Format: 1.8
Date: Thu, 21 Aug 2025 16:06:08 +0200
Source: rabbitmq-server
Architecture: source
Version: 4.0.5-6+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack
Changed-By: Thomas Goirand
Closes: 1108075
Changes:
 rabbitmq-server (4.0.5-6+deb13u2) trixie; urgency=medium
 .
   * CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
     authorization headers in plaintext encoded in base64. When querying
     RabbitMQ api with HTTP/s with basic authentication it creates logs with
     all headers in request, including authorization headers which show
     base64 encoded username:password. This is easy to decode and afterwards
     could be used to obtain control to the system depending on credentials.
     Added upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
     (Closes: #1108075)
Files:
 2990 net optional rabbitmq-server_4.0.5-6+deb13u2.dsc
 36524 net optional rabbitmq-server_4.0.5-6+deb13u2.debian.tar.xz
 8109 net optional rabbitmq-server_4.0.5-6+deb13u2_amd64.buildinfo
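
A defender's check for the exposure described in the changelog entry, as an added example that is not part of the original upload notice or of RabbitMQ's code: it scans log lines for `Authorization: Basic` values, redacts the ones that decode to `user:password`, and lists the usernames whose credentials should be rotated. The log lines, host name and credentials are constructed samples and do not reproduce RabbitMQ's actual log format.

```python
import base64
import binascii
import re

# "authorization", up to 16 separator characters, then the Basic scheme and
# its base64 token. Case-insensitive, so it covers "Authorization: Basic ..."
# as well as quoted or map-style header dumps.
BASIC_RE = re.compile(
    r"(authorization\W{1,16}basic\s+)([A-Za-z0-9+/]+={0,2})", re.IGNORECASE
)

def decode_basic(token):
    """Return the username if token is base64 of 'user:password', else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = text.partition(":")
    return user if sep and user else None

def scrub(lines):
    """Redact Basic credentials; return (clean_lines, usernames_to_rotate)."""
    exposed = set()

    def _redact(match):
        user = decode_basic(match.group(2))
        if user is None:
            return match.group(0)  # not a decodable credential: leave as is
        exposed.add(user)
        return match.group(1) + "[REDACTED]"

    clean = [BASIC_RE.sub(_redact, line) for line in lines]
    return clean, sorted(exposed)

# Constructed sample input (assumed layout, for illustration only).
TOKEN = base64.b64encode(b"monitor:constructed-password").decode()
SAMPLE_LOG = [
    f'2025-08-21 10:00:01 [error] crash, headers: #{{<<"authorization">> => '
    f'<<"Basic {TOKEN}">>, <<"host">> => <<"mq.example.test:15672">>}}',
    "2025-08-21 10:00:02 [info] GET /api/overview 200",
    "2025-08-21 10:00:03 [error] headers: Authorization: Basic AAAA",
]

if __name__ == "__main__":
    cleaned, users = scrub(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("rotate credentials for:", users)
```

Redacting the stored logs does not undo the exposure: any account listed by `scrub` should have its password changed, since the logs may already have been copied or shipped to a central collector.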