Skip to content

[AutoPR- Security] Patch rabbitmq-server for CVE-2026-57221, CVE-2026-57220, CVE-2026-57219, CVE-2026-57218, CVE-2026-57217, CVE-2026-57215, CVE-2026-57214, CVE-2026-57213, CVE-2026-57212, CVE-2026-57211 [HIGH]#18025

Draft
azurelinux-security wants to merge 2 commits into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/rabbitmq-server/3.0/1160673

Conversation

@azurelinux-security

@azurelinux-security azurelinux-security commented Jul 15, 2026

Copy link
Copy Markdown

Auto Patch rabbitmq-server for CVE-2026-57221, CVE-2026-57220, CVE-2026-57219, CVE-2026-57218, CVE-2026-57217, CVE-2026-57215, CVE-2026-57214, CVE-2026-57213, CVE-2026-57212, CVE-2026-57211.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160673&view=results

CVE-2026-57221 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160680&view=results
CVE-2026-57220 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160679&view=results
CVE-2026-57219 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160681&view=results
CVE-2026-57218 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160682&view=results
CVE-2026-57215 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160683&view=results
CVE-2026-57212 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160684&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

  • Auto Patch rabbitmq-server for CVE-2026-57221 (MEDIUM), CVE-2026-57220 (HIGH), CVE-2026-57219 (HIGH), CVE-2026-57218 (MEDIUM), CVE-2026-57217 (HIGH), CVE-2026-57215 (HIGH), CVE-2026-57214 (HIGH), CVE-2026-57213 (MEDIUM), CVE-2026-57212 (HIGH), CVE-2026-57211 (MEDIUM).
Change Log
  • CVE-2026-57221
  • CVE-2026-57220
  • CVE-2026-57219
  • CVE-2026-57218
  • CVE-2026-57217
  • CVE-2026-57215
  • CVE-2026-57214
  • CVE-2026-57213
  • CVE-2026-57212
  • CVE-2026-57211
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

…219, CVE-2026-57218, CVE-2026-57217, CVE-2026-57215, CVE-2026-57214, CVE-2026-57213, CVE-2026-57212, CVE-2026-57211
@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.

@v-sushilsati

Copy link
Copy Markdown
  1. Upstream commit references in all patches are correct.
  2. All patches match their respective upstream implementations. except changes in some source file and test files in respective CVE are not included as these files do not exist.
  3. The three CVEs mentioned above (57211, 57214, and 57218) do not affect version 3.13.7 according to NVD; however, applying them is safe since the affected code is present in this branch.
  4. A build failure occurred because CVE-2026-57212.patch referenced a missing LOG_WARNING module/macro in rabbit_mgmt_util.erl because does not include logging macro headers, This was resolved by using the existing API, rabbit_log:warning(...).
  5. A build failure was also caused by CVE-2026-57218.patch due to undefined functions: recheck_consumers/1 and server_consumer_cancel_supported/1. These were resolved by backporting both functions from upstream.
  6. For CVE-2026-57218, the recheck cancellation path was updated to use the branch-native rabbit_queue_type:cancel(Q, CTag, undefined, Username, QStates0) (cancel/5) instead of the newer cancel/3 function from upstream.
  7. The upstream fix for CVE-2026-57215 relies on the rabbit_volatile_queue:is/1 module, which does not exist in this branch. A safer workaround for 3.13.7 was implemented by avoiding the introduction of that module and instead leveraging the existing direct-reply-to prefix logic already present in rabbit_exchange.erl.
  8. CVE-2026-57216 is also fixed in same PR.
  9. local build is ok.
  10. PR is pending for internal review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants