diff -Nru rabbitmq-server-3.6.6/debian/changelog rabbitmq-server-3.6.6/debian/changelog
--- rabbitmq-server-3.6.6/debian/changelog 2017-01-02 20:19:03.000000000 +0530
+++ rabbitmq-server-3.6.6/debian/changelog 2021-07-10 13:34:54.000000000 +0530
@@ -1,3 +1,11 @@
+rabbitmq-server (3.6.6-1+deb9u1) stretch-security; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 CVE-2019-11281
+ CVE-2019-11287 CVE-2021-22116
+
+ -- Abhijith PA Sat, 10 Jul 2021 13:34:54 +0530
+
rabbitmq-server (3.6.6-1) unstable; urgency=medium
[ Ondřej Nový ]
diff -Nru rabbitmq-server-3.6.6/debian/patches/CVE-2017-4965_67.patch rabbitmq-server-3.6.6/debian/patches/CVE-2017-4965_67.patch
--- rabbitmq-server-3.6.6/debian/patches/CVE-2017-4965_67.patch 1970-01-01 05:30:00.000000000 +0530
+++ rabbitmq-server-3.6.6/debian/patches/CVE-2017-4965_67.patch 2021-07-10 13:33:30.000000000 +0530
@@ -0,0 +1,131 @@
+Backport of:
+
+https://github.com/rabbitmq/
+7d44a57f7ba5d26b14831b1278f6892314919f6e
+b2509a444b7b3b6a672751d7ac0af1972db1de3b
+1a29bfcc4b501971a04d174ef5544039fe1549eb
+35366827e439cbb625f56dcc256189b4b9f1b674
+
+
+Reviewed-By: Abhijith PA
+Last-Update: 2021-07-09
+
+--- a/deps/rabbitmq_management/priv/www/js/formatters.js
++++ b/deps/rabbitmq_management/priv/www/js/formatters.js
+@@ -126,11 +126,11 @@ function args_to_features(obj) {
+ var res = {};
+ for (var k in obj.arguments) {
+ if (k in KNOWN_ARGS) {
+- res[k] = obj.arguments[k];
++ res[k] = fmt_escape_html(obj.arguments[k]);
+ }
+ else {
+ if (res.arguments == undefined) res.arguments = {};
+- res.arguments[k] = obj.arguments[k];
++ res.arguments[fmt_escape_html(k)] = fmt_escape_html(obj.arguments[k]);
+ }
+ }
+ if (obj.durable) {
+@@ -150,7 +150,7 @@ function fmt_mirrors(queue) {
+ var unsynced = queue.slave_nodes || [];
+ unsynced = jQuery.grep(unsynced,
+ function (node, i) {
+- return jQuery.inArray(node, synced) == -1
++ return jQuery.inArray(node, synced) == -1;
+ });
+ var res = '';
+ if (synced.length > 0) {
+@@ -440,6 +440,10 @@ function fmt_rabbit_version(applications
+ return 'unknown';
+ }
+
++function fmt_strip_tags(txt) {
++ return txt.replace(/<(?:.|\n)*?>/gm, '');
++}
++
+ function fmt_escape_html(txt) {
+ return fmt_escape_html0(txt).replace(/\n/g, '
');
+ }
+--- a/deps/rabbitmq_management/priv/www/js/main.js
++++ b/deps/rabbitmq_management/priv/www/js/main.js
+@@ -1,4 +1,4 @@
+-$(document).ready(function() {
++f$(document).ready(function() {
+ replace_content('outer', format('login', {}));
+ start_app_login();
+ });
+@@ -640,8 +640,8 @@ function url_pagination_template(templat
+
+
+ function stored_page_info(template, page_start){
+- var pageSize = $('#' + template+'-pagesize').val();
+- var filterName = $('#' + template+'-name').val();
++ var pageSize = fmt_strip_tags($('#' + template+'-pagesize').val());
++ var filterName = fmt_strip_tags($('#' + template+'-name').val());
+
+ store_pref(template + '_current_page_number', page_start);
+ if (filterName != null && filterName != undefined) {
+@@ -697,7 +697,11 @@ function renderChannels() {
+
+
