michaelklishin released this Nov 21, 2016 · 3562 commits to master since this release

RabbitMQ 3.5.8

RabbitMQ 3.5.8 fixes a security vulnerability (CVE-2016-9877) in the MQTT plugin.

Important: release 3.5.8 marks the final patch in the 3.5.x series. RabbitMQ 3.5.x is no longer maintained. Please plan on upgrading to 3.6.x and refer to the current version of RabbitMQ instead.

Server

Security

  • rabbit_diagnostics:maybe_stuck/0 no longer prints the process dictionary
    because it may contain PRNG seed values and other sensitive information.

MQTT Plugin

Security

  • Authentication with a correct username but an omitted password succeeded when a TLS/x509 certificate
    wasn't provided by the client. CVE allocation for this vulnerability is pending.

    GitHub issue: rabbitmq-mqtt#96
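
For log or packet-capture review on brokers that predate this fix, the condition described above (user name present, password omitted) can be read directly from the connect flags of an MQTT CONNECT packet. The following is an added example, not RabbitMQ code: the function names are hypothetical, the field layout follows the MQTT 3.1/3.1.1 CONNECT format, and the two sample packets are constructed.

```python
import struct

def _varint(buf, pos):
    """Decode the MQTT 'remaining length' field (1-4 bytes, 7 bits each)."""
    value = 0
    for shift in (0, 7, 14, 21):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def _field(buf, pos):
    """Read one 2-byte length-prefixed field; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def inspect_connect(packet):
    """Report which credentials an MQTT 3.1/3.1.1 CONNECT packet carries."""
    if len(packet) < 2 or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _varint(packet, 1)
    if pos + remaining > len(packet):
        raise ValueError("truncated packet")
    _proto, pos = _field(packet, pos)        # "MQTT" or "MQIsdp"
    flags = packet[pos + 1]                  # byte after protocol level
    pos += 4                                 # level, flags, keep-alive
    _client_id, pos = _field(packet, pos)
    if flags & 0x04:                         # will flag: topic + message
        _, pos = _field(packet, pos)
        _, pos = _field(packet, pos)
    username = password = None
    if flags & 0x80:                         # user name flag
        username, pos = _field(packet, pos)
    if flags & 0x40:                         # password flag
        password, pos = _field(packet, pos)
    return {
        "username": None if username is None else username.decode("utf-8", "replace"),
        "has_password": password is not None,
        "username_without_password": username is not None and password is None,
    }

# Constructed sample packets (client id "c1", user "guest"), not real captures.
NO_PASSWORD = bytes.fromhex("101500044d5154540482003c0002633100056775657374")
WITH_PASSWORD = bytes.fromhex("101900044d51545404c2003c000263310005677565737400027077")
```

MQTT itself permits a user name without a password, so a flagged CONNECT is a candidate for review against the broker's authentication log rather than proof of misuse.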

Upgrading

To upgrade a non-clustered RabbitMQ, simply install the new version. All configuration and persistent message data are retained.

To upgrade a RabbitMQ cluster, follow the instructions in RabbitMQ documentation.

Source code archives

Warning: The source code archive provided by GitHub only contains the source of the broker, not the plugins or the client libraries.
Please download the archive named rabbitmq-3.5.8.tar.gz.