Описание
Security update for rabbitmq-server
This update for rabbitmq-server fixes the following issues:
- CVE-2025-50200: prevented logging of Basic Auth header from HTTP requests (bsc#1245105)
- fixed a bad logrotate configuration that allowed escalation from rabbitmq to root, /var/log/rabbitmq ownership is now 750 (bsc#1246091)
Список пакетов
SUSE Linux Enterprise Module for Server Applications 15 SP6
erlang-rabbitmq-client-3.8.11-150300.3.22.2
rabbitmq-server-3.8.11-150300.3.22.2
rabbitmq-server-plugins-3.8.11-150300.3.22.2
SUSE Linux Enterprise Module for Server Applications 15 SP7
erlang-rabbitmq-client-3.8.11-150300.3.22.2
rabbitmq-server-3.8.11-150300.3.22.2
rabbitmq-server-plugins-3.8.11-150300.3.22.2
openSUSE Leap 15.6
erlang-rabbitmq-client-3.8.11-150300.3.22.2
rabbitmq-server-3.8.11-150300.3.22.2
rabbitmq-server-plugins-3.8.11-150300.3.22.2
Ссылки
- Link for SUSE-SU-2025:3809-1
- E-Mail link for SUSE-SU-2025:3809-1
- SUSE Security Ratings
- SUSE Bug 1245105
- SUSE Bug 1246091
- SUSE CVE CVE-2025-50200 page
Описание
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8.
Затронутые продукты
SUSE Linux Enterprise Module for Server Applications 15 SP6:erlang-rabbitmq-client-3.8.11-150300.3.22.2
SUSE Linux Enterprise Module for Server Applications 15 SP6:rabbitmq-server-3.8.11-150300.3.22.2
SUSE Linux Enterprise Module for Server Applications 15 SP6:rabbitmq-server-plugins-3.8.11-150300.3.22.2
SUSE Linux Enterprise Module for Server Applications 15 SP7:erlang-rabbitmq-client-3.8.11-150300.3.22.2
Ссылки
- CVE-2025-50200
- SUSE Bug 1245105