RabbitMQ is an implementation of AMQP, the emerging standard for high performance enterprise messaging. The RabbitMQ server is a robust and scalable implementation of an AMQP broker.

A cross-site scripting vulnerability was discovered in RabbitMQ: path info supplied under api/ was reflected back to the client unescaped. A remote attacker could use this flaw to craft an “/api/…” URL that forced a server error, causing the server to return an HTML page with the text from the URL embedded in it, not escaped. (CVE-2014-9649)

A response-splitting vulnerability was discovered in RabbitMQ. An /api/definitions URL could be specified which caused an arbitrary additional header to be returned. A remote attacker could use this flaw to inject arbitrary HTTP headers and possibly gain access to secure data. (CVE-2014-9650)

This update also fixes the following bug:

* Previously, if the rabbit_mirror_queue_master did not return when using HA and ‘auto_delete’ queues, the RabbitMQ server blocked channels during termination. These channels would then have no associated connections and were displayed as ‘unknown’. This issue has been resolved. (BZ#1303747)

All rabbitmq-server users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
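The two web-layer defects named above, reflecting request text into an HTML error page without escaping and writing user-influenced text into a response header without validation, are general patterns rather than RabbitMQ-specific ones. The following is an added Python example, not RabbitMQ's own (Erlang) code and not taken from the fix, showing each pattern beside the check that closes it, plus a small helper that shows how many header lines an HTTP parser would actually see. The handler shapes, the header and route names, and the sample inputs are all constructed for the illustration.

```python
import html
import re

# CR or LF inside a header name or value would end that header line and let
# the remainder be parsed as a further header (the response-splitting pattern).
_CRLF = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised when user-influenced text would break out of a single header line."""


def unsafe_error_page(path: str) -> str:
    """Error page that echoes the request path verbatim (the unescaped-reflection pattern)."""
    return f"<html><body><h1>Error</h1><p>No handler for {path}</p></body></html>"


def safe_error_page(path: str) -> str:
    """Same page with the path HTML-escaped, so it can only ever render as text."""
    return (
        "<html><body><h1>Error</h1><p>No handler for "
        f"{html.escape(path, quote=True)}</p></body></html>"
    )


def header_is_safe(name: str, value: str) -> bool:
    """True when neither the name nor the value contains a line terminator."""
    return not (_CRLF.search(name) or _CRLF.search(value))


def unsafe_header(name: str, value: str) -> str:
    """Formats a header line with no validation at all."""
    return f"{name}: {value}\r\n"


def safe_header(name: str, value: str) -> str:
    """Refuses any name or value containing CR/LF before it reaches the wire."""
    if not header_is_safe(name, value):
        raise HeaderInjectionError(f"CR/LF in header {name!r}")
    return f"{name}: {value}\r\n"


def build_response(status: str, header_lines: list, body: str) -> bytes:
    """Serialises a minimal HTTP/1.1 response from already-formatted header lines."""
    head = f"HTTP/1.1 {status}\r\n" + "".join(header_lines) + "\r\n"
    return head.encode("latin-1") + body.encode("utf-8")


def header_names(raw: bytes) -> list:
    """Detection helper: the header names a client-side HTTP parser would see in raw."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the status line
    return [ln.split(b":", 1)[0].decode("latin-1") for ln in lines if b":" in ln]


# Constructed sample inputs; hypothetical header name, not from the advisory.
SAMPLE_PATH = "/api/<em>not-text</em>"
SPLIT_VALUE = "q\r\nX-Injected: 1"

if __name__ == "__main__":
    print(unsafe_error_page(SAMPLE_PATH))
    print(safe_error_page(SAMPLE_PATH))
    raw = build_response("200 OK", [unsafe_header("X-Query", SPLIT_VALUE)], "")
    print("headers seen without validation:", header_names(raw))
    print("header accepted by validator:", header_is_safe("X-Query", SPLIT_VALUE))
```

Rejecting CR/LF at the point where a header is assembled is the check that matters; most mature HTTP libraries already do this, so the practical lesson for a reviewer is to confirm that every header value derived from a request (redirect targets, content-disposition filenames, echoed parameters) passes through the library's setter rather than being concatenated into the raw response.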
rhn.redhat.com/errata/RHSA-2016-0308.html
www.openwall.com/lists/oss-security/2015/01/21/13
www.rabbitmq.com/release-notes/README-3.4.1.txt
www.securityfocus.com/bid/76091
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1303747
groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs