CVE-2016-9877 (retired)

Priority
Description
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12,
and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection
authentication with a username/password pair succeeds if an existing
username is provided but the password is omitted from the connection
request. Connections that use TLS with a client-provided certificate are
not affected.
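As an added example (not code from RabbitMQ or from this tracker entry), the Python below parses an MQTT 3.1/3.1.1 CONNECT packet and reports the condition described above: a user name supplied while the Password flag is unset. It can be run over captured CONNECT packets to find clients that connect this way. The function names and the sample packets (client id `c1`, user `guest`) are constructed for illustration.

```python
def _field(buf, pos):
    """Read one length-prefixed MQTT field; return (bytes, next_pos)."""
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 > len(buf) or end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def inspect_connect(packet):
    """Parse an MQTT 3.1/3.1.1 CONNECT and report how it authenticates."""
    if len(packet) < 2 or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, shift, pos = 0, 0, 1
    while True:                                   # variable-length Remaining Length
        if pos >= len(packet) or shift > 21:
            raise ValueError("bad remaining length")
        byte, pos = packet[pos], pos + 1
        length |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    _proto, p = _field(body, 0)                   # "MQTT" or "MQIsdp"
    if p + 4 > len(body) or body[p] not in (3, 4):
        raise ValueError("unsupported protocol level")
    flags = body[p + 1]
    _client_id, p = _field(body, p + 4)           # skip level, flags, keep-alive
    for _ in range(2 if flags & 0x04 else 0):     # Will topic and Will message
        _, p = _field(body, p)
    username = password = None
    if flags & 0x80:                              # User Name flag
        username, p = _field(body, p)
    if flags & 0x40:                              # Password flag
        password, p = _field(body, p)
    name = username.decode("utf-8", "replace") if username is not None else None
    return {"username": name, "password_present": password is not None,
            "username_without_password": username is not None and password is None}

def sample_connect(username, password=None):
    """Constructed MQTT 3.1.1 CONNECT for the demo (client id 'c1', keep-alive 60)."""
    f = lambda b: len(b).to_bytes(2, "big") + b
    flags = 0x82 | (0x40 if password is not None else 0)   # user name + clean session
    body = f(b"MQTT") + bytes([4, flags, 0, 60]) + f(b"c1") + f(username)
    body += f(password) if password is not None else b""
    return bytes([0x10, len(body)]) + body        # body < 128 bytes: one length byte

if __name__ == "__main__":
    print([inspect_connect(sample_connect(b"guest", pw)) for pw in (b"secret", None)])
```

The MQTT 3.1.1 specification permits a user name without a password, so on a fixed broker such a connection is simply evaluated by the configured authentication backend; on the affected versions listed above it identifies connections that would have been accepted without a password check.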
Notes
Package
Upstream: released (3.5.8, 3.6.6)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.7-1ubuntu0.16.04.2)
Patches:
Upstream: https://github.com/rabbitmq/rabbitmq-mqtt/commit/039a3c22e57bf77b325d19494a9b20cd745f1ea7 (3.7.0)
Upstream: https://github.com/rabbitmq/rabbitmq-mqtt/commit/157948d86d391a325ac9702f78976c175ced58be (3.5.8)

Updated: 2019-10-09 07:57:56 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)