+ function update_pages_from_ui(sender) {
+- update_pages(current_template, !!$(sender).attr('data-page-start') ? $(sender).attr('data-page-start') : $(sender).val());
++ var val = $(sender).val();
++ var raw = !!$(sender).attr('data-page-start') ? $(sender).attr('data-page-start') : val;
++ var s = fmt_strip_tags(raw);
++ update_pages(current_template, s);
++}
+ }
+
+ function postprocess_partial() {
+@@ -828,7 +832,7 @@ function update_filter_regex(jElem) {
+ current_filter_regex = new RegExp(current_filter,'i');
+ } catch (e) {
+ jElem.parents('.filter').append('' +
+- e.message + '
');
++ fmt_escape_html(e.message) + '
');
+ }
+ }
+ }
+@@ -1082,7 +1086,7 @@ function sync_req(type, params0, path_te
+ params = params_magic(params0);
+ path = fill_path_template(path_template, params);
+ } catch (e) {
+- show_popup('warn', e);
++ show_popup('warn', fmt_escape_html(e));
+ return false;
+ }
+ var req = xmlHttpRequest();
+@@ -1141,7 +1145,7 @@ function check_bad_response(req, full_pa
+ if (typeof(error) != 'string') error = JSON.stringify(error);
+
+ if (error == 'bad_request' || error == 'not_found') {
+- show_popup('warn', reason);
++ show_popup('warn', fmt_escape_html(reason));
+ } else if (error == 'page_out_of_range') {
+ var seconds = 60;
+ if (last_page_out_of_range_error > 0)
+--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_policy.erl
++++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_policy.erl
+@@ -75,7 +75,7 @@ accept_content(ReqData, Context) ->
+ {true, ReqData, Context};
+ {error_string, Reason} ->
+ rabbit_mgmt_util:bad_request(
+- list_to_binary(Reason), ReqData, Context)
++ rabbit_mgmt_format:escape_html_tags(Reason), ReqData, Context)
+ end
+ end)
+ end.
+--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
++++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
+@@ -68,9 +68,7 @@ do_it(ReqData, Context) ->
+ Enc = case EncBin of
+ <<"auto">> -> auto;
+ <<"base64">> -> base64;
+- _ -> throw({error,
+- {bad_encoding,
+- EncBin}})
++ _ -> throw({error, <<"Unsupported encoding. Please use auto or base64.">>})
+ end,
+ Trunc = case proplists:get_value(truncate, Body) of
+ undefined -> none;
diff -Nru rabbitmq-server-3.6.6/debian/patches/CVE-2017-4966.patch rabbitmq-server-3.6.6/debian/patches/CVE-2017-4966.patch
--- rabbitmq-server-3.6.6/debian/patches/CVE-2017-4966.patch 1970-01-01 05:30:00.000000000 +0530
+++ rabbitmq-server-3.6.6/debian/patches/CVE-2017-4966.patch 2021-07-09 17:05:41.000000000 +0530
@@ -0,0 +1,184 @@
+Backpor of:
+
+ From 2371633f99ad0d293899384f078872ff9e9f3e10 Mon Sep 17 00:00:00 2001
+From: Michael Klishin
+Date: Wed, 22 Mar 2017 15:44:21 +0300
+Subject: [PATCH] Store authentication details in the cookie again
+
+It was moved to local storage together with personal
+preferences (e.g. what columns should be displayed in various
+tables) in ced47b0bdca862a58e8f31833643e948655f8368 (3.4.0), very unlikely
+by design.
+
+This is a short term solution for session expiration. A proper
+one would be moving to a token-based system such as OAuth 2.0.
