Hello again,

On Thu, Dec 12, 2024 at 06:42:47PM +0100, Florian Ernst wrote:
> By its very nature (cf. the detailed description as linked above), this
> vulnerability cannot be fixed with a drop-in replacement while keeping
> the current user interface: if credentials have been entered on the
> command line, they will remain visible to other local users on the same
> system unless special precautions are taken.
>
> For that reason I have refrained from backporting the upstream patch to
> Bookworm so far, because applying that patch would not fix those systems
> where people have already configured / keep using amqp tools in that
> way. Instead people would also need to individually fix their setups to
> use the new command line option that the upstream patch adds.
>
> Changing interfaces in a stable release needs to be done with great
> care. Given that this vulnerability is actually only of minor
> importance, there was no pressing need to do so.
I have decided to provide an update for Bookworm after all. The reasoning can be found in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089984 and it is up to the Debian Stable Release Managers now to decide whether (and when, if at all) this will be accepted for Bookworm.

In the meantime, for those actually affected by this vulnerability, you can find updated packages in https://people.debian.org/~florian/librabbitmq/ for manual downloading and testing, at your own risk.

But remember, just updating the package does not remove the actual vulnerability if you were indeed affected, i.e. if you have indeed provided credentials on the command line. You will need to change your setup to make use of the newly available authfile option instead. Without doing so, you will just hide the vulnerability from the usual vulnerability scanners but not fix it, making the situation actually worse than before.

HTH,
Flo
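The message above makes two points an administrator has to act on: a package update alone does not help while credentials are still passed on the command line (where any local user can read them from the process list), and the setup has to be moved to the authfile option. The following audit helper is an added example, not code from Florian's message, from the Debian package or from the librabbitmq/amqp-tools upstream. It assumes a Linux system (it reads /proc/PID/cmdline), that credentials would appear either as a `--password` argument or embedded in an `amqp://user:pass@host` URL, and that the new option is spelled `--authfile`; those spellings are assumptions, not taken from the message. The sample command lines in the test are constructed.

```shell
#!/bin/sh
# Constructed audit helper for the amqp-tools credential-on-command-line issue.
# Not part of amqp-tools or the Debian package; flag names below are assumed.

# Assumed ways credentials show up on a command line:
#   --password=SECRET / --password SECRET, or amqp://USER:SECRET@HOST in a URL.
SECRET_PATTERN='--password|amqp://[^/@[:space:]]*:[^/@[:space:]]*@'

# Return 0 if the command line (one string, arguments separated by spaces)
# carries credentials visibly, 1 otherwise.
cmdline_exposes_credentials() {
    printf '%s\n' "$1" | grep -Eq -- "$SECRET_PATTERN"
}

# Print the command line with secret values replaced by *** so that the audit
# report itself does not leak what it found.
redact_cmdline() {
    printf '%s\n' "$1" | sed -E \
        -e 's/(--password[= ])[^[:space:]]+/\1***/g' \
        -e 's#(amqp://[^/:@[:space:]]*:)[^/@[:space:]]*@#\1***@#g'
}

# Return 0 if FILE is readable by its owner only (no group/other bits),
# which is what a file holding credentials should look like.
authfile_is_private() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# Walk the live process list and report amqp-* invocations that still carry
# credentials on the command line; those need to be moved to an authfile
# (assumed option: --authfile=FILE) before the update makes any difference.
audit_running_processes() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        line=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        [ -n "$line" ] || continue
        case "$line" in
            *amqp-*) ;;          # only look at amqp-tools binaries
            *) continue ;;
        esac
        if cmdline_exposes_credentials "$line"; then
            pid=${f#/proc/}; pid=${pid%/cmdline}
            printf 'pid %s passes credentials on the command line: %s\n' \
                "$pid" "$(redact_cmdline "$line")"
        fi
    done
}

# Run the live scan only when explicitly asked, e.g. `sh audit.sh --scan`.
if [ "${1:-}" = "--scan" ]; then
    audit_running_processes
fi
```

A finding from this scan means the affected job or cron entry still has to be rewritten to read its credentials from a file with mode 0600, which `authfile_is_private` checks; simply installing the updated package leaves such a process exactly as exposed as before.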