File _patchinfo of Package patchinfo.34194

<patchinfo incident="34194">
  <issue tracker="bnc" id="1222591">rabbitmqctl command for add_user is broken</issue>
  <issue tracker="bnc" id="1205267">VUL-0: CVE-2022-31008: rabbitmq-server: rabbitmq-server: URI encryption with predictable secret seed</issue>
  <issue tracker="bnc" id="1187818">VUL-1: CVE-2021-32718: rabbitmq-server: improper neutralization of script-related HTML tags in a web page (basic XSS) in management UI</issue>
  <issue tracker="bnc" id="1181400">AUDIT-TASK: Evaluate systemd hardenings and get more services to use them</issue>
  <issue tracker="bnc" id="1186203">VUL-0: CVE-2021-22116: rabbitmq-server: improper input validation may lead to DoS</issue>
  <issue tracker="bnc" id="1199431">RabbitMQ maintenance status issue</issue>
  <issue tracker="bnc" id="1219532">[Build 20240202] openQA test fails in rabbitmq</issue>
  <issue tracker="bnc" id="1187819">VUL-0: CVE-2021-32719: rabbitmq-server: improper neutralization of script-related HTML tags in a web page (basic XSS) in federation management plugin</issue>
  <issue tracker="bnc" id="1185075">/var/run in /usr/lib/tmpfiles.d/rabbitmq-server.conf is deprecated, please use /run instead</issue>
  <issue tracker="bnc" id="1216582">VUL-0: CVE-2023-46118: rabbitmq-server: HTTP API did not enforce an HTTP request body limit</issue>
  <issue tracker="cve" id="2021-32719"/>
  <issue tracker="cve" id="2021-22116"/>
  <issue tracker="cve" id="2021-32718"/>
  <issue tracker="cve" id="2022-31008"/>
  <issue tracker="cve" id="2023-46118"/>
  <issue tracker="jsc" id="PED-8414"/>
  <packager>simotek</packager>
  <rating>important</rating>
  <category>feature</category>
  <summary>Feature update for rabbitmq-server313, erlang26, elixir115</summary>
  <description>This update for rabbitmq-server313, erlang26, elixir115 fixes the following issues:

rabbitmq-server was implemented with a parallel versioned RPM package at version 3.13.1 (jsc#PED-8414):
    
- Security issues fixed:

  * CVE-2021-22116: Fixed improper input validation that may lead to Denial of Service (DoS) attacks (bsc#1186203)
  * CVE-2021-32718, CVE-2021-32719: Fixed potential for JavaScript code execution in the management UI 
    (bsc#1187818, bsc#1187819)
  * CVE-2022-31008: Fixed the encryption key used to encrypt the URI being seeded with a predictable secret (bsc#1205267)
  * CVE-2023-46118: Fixed HTTP API vulnerability to denial of service (DoS) attacks with very large messages
    (bsc#1216582)
    
- Other bugs fixed:

  * Fixed RabbitMQ maintenance status issue (bsc#1199431)
  * Provide user/group for RPM 4.19 (bsc#1219532)
  * Fixed `rabbitmqctl` command for `add_user` (bsc#1222591)
  * Added hardening to systemd service(s) (bsc#1181400)
  * Use /run instead of deprecated /var/run in tmpfiles.conf (bsc#1185075)

- For the full list of upstream changes of this update between version 3.8.11 and 3.13.1 please consult:
  
  * https://www.rabbitmq.com/release-information
    
erlang26:

- Provide RPM package as it's a dependency of rabbitmq-server313 (jsc#PED-8414)

elixir115:
    
- Provide RPM package as needed in some cases by rabbitmq-server313 (jsc#PED-8414)

</description>
</patchinfo>