Security update for rabbitmq-server SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0306-1 Final 1 1 2017-01-27T17:27:01Z current 2017-01-27T17:27:01Z 2017-01-27T17:27:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rabbitmq-server This update for rabbitmq-server fixes the following issue: - CVE-2016-9877: An issue in Pivotal RabbitMQ caused connection authentication with a username/password pair to succeed if an existing username was provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate were not affected (bsc#1017642). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00064.html E-Mail link for openSUSE-SU-2017:0306-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 erlang-rabbitmq-client-3.5.8-3.2 rabbitmq-server-3.5.8-3.2 rabbitmq-server-plugins-3.5.8-3.2 erlang-rabbitmq-client-3.5.8-3.2 as a component of openSUSE Leap 42.2 rabbitmq-server-3.5.8-3.2 as a component of openSUSE Leap 42.2 rabbitmq-server-plugins-3.5.8-3.2 as a component of openSUSE Leap 42.2 An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected. CVE-2016-9877 openSUSE Leap 42.2:erlang-rabbitmq-client-3.5.8-3.2 openSUSE Leap 42.2:rabbitmq-server-3.5.8-3.2 openSUSE Leap 42.2:rabbitmq-server-plugins-3.5.8-3.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00064.html https://www.suse.com/security/cve/CVE-2016-9877.html CVE-2016-9877 https://bugzilla.suse.com/1017642 SUSE Bug 1017642