RabbitMQ v3.8.7 Release Notes

Release Date: 2020-08-17
  • RabbitMQ 3.8.7

    RabbitMQ 3.8.7 is a maintenance release that patches
    a security vulnerability.

    RabbitMQ Core team would like to thank Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center
    for researching and responsibly disclosing the vulnerability addressed in this release.

    Erlang/OTP Compatibility Notes

    This release requires Erlang/OTP 21.3 or later.
    22.3 or 23.0 releases are recommended.

    Provisioning Latest Erlang Releases explains
    what package repositories and tools can be used to provision latest patch versions of Erlang 22.3.x.

    Upgrade Doc Guides and Change Log

    See 3.8.0 release notes upgrade and
    compatibility notes first if upgrading from an earlier release.

    See the Upgrading guide for general documentation on upgrades and
    RabbitMQ change log for release notes of other releases.

    Upgrading to Erlang 21.x or Later Versions

    When upgrading to this release from 3.7.6 or an older version, extra care has to be taken.

    Since CLI tools from RabbitMQ releases older than 3.7.7 will fail on Erlang 21 or later,
    RabbitMQ must be upgraded at the same time as Erlang.

    Alternatively, the node can be upgraded to 3.7.18 first, then Erlang 22.x or 23.x, then RabbitMQ to the most recent
    3.8.x release.

    Getting Help

    Any questions about this release, upgrades or RabbitMQ in general are welcome on the RabbitMQ mailing list.

    Changes Worth Mentioning

    Core Server

    Bug Fixes

    Addressed a Windows-specific binary planting security vulnerability, CVE-2020-5419, that allowed for arbitrary code execution.
    The vulnerability requires the attacker to have local access and elevated privileges,
    and cannot be executed remotely.

    CVSS score: 6.7 (medium severity).

    This vulnerability was researched and responsibly disclosed by
    Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center.

    In a mixed version cluster, virtual host limits were incorrectly reported for yet-to-be-upgraded nodes.

    Contributed by @mnxumalo.

    GitHub issue: rabbitmq/rabbitmq-server#2430

    CLI Tools

    Bug Fixes

    Definition export using rabbitmqctl export_definitions exported optional queue arguments as blank.
    Export performed via the HTTP API was not affected by this problem.

    GitHub issue: rabbitmq/rabbitmq-server#2427

    Invoking rabbitmqctl (or other tools) without any arguments produced help output whose line spacing
    was inconsistent with that of rabbitmqctl help.

    Federation Plugin

    Bug Fixes

    Links in some environments upgraded from earlier 3.8.x versions could run into a data coercion exception
    when connection credentials were unencrypted.

    GitHub issue: rabbitmq/rabbitmq-federation#112

    Shovel Plugin

    Bug Fixes

    Shovels where the source is an AMQP 1.0 endpoint now gracefully handle link detachment
    if the remote end set the closed attribute to false.

    Contributed by @tstorck.

    GitHub issue: rabbitmq/rabbitmq-amqp1.0-client#56

    Removed some debug logging that was unintentionally polluting standard output even when
    debug logging was not enabled.

    Contributed by @sircinek.

    GitHub issue: rabbitmq/rabbitmq-amqp1.0-client#54

    Dependency Upgrades

    Source code archives

    Warning: The source code archive provided by GitHub only contains the source of the broker, not the plugins or the client libraries.
    Please download the archive named rabbitmq-server-3.8.7.tar.xz.