(RHSA-2016:0308) Moderate: rabbitmq-server security and bugfix update

2016-02-29 04:59:13
access.redhat.com
EPSS: 0.004 (percentile 73.7%)

RabbitMQ is an implementation of AMQP, the emerging standard for high
performance enterprise messaging. The RabbitMQ server is a robust and
scalable implementation of an AMQP broker.

A cross-site scripting vulnerability was discovered in RabbitMQ: the api/
path info could be used to inject data that the server then reflected back.
A remote attacker could use this flaw to craft an “/api/…” URL that forces
a server error, causing the server to return an HTML page with text from
the URL embedded unescaped. (CVE-2014-9649)

A response-splitting vulnerability was discovered in RabbitMQ. An
/api/definitions URL could be specified, which then caused an arbitrary
additional header to be returned. A remote attacker could use this flaw
to inject arbitrary HTTP headers and possibly gain access to secure data.
(CVE-2014-9650)
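As an added illustration of the two defect classes described above (this is not RabbitMQ's code; the function names, the `filename` parameter and the sample inputs are constructed), each weak form is shown beside a hardened one: the error page escapes request-derived text before embedding it in markup, and the header builder refuses CR/LF in any value taken from the request.

```python
"""Constructed example: reflected XSS in an error page and HTTP response
splitting via a request-controlled header value, each with its fix."""
import html
import re


def error_page_vulnerable(path: str) -> str:
    """Weak form: the requested path is interpolated into HTML verbatim."""
    return f"<html><body>Not found: {path}</body></html>"


def error_page_fixed(path: str) -> str:
    """Hardened form: HTML-escape request-derived text before embedding it."""
    return f"<html><body>Not found: {html.escape(path, quote=True)}</body></html>"


def build_headers_vulnerable(filename: str) -> bytes:
    """Weak form: a request-controlled value lands in a header unvalidated,
    so a value containing CR LF terminates the header and starts a new one."""
    return (
        "Content-Type: application/json\r\n"
        f"Content-Disposition: attachment; filename=\"{filename}\"\r\n\r\n"
    ).encode()


class BadHeaderValue(ValueError):
    """Raised when a header value contains CR, LF or NUL."""


_CTL = re.compile(r"[\r\n\x00]")


def build_headers_fixed(filename: str) -> bytes:
    """Hardened form: reject control characters, then quote the value."""
    if _CTL.search(filename):
        raise BadHeaderValue("CR/LF or NUL in header value")
    quoted = filename.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "Content-Type: application/json\r\n"
        f"Content-Disposition: attachment; filename=\"{quoted}\"\r\n\r\n"
    ).encode()


def header_count(raw: bytes) -> int:
    """Count header lines in a raw response head; more than the two we
    emit means a header was injected through the filename value."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n"))
```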

This update also fixes the following bug:

  • Previously, if the rabbit_mirror_queue_master did not return when using
    HA and ‘auto_delete’ queues, the RabbitMQ server blocked channels during
    termination. These channels would then have no associated connections and
    were displayed as ‘unknown’. This issue has been resolved. (BZ#1303747)

All rabbitmq-server users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.