RabbitMQ v3.7.28 Release Notes

Release Date: 2020-08-17
  • RabbitMQ 3.7.28

    RabbitMQ 3.7.28 is a security patch release.

    The RabbitMQ 3.7.x series is out of general support and is covered by the limited extended support policy
    through October 1st, 2020.
    Please consider upgrading to RabbitMQ 3.8.x.

    RabbitMQ Core team would like to thank Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center
    for researching and responsibly disclosing the vulnerability addressed in this release.

    Erlang/OTP Compatibility Notes

    This release no longer supports Erlang/OTP 20.3.
    Erlang 21.3+ is now a hard requirement checked on node startup.

    Make sure a supported Erlang version is used before upgrading.
    Provisioning Latest Erlang Releases explains
    what package repositories and tools can be used to provision the latest patch versions of Erlang 21.3.x and 22.x.

    Compatibility Notes

    Upgrading to Erlang 21.x or Later Versions

    When upgrading to this release and upgrading Erlang to 21.x or later at the same time, extra care has to be taken.
    Since CLI tools from RabbitMQ releases older than 3.7.7 will fail on Erlang 21 or later,
    RabbitMQ must be upgraded before Erlang.

    Upgrade Doc Guides and Change Log

    See 3.7.0 release notes upgrade
    and compatibility notes first if upgrading from an earlier release.

    See the Upgrading guide for general documentation on upgrades
    and RabbitMQ change log for release notes of other releases.

    Getting Help

    Any questions about this release, upgrades or RabbitMQ in general are welcome on the
    RabbitMQ mailing list.

    Changes

    Core Server

    Bug Fixes

    Addressed a Windows-specific binary planting security vulnerability, CVE-2020-5419, that allowed for arbitrary code execution.
    The vulnerability requires the attacker to have local access and elevated privileges,
    and cannot be exploited remotely.

    CVSS score: 6.7 (medium severity).

    This vulnerability was researched and responsibly disclosed by
    Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center.

    Source code archives

    Warning: The source code archive provided by GitHub only contains the source of the broker,
    not the plugins or the client libraries. Please download the archive named rabbitmq-server-3.7.28.tar.xz.