CVE-2016-9877

Priority
High
Description
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12,
and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection
authentication with a username/password pair succeeds if an existing
username is provided but the password is omitted from the connection
request. Connections that use TLS with a client-provided certificate are
not affected.
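
The condition described above, as an added example (not code from RabbitMQ or from this tracker): a parser for MQTT 3.1/3.1.1 CONNECT packets that reports when a username arrives with the password flag clear, for use on captured traffic. The function names and the two sample packets are constructed for illustration.

```python
import struct

# Constructed sample CONNECT packets (MQTT 3.1.1, client id "c1", user "alice").
NO_PASSWORD = bytes.fromhex("101500044d5154540482003c000263310005616c696365")
WITH_PASSWORD = bytes.fromhex("101900044d51545404c2003c000263310005616c69636500027077")

def _remaining_length(buf, pos):
    """Decode the variable-length 'remaining length'; return (value, next_pos)."""
    value = 0
    for shift in (0, 7, 14, 21):  # the field is at most four bytes long
        if pos >= len(buf):
            raise ValueError("truncated remaining-length field")
        value |= (buf[pos] & 0x7F) << shift
        pos += 1
        if not buf[pos - 1] & 0x80:
            return value, pos
    raise ValueError("remaining length longer than four bytes")

def _field(buf, pos):
    """Read one field with a 2-byte big-endian length prefix."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def inspect_connect(packet):
    """Report which credentials one MQTT CONNECT packet carries."""
    if not packet or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    _proto, pos = _field(body, 0)  # "MQTT" (3.1.1) or "MQIsdp" (3.1)
    if pos + 4 > len(body):
        raise ValueError("truncated variable header")
    flags = body[pos + 1]          # follows the protocol-level byte
    pos += 4                       # level, flags, 2-byte keep-alive
    _client_id, pos = _field(body, pos)
    if flags & 0x04:               # will flag set: skip will topic and message
        _, pos = _field(body, pos)
        _, pos = _field(body, pos)
    username = _field(body, pos) if flags & 0x80 else (None, pos)
    password = _field(body, username[1])[0] if flags & 0x40 else None
    return {"username": username[0],
            "password_present": password is not None,
            "username_without_password": username[0] is not None and password is None}
```

MQTT 3.1.1 permits a CONNECT with a username and no password, so `username_without_password` is an indicator to correlate with successful logins on brokers older than the fixed versions listed here, not proof of abuse by itself.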
Package
Upstream: released (3.5.8, 3.6.6)
Ubuntu 17.10 (Artful Aardvark): not-affected (3.6.6-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): released (3.2.4-1ubuntu0.1)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.7-1ubuntu0.16.04.2)
Ubuntu 17.04 (Zesty Zapus): not-affected (3.6.6-1)
Patches:
Upstream: https://github.com/rabbitmq/rabbitmq-mqtt/commit/039a3c22e57bf77b325d19494a9b20cd745f1ea7 (3.7.0)
Upstream: https://github.com/rabbitmq/rabbitmq-mqtt/commit/157948d86d391a325ac9702f78976c175ced58be (3.5.8)

Updated: 2017-08-11 23:55:32 UTC (commit 13081)