CVE-2016-9877

Priority
Description
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12,
and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection
authentication with a username/password pair succeeds if an existing
username is provided but the password is omitted from the connection
request. Connections that use TLS with a client-provided certificate are
not affected.
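A detection-side check for the condition described above, as an added example that is not part of this advisory or of RabbitMQ's code. It assumes that "password is omitted" appears on the wire as an MQTT CONNECT packet whose user name flag is set and whose password flag is clear (the MQTT 3.1.1 CONNECT layout); `inspect_connect`, `_field` and the sample packets are hypothetical names and constructed data, and the input is taken to be unencrypted CONNECT bytes from a capture or proxy.

```python
import struct

# Constructed sample CONNECT packets (MQTT 3.1.1, client id "c1", user "guest").
SAMPLE_NO_PASSWORD = bytes.fromhex("101500044d5154540482003c0002633100056775657374")
SAMPLE_WITH_PASSWORD = bytes.fromhex(
    "101900044d51545404c2003c000263310005677565737400027077")

def _field(buf, pos):
    """Read one 2-byte length-prefixed field; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def inspect_connect(packet):
    """Parse an MQTT CONNECT packet and report which credentials it carries."""
    if not packet or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    pos, remaining, shift = 1, 0, 0
    while True:  # Remaining Length: variable-length integer, at most 4 bytes
        if pos >= len(packet) or shift > 21:
            raise ValueError("bad remaining length")
        byte = packet[pos]
        pos += 1
        remaining |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    _proto, p = _field(body, 0)          # protocol name, e.g. b"MQTT"
    if p + 4 > len(body):
        raise ValueError("truncated variable header")
    flags = body[p + 1]                  # connect flags follow the protocol level
    p += 4                               # skip level, flags, 2-byte keep-alive
    client_id, p = _field(body, p)
    if flags & 0x04:                     # will flag: skip will topic and message
        _, p = _field(body, p)
        _, p = _field(body, p)
    username = password = None
    if flags & 0x80:                     # user name flag
        username, p = _field(body, p)
    if flags & 0x40:                     # password flag
        password, p = _field(body, p)
    return {"client_id": client_id.decode("utf-8", "replace"),
            "username": username.decode("utf-8", "replace") if username is not None else None,
            "has_password": password is not None,
            # Assumed wire form of this CVE's condition: user name, no password.
            "username_without_password": username is not None and password is None}
```

On a broker still running an affected version, a CONNECT for which `username_without_password` is true is the one worth alerting on or rejecting upstream.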
Notes
Package
Upstream: released (3.5.8, 3.6.6)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [3.2.4-1ubuntu0.1])
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.7-1ubuntu0.16.04.2)
Patches:
Upstream: https://github.com/rabbitmq/rabbitmq-mqtt/commit/039a3c22e57bf77b325d19494a9b20cd745f1ea7 (3.7.0)
Upstream: https://github.com/rabbitmq/rabbitmq-mqtt/commit/157948d86d391a325ac9702f78976c175ced58be (3.5.8)

Updated: 2020-03-18 22:47:15 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)