
Add ability to specify maximum message size #1062

Closed
acogoluegnes opened this issue Jun 14, 2023 · 8 comments · Fixed by #1063

Comments

@acogoluegnes
Contributor

No description provided.

@acogoluegnes acogoluegnes added this to the 5.18.0 milestone Jun 14, 2023
@acogoluegnes acogoluegnes self-assigned this Jun 14, 2023
acogoluegnes added a commit that referenced this issue Jun 15, 2023
To avoid OOM with a very large message.
The default value is 64 MiB.

Fixes #1062
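The defensive check the commit message describes, as an added standalone illustration and not the client's own Frame.java: an AMQP 0-9-1 frame reader that validates the size a peer declares in the 7-byte frame header against a configured limit (64 MiB by default, matching the commit) before allocating the payload buffer. The class, method names and the sample frames are my own construction.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/** Reads AMQP 0-9-1 frames (type, channel, size, payload, 0xCE) and refuses
 *  to allocate a payload larger than a configured maximum. Illustrative only. */
public final class BoundedFrameReader {
    public static final int DEFAULT_MAX_PAYLOAD = 64 * 1024 * 1024; // 64 MiB, as in the fix
    private static final int FRAME_END = 0xCE;

    private final int maxPayload;

    public BoundedFrameReader(int maxPayload) { this.maxPayload = maxPayload; }

    /** Returns the next frame's payload, or throws before any large allocation. */
    public byte[] readFrame(DataInputStream in) throws IOException {
        int type = in.readUnsignedByte();
        int channel = in.readUnsignedShort();
        long size = in.readInt() & 0xFFFFFFFFL; // wire size is an unsigned 32-bit integer
        // Check BEFORE new byte[size]: the header alone can claim up to 4 GiB,
        // and allocating on trust is the OOM the fix guards against.
        if (size > maxPayload) {
            throw new IOException("frame payload " + size + " bytes exceeds limit " + maxPayload
                + " (type " + type + ", channel " + channel + ")");
        }
        byte[] payload = new byte[(int) size];
        in.readFully(payload);
        if (in.readUnsignedByte() != FRAME_END) throw new IOException("bad frame-end octet");
        return payload;
    }

    /** Constructed sample: a frame header claiming {@code declaredSize} payload bytes. */
    static byte[] header(int type, int channel, long declaredSize) {
        return ByteBuffer.allocate(7).put((byte) type).putShort((short) channel)
            .putInt((int) declaredSize).array();
    }

    public static void main(String[] args) throws IOException {
        BoundedFrameReader reader = new BoundedFrameReader(1024); // small limit for the demo
        byte[] body = "hello".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer ok = ByteBuffer.allocate(7 + body.length + 1);
        ok.put(header(3, 1, body.length)).put(body).put((byte) FRAME_END); // type 3 = body frame
        byte[] got = reader.readFrame(new DataInputStream(new ByteArrayInputStream(ok.array())));
        System.out.println("accepted: " + new String(got, StandardCharsets.US_ASCII));
        byte[] huge = header(3, 1, 3L * 1024 * 1024 * 1024); // header claiming 3 GiB, no payload
        try { reader.readFrame(new DataInputStream(new ByteArrayInputStream(huge))); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A per-frame bound alone does not cap a message whose body is split across many body frames; a complete limit also sums the body frames of one message against the same maximum while reassembling it.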
acogoluegnes added a commit that referenced this issue Jun 15, 2023
To avoid OOM with a very large message.
The default value is 64 MiB.

Fixes #1062

(cherry picked from commit 9ed45fd)
acogoluegnes added a commit that referenced this issue Jun 15, 2023
References #1062

(cherry picked from commit 5982cd1)
acogoluegnes added a commit that referenced this issue Jun 29, 2023
To avoid OOM with a very large message.
The default value is 64 MiB.

Fixes #1062

(cherry picked from commit 9ed45fd)

Conflicts:
	src/main/java/com/rabbitmq/client/impl/Frame.java
	src/test/java/com/rabbitmq/client/test/TestUtils.java
acogoluegnes added a commit that referenced this issue Jun 29, 2023
References #1062

(cherry picked from commit 5982cd1)
acogoluegnes added a commit that referenced this issue Jun 29, 2023
To avoid OOM with a very large message.
The default value is 64 MiB.

Fixes #1062

(cherry picked from commit 9ed45fd)

Conflicts:
	src/main/java/com/rabbitmq/client/impl/Frame.java
	src/test/java/com/rabbitmq/client/test/TestUtils.java
acogoluegnes added a commit that referenced this issue Jun 29, 2023
References #1062

(cherry picked from commit 5982cd1)
acogoluegnes added a commit that referenced this issue Jun 29, 2023
To avoid OOM with a very large message.
The default value is 64 MiB.

Fixes #1062

(cherry picked from commit 9ed45fd)
acogoluegnes added a commit that referenced this issue Jun 29, 2023
References #1062

(cherry picked from commit 5982cd1)
@gdimitrov7

The releases list and the commit history both show that the fix was backported to:
v5.17.1
v5.16.1
v5.14.3

@acogoluegnes Can you confirm?

I want confirmation because

show that the fix is only available in 5.18.0+ which is only one branch.

@michaelklishin Is it possible to update the security advisories with correct versions?
Thank you.

@michaelklishin
Member

michaelklishin commented Nov 10, 2023

@gdimitrov7 you can inspect the branches of those releases just like we can, here is 5.17.x-stable, for instance.

A GitHub security advisory only has one "affected versions" field IIRC. There are no reasons to prefer 5.17 over the latest 5.x, this client ships minors often and usually without breaking changes of any kind.

@michaelklishin
Member

@gdimitrov7 we cannot retroactively update NIST database entries, therefore we won't update the advisory even if there was/is a way to list multiple affected versions.

@acogoluegnes
Contributor Author

@gdimitrov7 Yes, it's been backported to those patch releases. You should use 5.20.0 (the latest as of today) though, it's backward compatible.

@peterwvz

peterwvz commented Feb 19, 2024

we cannot retroactively update NIST database entries, therefore we won't update the advisory even if there was/is a way to list multiple affected versions.

@michaelklishin You can actually update NVD. Happens all the time. Reanalysis efforts are typically driven by external engagement such as emails to nvd@nist.gov or cpe_dictionary@nist.gov. You'd include the pertinent info (like this thread) showing the backports happened. I think that's the only way to get all the enterprise vulnerability scanners to acknowledge that 5.18.0 is not the only fix for this CVE.

@michaelklishin
Member

There are also no reasons for the 5.17 users not to upgrade to 5.18 or 5.20. As stated earlier, this client usually ships minor releases without any breaking changes.

Our small team has more important things to worry about than making sure a three minor behind patch release of this client has a backport accounted for in the NIST database.

We have fixed the issue and released a round of back ports. NIST is notified. If someone has the cycle to update the NIST database, they can do it by providing evidence from this public repository.

@peterwvz

peterwvz commented Feb 19, 2024 via email

@michaelklishin
Member

michaelklishin commented Feb 20, 2024

@peterwvz we have done our job: we have responded to a responsibly disclosed vulnerability, patched it, backported it N times and produced a round of releases, then disclosed it when we were able to do so according to VMware vulnerability disclosure requirements.

That problem you have with a vendor on 5.14? Sorry, that's not our job. We are not paid by that vendor. In fact, that vendor might as well use open source RabbitMQ without a support contract and thus might get everything, including updates, for free, year after year.

And now we have to worry about their upgrade routine and security vulnerability scanner? Wow, the standards are high for OSS maintainers these days.

@rabbitmq rabbitmq locked as resolved and limited conversation to collaborators Feb 20, 2024