Skip to content

RabbitMQ 3.5.8

Compare
Choose a tag to compare
@michaelklishin michaelklishin released this 21 Nov 11:24
rabbitmq_v3_5_8
5198eab
This commit was signed with the committer’s verified signature.
michaelklishin Michael Klishin
GPG key ID: E80EDCFA0CDB21EE
Learn about vigilant mode.

RabbitMQ 3.5.8

RabbitMQ 3.5.8 fixes a security vulnerability (CVE-2016-9877) in the MQTT plugin.

Important: release 3.5.8 marks the final patch in the 3.5.x series. RabbitMQ 3.5.x is no longer maintained. Please plan on upgrading to 3.6.x and refer to the current version of RabbitMQ instead.

Server

Security

  • rabbit_diagnostics:maybe_stuck/0 no longer prints process' dictionary
    because it may contain PRNG seed values and other sensitive information.

MQTT Plugin

Security

  • Authentication with correct username but omitted password succeeded when TLS/x509 certificate
    wasn't provided by the client. CVE allocation for this vulnerability is pending.

    GitHub issue: rabbitmq-mqtt#96

Upgrading

To upgrade a non-clustered RabbitMQ simply install the new version. All configuration and persistent message data are retained.

To upgrade a RabbitMQ cluster, follow the instructions in RabbitMQ documentation.

Source code archives

Warning: The source code archive provided by GitHub only contains the source of the broker, not the plugins or the client libraries.
Please download the archive named rabbitmq-3.5.8.tar.gz.

Assets 48