+index c84bb4a..83bb8fa 100644
+--- a/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl
++++ b/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl
+@@ -72,7 +72,13 @@ process_request(?CONNECT,
+ _ ->
+ case creds(Username, Password, SSLLoginName) of
+ nocreds ->
+- rabbit_log:error("MQTT login failed - no credentials~n"),
++ rabbit_log:error("MQTT login failed: no credentials provided~n"),
++ {?CONNACK_CREDENTIALS, PState};
++ {invalid_creds, {undefined, Pass}} when is_list(Pass) ->
++ rabbit_log:error("MQTT login failed: no user username is provided"),
++ {?CONNACK_CREDENTIALS, PState};
++ {invalid_creds, {User, undefined}} when is_list(User) ->
++ rabbit_log:error("MQTT login failed for ~p: no password provided", [User]),
+ {?CONNACK_CREDENTIALS, PState};
+ {UserBin, PassBin} ->
+ case process_login(UserBin, PassBin, ProtoVersion, PState) of
+@@ -373,36 +379,31 @@ creds(User, Pass, SSLLoginName) ->
+ DefaultPass = rabbit_mqtt_util:env(default_pass),
+ {ok, Anon} = application:get_env(?APP, allow_anonymous),
+ {ok, TLSAuth} = application:get_env(?APP, ssl_cert_login),
+- U = case {User =/= undefined,
+- is_binary(DefaultUser),
+- Anon =:= true,
+- (TLSAuth andalso SSLLoginName =/= none)} of
+- %% username provided
+- {true, _, _, _} -> list_to_binary(User);
+- %% anonymous, default user is configured, no TLS
+- {false, true, true, false} -> DefaultUser;
+- %% no username provided, TLS certificate is present,
+- %% rabbitmq_mqtt.ssl_cert_login is true
+- {false, _, _, true} -> SSLLoginName;
+- _ -> nocreds
+- end,
+- case U of
+- nocreds ->
+- nocreds;
+- _ ->
+- case {Pass =/= undefined,
+- is_binary(DefaultPass),
+- Anon =:= true,
+- TLSAuth} of
+- %% password provided
+- {true, _, _, _} -> {U, list_to_binary(Pass)};
+- %% password not provided, TLS certificate is present,
+- %% rabbitmq_mqtt.ssl_cert_login is true
+- {false, _, _, true} -> {U, none};
+- %% anonymous, default password is configured
+- {false, true, true, _} -> {U, DefaultPass};
+- _ -> {U, none}
+- end
++ HaveDefaultCreds = Anon =:= true andalso
++ is_binary(DefaultUser) andalso
++ is_binary(DefaultPass),
++
++ CredentialsProvided = User =/= undefined orelse
++ Pass =/= undefined,
++
++ CorrectCredentials = is_list(User) andalso
++ is_list(Pass),
++
++ SSLLoginProvided = TLSAuth =:= true andalso
++ SSLLoginName =/= none,
++
++ case {CredentialsProvided, CorrectCredentials, SSLLoginProvided, HaveDefaultCreds} of
++ %% Username and password take priority
++ {true, true, _, _} -> {list_to_binary(User),
++ list_to_binary(Pass)};
++ %% Either username or password is provided
++ {true, false, _, _} -> {invalid_creds, {User, Pass}};
++ %% rabbitmq_mqtt.ssl_cert_login is true. SSL user name provided.
++ %% Authenticating using username only.
++ {false, false, true, _} -> {SSLLoginName, none};
++ %% Anonymous connection uses default credentials
++ {false, false, false, true} -> {DefaultUser, DefaultPass};
++ _ -> nocreds
+ end.
+
+ supported_subs_qos(?QOS_0) -> ?QOS_0;
+diff --git a/plugins-src/rabbitmq-mqtt/test/Makefile b/plugins-src/rabbitmq-mqtt/test/Makefile
+index 190e740..9350fc0 100644
+--- a/plugins-src/rabbitmq-mqtt/test/Makefile
++++ b/plugins-src/rabbitmq-mqtt/test/Makefile
+@@ -1,4 +1,4 @@
+-UPSTREAM_GIT=https://git.eclipse.org/gitroot/paho/org.eclipse.paho.mqtt.java.git
++UPSTREAM_GIT=https://github.com/eclipse/paho.mqtt.java.git
+ REVISION=00b5b2f99ae8410b7d96d106e080a092c5f92546
+
+ JC=javac
+diff --git a/plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java b/plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java
+index 01f1d07..839726b 100644
+--- a/plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java
++++ b/plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java
+@@ -222,6 +222,18 @@ public void testInvalidPassword() throws MqttException {
+ }
+ }
+
++ public void testEmptyPassword() throws MqttException {
++ MqttClient c = new MqttClient(brokerUrl, clientId, null);
++ MqttConnectOptions opts = new MyConnOpts();
++ opts.setUserName("guest");
++ opts.setPassword(null);
++ try {
++ c.connect(opts);
++ fail("Authentication failure expected");
++ } catch (MqttException ex) {
++ Assert.assertEquals(MqttException.REASON_CODE_FAILED_AUTHENTICATION, ex.getReasonCode());
++ }
++ }
+
+ public void testSubscribeQos0() throws MqttException, InterruptedException {
+ client.connect(conOpt);
diff -Nru rabbitmq-server-3.5.7/debian/patches/series rabbitmq-server-3.5.7/debian/patches/series
--- rabbitmq-server-3.5.7/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ rabbitmq-server-3.5.7/debian/patches/series 2017-07-27 18:34:42.000000000 +0000
@@ -0,0 +1,2 @@
+0001-Remove-custom-stderr-formatting.patch
+CVE-2016-9877.patch
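Review bot: The two `invalid_creds` clauses added to `process_request` are guarded with `is_list/1`, and a `{invalid_creds, {User, Pass}}` tuple that satisfies neither guard falls through to the unguarded `{UserBin, PassBin}` clause, which would call `process_login/4` with the atom `invalid_creds` as the user and `{User, Pass}` as the password; whether the frame parser can hand `creds/3` a value that is neither `undefined` nor a list is not visible here, but since this patch exists to close a fall-through of exactly this kind, a closing `{invalid_creds, _} -> {?CONNACK_CREDENTIALS, PState};` clause placed before `{UserBin, PassBin}` would make the reject path total at no cost. The second and third new log calls drop the `~n` the first one carries, and the second reads `no user username is provided`; `rabbit_log:error("MQTT login failed: no username provided~n")` fixes both. `testEmptyPassword` calls `opts.setPassword(null)`, so it exercises the missing-password case the `{User, undefined}` clause handles rather than a zero-length password, which arrives as a list and therefore reaches `process_login/4` as `<<>>`; a second test passing an empty char array (presumably `"".toCharArray()` with this client) would pin that path as well. Both the `process_request` clause and `creds/3` begin before their hunks, so the remaining clauses of each are not reviewable here.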