File: 3.7.28.md

package info (click to toggle)
rabbitmq-server 4.0.5-6
  • links: PTS, VCS
  • area: main
  • in suites: sid, trixie
  • size: 37,948 kB
  • sloc: erlang: 257,835; javascript: 22,466; sh: 2,796; makefile: 2,517; python: 1,966; xml: 646; cs: 335; java: 244; ruby: 212; php: 100; perl: 63; awk: 13
file content (64 lines) | stat: -rw-r--r-- 2,993 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
## RabbitMQ 3.7.28

RabbitMQ `3.7.28` is a security patch release.


RabbitMQ `3.7.x` series are out of general support and covered by the [limited extended support policy](https://www.rabbitmq.com/versions.html)
through October 1st, 2020.
Please consider [upgrading](https://www.rabbitmq.com/upgrade.html) to [RabbitMQ `3.8.x`](https://www.rabbitmq.com/changelog.html).

RabbitMQ Core team would like to thank Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center
for researching and responsibly disclosing the vulnerability addressed in this release.

### Erlang/OTP Compatibility Notes

This release [**no longer supports Erlang/OTP 20.3**](https://groups.google.com/d/msg/rabbitmq-users/G4UJ9zbIYHs/qCeyjkjyCQAJ).
Erlang `21.3+` is now a **hard requirement** checked on node startup.

Make sure a [supported Erlang version](https://www.rabbitmq.com/which-erlang.html) is used before upgrading.
[Provisioning Latest Erlang Releases](https://www.rabbitmq.com/which-erlang.html#erlang-repositories) explains
what package repositories and tools can be used to provision latest patch versions of Erlang `21.3.x` and `22.x`.

### Compatibility Notes

#### Upgrading to Erlang 21.x or Later Versions

When upgrading to this release **and upgrading Erlang to 21.x or later** at the same time, extra care has to be taken.
Since CLI tools from RabbitMQ releases older than 3.7.7 will fail on Erlang 21 or later,
RabbitMQ **must be upgraded before Erlang**.

#### Upgrade Doc Guides and Change Log

See [3.7.0 release notes](https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.7.0) upgrade
and compatibility notes first if upgrading from an earlier release.

See the [Upgrading guide](https://www.rabbitmq.com/upgrade.html) for general documentation on upgrades
and [RabbitMQ change log](https://www.rabbitmq.com/changelog.html) for release notes of other releases.

### Getting Help

Any questions about this release, upgrades or RabbitMQ in general are welcome on the
[RabbitMQ mailing list](https://groups.google.com/forum/#!forum/rabbitmq-users).


## Changes

### Core Server

#### Bug Fixes

 * Addressed a Windows-specific binary planting security vulnerability [CVE-2020-5419](https://tanzu.vmware.com/security/cve-2020-5419) that allowed for arbitrary code execution.
   The vulnerability requires the attacker to have local access and elevated privileges,
   and cannot be executed remotely.

   [CVSS score](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): `6.7` (medium severity).

   This vulnerability was researched and [responsibly disclosed](https://www.rabbitmq.com/contact.html#security) by
   Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center.



## Source code archives

**Warning**: The source code archive provided by GitHub only contains the source of the broker,
not the plugins or the client libraries. Please download the archive named `rabbitmq-server-3.7.28.tar.xz`.