Patch rabbitmq-server for CVE-2025-30219 [Medium] (#13200)

jslobodzian · jslobodzian · commit 7ee00c750f49 · 2025-04-09T15:30:02.000-04:00
(cherry picked from commit b7f1d7c)
diff --git a/SPECS/rabbitmq-server/CVE-2025-30219.patch b/SPECS/rabbitmq-server/CVE-2025-30219.patch
@@ -0,0 +1,25 @@
+From 3d88ed83db8f981006559ee805ba7a1ffded60d5 Mon Sep 17 00:00:00 2001
+From: Michael Klishin <michael@clojurewerkz.org>
+Date: Fri, 25 Oct 2024 22:14:41 -0400
+Subject: [PATCH] Use fmt_string in this error message
+
+---
+ deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs b/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
+index 769c6d7..8c6f0c3 100644
+--- a/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
++++ b/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
+@@ -27,7 +27,7 @@
+         if (vhosts[i].cluster_state[vhost_status_node] != 'running') {
+ %>
+ <p class="warning">
+-  Virtual host <b><%= vhosts[i].name %></b> experienced an error on node <b><%= vhost_status_node %></b> and may be inaccessible
++  Virtual host <b><%= fmt_string(vhosts[i].name) %></b> experienced an error on node <b><%= fmt_string(vhost_status_node) %></b> and may be inaccessible
+ </p>
+ <% }}} %>
+ </div>
+-- 
+2.34.1
+
diff --git a/SPECS/rabbitmq-server/rabbitmq-server.spec b/SPECS/rabbitmq-server/rabbitmq-server.spec
@@ -2,7 +2,7 @@
 Summary:        rabbitmq-server
 Name:           rabbitmq-server
 Version:        3.11.24
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        Apache-2.0 and MPL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -30,6 +30,7 @@ Source3:        rabbitmq-server-hex-cache-%{version}.tar.gz
 # 8. Run `tar -czf rabbitmq-server-hex-cache-<version>.tar.gz cache.erl`
 # --------
 Patch0:			CVE-2023-50966.patch
+Patch1:			CVE-2025-30219.patch
 BuildRequires:  erlang
 BuildRequires:  elixir
 BuildRequires:  libxslt
@@ -115,6 +116,9 @@ done
 %{_libdir}/rabbitmq/lib/rabbitmq_server-%{version}/*
 
 %changelog
+* Mon Mar 31 2025 Ankita Pareek <ankitapareek@microsoft.com> - 3.11.24-3
+- Add patch for CVE-2025-30219
+
 * Thu Feb 13 2024 Kanishk Bansal <kanbansal@microsoft.com> - 3.11.24-2
 - Add patch for CVE-2023-50966
 
