rabbitmq-server/release-notes/3.8.7.md

## RabbitMQ 3.8.7

RabbitMQ `3.8.7` is a maintenance release that patches
a security vulnerability.

RabbitMQ Core team would like to thank Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center
for researching and responsibly disclosing the vulnerability addressed in this release.

### Erlang/OTP Compatibility Notes

This release [**requires Erlang/OTP 21.3**](https://www.rabbitmq.com/which-erlang.html) or later.
`22.3` or `23.0` releases are recommended.

[Provisioning Latest Erlang Releases](https://www.rabbitmq.com/which-erlang.html#erlang-repositories) explains
what package repositories and tools can be used to provision latest patch versions of Erlang `22.3.x`.


### Upgrade Doc Guides and Change Log

See [3.8.0 release notes](https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.0) upgrade and
compatibility notes first if upgrading from an earlier release.

See the [Upgrading guide](https://www.rabbitmq.com/upgrade.html) for general documentation on upgrades and
[RabbitMQ change log](https://www.rabbitmq.com/changelog.html) for release notes of other releases.

### Upgrading to Erlang 21.x or Later Versions

When upgrading to this release from `3.7.6` or an older version, extra care has to be taken.

Since CLI tools from RabbitMQ releases older than 3.7.7 will fail on Erlang 21 or later,
RabbitMQ **must be upgraded at the same time as Erlang**.

Alternatively the node can be upgraded to `3.7.18` first, then Erlang 22.x or 23.x, then RabbitMQ to most recent
3.8.x release.

### Getting Help

Any questions about this release, upgrades or RabbitMQ in general are welcome on the [RabbitMQ mailing list](https://groups.google.com/forum/#!forum/rabbitmq-users).


## Changes Worth Mentioning

### Core Server

#### Bug Fixes

 * Addressed a Windows-specific binary planting security vulnerability [CVE-2020-5419](https://tanzu.vmware.com/security/cve-2020-5419) that allowed for arbitrary code execution.
   The vulnerability requires the attacker to have local access and elevated privileges,
   and cannot be executed remotely.

   [CVSS score](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): `6.7` (medium severity).

   This vulnerability was researched and [responsibly disclosed](https://www.rabbitmq.com/contact.html#security) by
   Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center.

 * In a mixed version cluster, virtual host limits were incorrectly reported for yet-to-be-upgraded nodes.

   Contributed by @mnxumalo.

   GitHub issue: [rabbitmq/rabbitmq-server#2430](https://github.com/rabbitmq/rabbitmq-server/pull/2430)


### CLI Tools

#### Bug Fixes

 * Definition export using `rabbitmqctl export_definitions` exported [optional queue arguments](https://www.rabbitmq.com/queues.html#optional-arguments) as blank.
   Export performed via the HTTP API was not affected by this problem.

   GitHub issue: [rabbitmq/rabbitmq-server#2427](https://github.com/rabbitmq/rabbitmq-server/issues/2427)

 * Invoking `rabbitmqctl` (or other tools) without any arguments produced help output that was inconsistent
    from `rabbitmqctl help` in line spacing.


### Federation Plugin

#### Bug Fixes

 * Links in some environments upgraded from earlier `3.8.x` versions could run into a data coercion exception
   when connection credentials were unencrypted.

   GitHub issue: [rabbitmq/rabbitmq-federation#112](https://github.com/rabbitmq/rabbitmq-federation/pull/112)


### Shovel Plugin

#### Bug Fixes

 * Shovels where the source is AMQP 1.0 endpoint now gracefully handle link detachment
   if the remote end set the `closed` attribute to `false`.

   Contributed by @tstorck.

   GitHub issue: [rabbitmq/rabbitmq-amqp1.0-client#56](https://github.com/rabbitmq/rabbitmq-amqp1.0-client/pull/56)

 * Removed some debug logging that was unintentionally polluting standard output even when
   debug logging was not enabled.

   Contributed by @sircinek.

   GitHub issue: [rabbitmq/rabbitmq-amqp1.0-client#54](https://github.com/rabbitmq/rabbitmq-amqp1.0-client/pull/54)


## Dependency Upgrades

 * `credentials_obfuscation` was upgraded [from 2.1.1 to 2.2.0](https://github.com/rabbitmq/credentials-obfuscation/compare/v2.1.1...v2.2.0)


## Source code archives

**Warning**: The source code archive provided by GitHub only contains the source of the broker, not the plugins or the client libraries.
Please download the archive named `rabbitmq-server-3.8.7.tar.xz`.
Move release notes from rabbitmq/rabbitmq-website Keeping them in this repo might encourage more people to update them as changes are merged, and simplify release automation a bit. So let's try it. Per suggestion from @gerhard. 2021-07-31 00:23:19 +08:00			`## RabbitMQ 3.8.7`

			RabbitMQ `3.8.7` is a maintenance release that patches
			`a security vulnerability.`

			`RabbitMQ Core team would like to thank Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center`
			`for researching and responsibly disclosing the vulnerability addressed in this release.`

			`### Erlang/OTP Compatibility Notes`

			`This release [requires Erlang/OTP 21.3](https://www.rabbitmq.com/which-erlang.html) or later.`
			`22.3` or `23.0` releases are recommended.

