Skip to content

[AutoPR- Security] Patch rabbitmq-server for CVE-2026-43966, CVE-2026-44839 [MEDIUM]#17919

Open
azurelinux-security wants to merge 3 commits into
microsoft:3.0-devfrom
azurelinux-security:azure-autosec/rabbitmq-server/3.0/1154297
Open

[AutoPR- Security] Patch rabbitmq-server for CVE-2026-43966, CVE-2026-44839 [MEDIUM]#17919
azurelinux-security wants to merge 3 commits into
microsoft:3.0-devfrom
azurelinux-security:azure-autosec/rabbitmq-server/3.0/1154297

Conversation

@azurelinux-security

@azurelinux-security azurelinux-security commented Jul 6, 2026

Copy link
Copy Markdown

Auto Patch rabbitmq-server for CVE-2026-43966, CVE-2026-44839.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1154297&view=results
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1159166&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

  • Auto Patch rabbitmq-server for CVE-2026-43966 (LOW), CVE-2026-44839 (MEDIUM).
Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@v-aaditya

v-aaditya commented Jul 10, 2026

Copy link
Copy Markdown

Buddy Build has been triggered and it has passed.

@v-swapsahu

Copy link
Copy Markdown

Patch Analysis:

  • AutoPR initially included one patch, but the upstream covers both cowboy and gun. The cowboy fix was applied in the upstream style, while the gun fix was manually backported because this package uses gun 1.3.3 and upstream fixed gun 2.4.1.

  • In RabbitMQ package, the effective cowlib version is 2.13.0, which falls within the affected range, so both dependent paths such as cowboy and gun were considered during the fix.

image (1)
  • Why maps:without is used in the Gun Backport
    invalid_request_headers is handled in gun.erl, not in gun_ws.erl. If you pass it directly to gun_ws:check_options, older gun_ws rejects it as an unknown option.

To avoid that regression, the backport uses:

WsOpts = maps:without([invalid_request_headers], WsOpts0),

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review July 13, 2026 02:56
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner July 13, 2026 02:56
@Kanishk-Bansal

Copy link
Copy Markdown

check the indentation in the patch, also don't we need test files, or they are absent in our source?

@v-swapsahu

Copy link
Copy Markdown

Backported: YES.

Verified the RabbitMQ 3.13.7 source patch against the upstream commit. The patch does not have any indentation issues and matches the upstream formatting.

For tests, the source package does not include the upstream Erlang Common Test suites. In this tree, there are no *_SUITE.erl files and no files under deps/**/test/**, so there are no relevant test files available to update as part of this patch.

azurelinux-security and others added 2 commits July 13, 2026 08:37
Signed-off-by: Swapnil Sahu <v-swapsahu@microsoft.com>
@Kanishk-Bansal Kanishk-Bansal force-pushed the azure-autosec/rabbitmq-server/3.0/1154297 branch from 1351df0 to 8606c02 Compare July 13, 2026 08:37

@Kanishk-Bansal Kanishk-Bansal left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Patch Analysis (the cowboy commit matches upstream, gun (deps/gun/src/gun.erl) core security logic matches upstream. the other files which are not for CVE fix are ommitted as those files are absent in our source code)

  • Buddy Build 
  • patch applied during the build (check rpm.log)
  • patch include an upstream reference
  • PR has security tag

@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Jul 13, 2026
@azurelinux-security azurelinux-security changed the title [AutoPR- Security] Patch rabbitmq-server for CVE-2026-43966 [LOW] [AutoPR- Security] Patch rabbitmq-server for CVE-2026-43966, CVE-2026-44839 [MEDIUM] Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3.0-dev PRs Destined for AzureLinux 3.0 AI Backport AutoPR-Security Packaging ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants