RabbitMQ v3.8.7 Release Notes
Release Date: 2020-08-17
RabbitMQ 3.8.7

RabbitMQ 3.8.7 is a maintenance release that patches a security vulnerability.

RabbitMQ Core team would like to thank Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center for researching and responsibly disclosing the vulnerability addressed in this release.

Erlang/OTP Compatibility Notes
This release requires Erlang/OTP 21.3 or later. 22.3 or 23.0 releases are recommended.

Provisioning Latest Erlang Releases explains what package repositories and tools can be used to provision latest patch versions of Erlang 22.3.x.

Upgrade Doc Guides and Change Log
See 3.8.0 release notes upgrade and compatibility notes first if upgrading from an earlier release.

See the Upgrading guide for general documentation on upgrades and RabbitMQ change log for release notes of other releases.

Upgrading to Erlang 21.x or Later Versions
When upgrading to this release from 3.7.6 or an older version, extra care has to be taken.

Since CLI tools from RabbitMQ releases older than 3.7.7 will fail on Erlang 21 or later, RabbitMQ must be upgraded at the same time as Erlang.

Alternatively the node can be upgraded to 3.7.18 first, then Erlang 22.x or 23.x, then RabbitMQ to most recent 3.8.x release.

Getting Help
Any questions about this release, upgrades or RabbitMQ in general are welcome on the RabbitMQ mailing list.

Changes Worth Mentioning

Core Server

Bug Fixes
- Addressed a Windows-specific binary planting security vulnerability CVE-2020-5419 that allowed for arbitrary code execution. The vulnerability requires the attacker to have local access and elevated privileges, and cannot be executed remotely. CVSS score: 6.7 (medium severity). This vulnerability was researched and responsibly disclosed by Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center.
- In a mixed version cluster, virtual host limits were incorrectly reported for yet-to-be-upgraded nodes. Contributed by @mnxumalo. GitHub issue: rabbitmq/rabbitmq-server#2430

CLI Tools

Bug Fixes
- Definition export using rabbitmqctl export_definitions exported optional queue arguments as blank. Export performed via the HTTP API was not affected by this problem. GitHub issue: rabbitmq/rabbitmq-server#2427
- Invoking rabbitmqctl (or other tools) without any arguments produced help output that was inconsistent with rabbitmqctl help in line spacing.

Federation Plugin
Bug Fixes
- Links in some environments upgraded from earlier 3.8.x versions could run into a data coercion exception when connection credentials were unencrypted. GitHub issue: rabbitmq/rabbitmq-federation#112

Shovel Plugin
Bug Fixes
- Shovels where the source is an AMQP 1.0 endpoint now gracefully handle link detachment if the remote end set the closed attribute to false. Contributed by @tstorck. GitHub issue: rabbitmq/rabbitmq-amqp1.0-client#56
- Removed some debug logging that was unintentionally polluting standard output even when debug logging was not enabled. Contributed by @sircinek. GitHub issue: rabbitmq/rabbitmq-amqp1.0-client#54

Dependency Upgrades
- credentials_obfuscation was upgraded from 2.1.1 to 2.2.0

Source code archives

Warning: The source code archive provided by GitHub only contains the source of the broker, not the plugins or the client libraries. Please download the archive named rabbitmq-server-3.8.7.tar.xz.