RabbitMQ 3.6.1 is a maintenance release that includes a fix for CVE-2015-8786,
a vulnerability in RabbitMQ management plugin.
-
Purging a lazy queue could result in an exception
GitHub issue: rabbitmq-server#514
-
Ensure
epmdis running before starting RabbitMQ node on WindowsGitHub issue: rabbitmq-server#625
-
Channel error could make broker unreachable
Those errors were misleadingly logged as
channel_termination_timeout, which the issue really was with unhandled messages from concurrently closed TCP socket process.GitHub issue: rabbitmq-server#530
-
(Automatic) deletion of an auto-delete queue could lead to blocked channels
GitHub issue: rabbitmq-server#581
-
During (from scratch) queue sync, queue leader node didn't respect mirror alarm state. With large data sets this could drive mirror node out of memory.
GitHub issue: rabbitmq-server#616
-
Changing password for users with non-standard (think broker configuration) password hashing function, for example, those migrated from
3.5.xreleases, didn't update effective hashing function.GitHub issue: rabbitmq-server#623
-
Heavy and/or prolonged
rabbitmqctluse could exhaust Erlang VM atom tableGitHub issue: rabbitmq-server#549
-
"Min masters" queue leader location strategy could result in an error.
GitHub issue: rabbitmq-server#521
-
Fixed a race condition in
pause_minorityhandling mode.GitHub issue: rabbitmq-server#307
-
Significantly reduce possibility of a race condition when an exchange is deleted and immediately re-declared, e.g. by a federation link.
This could result in a link operation being blocked, preventing nodes from stopping.
GitHub issue: rabbitmq-federation#7
-
amq.rabbitmq.logmessages now have information about originating node in message headersGitHub issue: rabbitmq-server#595
-
scripts/rabbitmq-envnow works with GNU sed 4.2.2GitHub issue: rabbitmq-server#592
-
Exceptions in VM memory use calculator no longer affect broker startup
GitHub issue: rabbitmq-server#328
-
Direct Reply-to capability is now advertised to clients
GitHub issue: rabbitmq-server#520
-
Paths with non-ASCII characters on Windows are now handled
RabbitMQ now can be installed into a location with non-ASCII characters, e.g. when username contains them.
GitHub issues: rabbitmq-server#493
-
Configurable number of TCP connection acceptors
Plus a x10 increase of the default. This helps with workloads where connection churn is very high (e.g. all clients are PHP Web apps that cannot maintain long-lived connections).
GitHub issues: rabbitmq-server#528
-
rabbitmqctl cluster_statusnow includes cluster-wide resource alarm statusGitHub issue: rabbitmq-server#392
-
Windows installer no longer jumps over installation log
GitHub issue: rabbitmq-server#634
-
Improved
rabbitmqctl reseterror messagesGitHub issue: rabbitmq-server#167
-
More unsigned field data types are supported.
GitHub issue: rabbitmq-server#20
-
Endpoints (hostnames) are now also accepted as a
java.util.ListGitHub issue: rabbitmq-java-client#125
-
Autorecovering connections now shuffle hosts in a more reliable way
GitHub issue: rabbitmq-java-client#124
-
Binding recovery could fail
GitHub issue: rabbitmq-java-client#129
-
Channel.queueDeletecould throw aNullPointerExceptionGitHub issue: rabbitmq-java-client#120
-
Autorecovering connections now use full list of provided hostnames during recovery
GitHub issues: rabbitmq-dotnet-client#153
-
Significantly reduce possibility of a race condition when an exchange is deleted and immediately re-declared, e.g. by a federation link
This rendered federation links dysfunctional.
GitHub issue: rabbitmq-federation#7
-
CVE-2015-8786: user-provided query parameters
lengths_ageandlengths_incrhad no validation and could be used to exhaust server resources.The attacker needs to have access to HTTP API (authenticate successfully and have sufficient tags to pass authorisation) in order to carry out the attack.
There is no workaround for earlier releases.
Kudos to Vladimir Ivanov (Positive Technologies) for the responsible disclosure.
GitHub issue: rabbitmq-management#97
-
Password hashing function is now included in exported definitions
Those upgrading from versions earlier than
3.6.0via definitions export won't have to temporarily set hashing function to MD5 to ensure export succeeds.GitHub issue: rabbitmq-management#117
-
Internet Explorer (9+) compatibility restored
GitHub issue: rabbitmq-management#98
-
Internet Explorer 11 compatibility fixes
GitHub issues: rabbitmq-management#112, rabbitmq-management#114
-
When policy fails to be created with invalid paramaters a sensible error message will be displayed.
GitHub issue: rabbitmq-management#110
-
Federation link form now includes more settings (that are exchange- and queue-federation specific)
GitHub issue: rabbitmq-federation-management#5
-
passwordanddepthquery parameters are now propagated to TLS optionsGitHub issue: rabbitmq-erlang-client#36
-
durableandpersistentheaders weren't always used interchangeably, leading to non-durable subscriptionsGitHub issue: rabbitmq-stomp#58
-
Client heartbeat timeouts resulted in confusing error messages in broker log.
GitHub issues: rabbitmq-stomp#63
-
Cowboy options are now supported for TLS listeners.
GitHub issue: rabbitmq-web-stomp#36
-
Multi-byte UTF-8 characters are now handled by the bundled version of stomp.js.
GitHub issue: rabbitmq-web-stomp-examples#2
-
Event timestamps are now in seconds, not milliseconds
Per AMQP 0-9-1 spec. This is not a particularly great choice for events, so we will add an optional header with millisecond precision in a future release.
GitHub issue: rabbitmq-event-exchange#8
Note: this plugin is deprecated and its use is highly discouraged.
-
RabbitmQ
3.6.xsupport.GitHub issue: rabbitmq-jsonrpc#3