			`[Provisioning Latest Erlang Releases](https://www.rabbitmq.com/which-erlang.html#erlang-repositories) explains`
			what package repositories and tools can be used to provision latest patch versions of Erlang `22.3.x`.


			`### Upgrade Doc Guides and Change Log`

			`See [3.8.0 release notes](https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.0) upgrade and`
			`compatibility notes first if upgrading from an earlier release.`

			`See the [Upgrading guide](https://www.rabbitmq.com/upgrade.html) for general documentation on upgrades and`
			`[RabbitMQ change log](https://www.rabbitmq.com/changelog.html) for release notes of other releases.`

			`### Upgrading to Erlang 21.x or Later Versions`

			When upgrading to this release from `3.7.6` or an older version, extra care has to be taken.

			`Since CLI tools from RabbitMQ releases older than 3.7.7 will fail on Erlang 21 or later,`
			`RabbitMQ must be upgraded at the same time as Erlang.`

			Alternatively the node can be upgraded to `3.7.18` first, then Erlang 22.x or 23.x, then RabbitMQ to most recent
			`3.8.x release.`

			`### Getting Help`

			`Any questions about this release, upgrades or RabbitMQ in general are welcome on the [RabbitMQ mailing list](https://groups.google.com/forum/#!forum/rabbitmq-users).`


			`## Changes Worth Mentioning`

			`### Core Server`

			`#### Bug Fixes`

			`* Addressed a Windows-specific binary planting security vulnerability [CVE-2020-5419](https://tanzu.vmware.com/security/cve-2020-5419) that allowed for arbitrary code execution.`
			`The vulnerability requires the attacker to have local access and elevated privileges,`
			`and cannot be executed remotely.`

			[CVSS score](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): `6.7` (medium severity).

			`This vulnerability was researched and [responsibly disclosed](https://www.rabbitmq.com/contact.html#security) by`
			`Ofir Hamam and Tomer Hadad at Ernst & Young's Hacktics Advanced Security Center.`

			`* In a mixed version cluster, virtual host limits were incorrectly reported for yet-to-be-upgraded nodes.`

			`Contributed by @mnxumalo.`

			`GitHub issue: [rabbitmq/rabbitmq-server#2430](https://github.com/rabbitmq/rabbitmq-server/pull/2430)`


			`### CLI Tools`

			`#### Bug Fixes`

			* Definition export using `rabbitmqctl export_definitions` exported [optional queue arguments](https://www.rabbitmq.com/queues.html#optional-arguments) as blank.
			`Export performed via the HTTP API was not affected by this problem.`

			`GitHub issue: [rabbitmq/rabbitmq-server#2427](https://github.com/rabbitmq/rabbitmq-server/issues/2427)`

			* Invoking `rabbitmqctl` (or other tools) without any arguments produced help output that was inconsistent
			from `rabbitmqctl help` in line spacing.


			`### Federation Plugin`

			`#### Bug Fixes`

			* Links in some environments upgraded from earlier `3.8.x` versions could run into a data coercion exception
			`when connection credentials were unencrypted.`

			`GitHub issue: [rabbitmq/rabbitmq-federation#112](https://github.com/rabbitmq/rabbitmq-federation/pull/112)`


			`### Shovel Plugin`

			`#### Bug Fixes`

			`* Shovels where the source is AMQP 1.0 endpoint now gracefully handle link detachment`
			if the remote end set the `closed` attribute to `false`.

			`Contributed by @tstorck.`

			`GitHub issue: [rabbitmq/rabbitmq-amqp1.0-client#56](https://github.com/rabbitmq/rabbitmq-amqp1.0-client/pull/56)`

			`* Removed some debug logging that was unintentionally polluting standard output even when`
			`debug logging was not enabled.`

			`Contributed by @sircinek.`

			`GitHub issue: [rabbitmq/rabbitmq-amqp1.0-client#54](https://github.com/rabbitmq/rabbitmq-amqp1.0-client/pull/54)`


			`## Dependency Upgrades`

			* `credentials_obfuscation` was upgraded [from 2.1.1 to 2.2.0](https://github.com/rabbitmq/credentials-obfuscation/compare/v2.1.1...v2.2.0)


			`## Source code archives`

			`Warning: The source code archive provided by GitHub only contains the source of the broker, not the plugins or the client libraries.`
			Please download the archive named `rabbitmq-server-3.8.7.tar.xz`.