+
+Reviewed-By: Abhijith PA
+Last-Update: 2021-07-09
+
+--- rabbitmq-server-3.6.6.orig/deps/rabbitmq_management/priv/www/js/dispatcher.js
++++ rabbitmq-server-3.6.6/deps/rabbitmq_management/priv/www/js/dispatcher.js
+@@ -67,7 +67,7 @@ dispatcher_add(function(sammy) {
+
+
+ sammy.get('#/exchanges', function() {
+- renderExchanges()
++ renderExchanges();
+ });
+
+
+@@ -226,7 +226,9 @@ dispatcher_add(function(sammy) {
+ });
+
+ sammy.put('#/logout', function() {
++ // clear a local storage value used by earlier versions
+ clear_pref('auth');
++ clear_cookie_value('auth');
+ location.reload();
+ });
+
+--- rabbitmq-server-3.6.6.orig/deps/rabbitmq_management/priv/www/js/main.js
++++ rabbitmq-server-3.6.6/deps/rabbitmq_management/priv/www/js/main.js
+@@ -17,8 +17,14 @@ function dispatcher() {
+ }
+
+ function set_auth_pref(userinfo) {
++ // clear a local storage value used by earlier versions
++ clear_local_pref('auth');
++
+ var b64 = b64_encode_utf8(userinfo);
+- store_pref('auth', encodeURIComponent(b64));
++ var date = new Date();
++ // 8 hours from now
++ date.setHours(date.getHours() + 8);
++ store_cookie_value_with_expiration('auth', encodeURIComponent(b64), date);
+ }
+
+ function login_route () {
+@@ -58,7 +64,7 @@ function start_app_login() {
+ this.get(/\#\/login\/(.*)/, login_route_with_path);
+ });
+ app.run();
+- if (get_pref('auth') != null) {
++ if (get_cookie_value('auth') != null) {
+ check_login();
+ }
+ }
+@@ -66,7 +72,8 @@ function start_app_login() {
+ function check_login() {
+ user = JSON.parse(sync_get('/whoami'));
+ if (user == false) {
+- clear_pref('auth');
++ // clear a local storage value used by earlier versions
++ clear_cookie_value('auth');
+ replace_content('login-status', 'Login failed
');
+ }
+ else {
+@@ -509,9 +516,9 @@ function show_popup(type, text, mode) {
+
+
+ function submit_import(form) {
+- var idx = $("select[name='vhost-upload'] option:selected").index()
++ var idx = $("select[name='vhost-upload'] option:selected").index();
+ var vhost = ((idx <=0 ) ? "" : "/" + esc($("select[name='vhost-upload'] option:selected").val()));
+- form.action ="api/definitions" + vhost + '?auth=' + get_pref('auth');
++ form.action ="api/definitions" + vhost + '?auth=' + get_cookie_value('auth');
+ form.submit();
+ };
+
+@@ -535,11 +542,11 @@ function postprocess() {
+ }
+ });
+ $('#download-definitions').click(function() {
+- var idx = $("select[name='vhost-download'] option:selected").index()
++ var idx = $("select[name='vhost-download'] option:selected").index();
+ var vhost = ((idx <=0 ) ? "" : "/" + esc($("select[name='vhost-download'] option:selected").val()));
+ var path = 'api/definitions' + vhost + '?download=' +
+ esc($('#download-filename').val()) +
+- '&auth=' + get_pref('auth');
++ '&auth=' + get_cookie_value('auth');
+ window.location = path;
+ setTimeout('app.run()');
+ return false;
+@@ -1011,11 +1018,26 @@ function update_status(status) {
+ replace_content('status', html);
+ }
+
++function has_auth_cookie_value() {
++ return get_cookie_value('auth') != null;
++}
++
++
+ function auth_header() {
+- return "Basic " + decodeURIComponent(get_pref('auth'));
++ if(has_auth_cookie_value()) {
++ return "Basic " + decodeURIComponent(get_cookie_value('auth'));
++ } else {
++ return null;
++ }
+ }
+
+ function with_req(method, path, body, fun) {
++ if(!has_auth_cookie_value()) {
++ // navigate to the login form
++ location.reload();
++ return;
++ }
++
+ var json;
+ var req = xmlHttpRequest();
+ req.open(method, 'api' + path, true );
+--- rabbitmq-server-3.6.6.orig/deps/rabbitmq_management/priv/www/js/prefs.js
++++ rabbitmq-server-3.6.6/deps/rabbitmq_management/priv/www/js/prefs.js
+@@ -8,6 +8,30 @@ function local_storage_available() {
+ }
+ }
+
++function store_cookie_value(k, v) {
++ var d = parse_cookie();
++ d[short_key(k)] = v;
++ store_cookie(d);
++}
++
++function store_cookie_value_with_expiration(k, v, expiration_date) {
++ var d = parse_cookie();
++ d[short_key(k)] = v;
++ store_cookie_with_expiration(d, expiration_date);
++}
++
++function clear_cookie_value(k) {
++ var d = parse_cookie();
++ delete d[short_key(k)];
++ store_cookie(d);
++}
++
++function get_cookie_value(k) {
++ var r;
++ r = parse_cookie()[short_key(k)];
++ return r == undefined ? default_pref(k) : r;
++}
++
+ function store_pref(k, v) {
+ if (local_storage_available()) {
+ window.localStorage['rabbitmq.' + k] = v;
+@@ -95,13 +119,17 @@ function parse_cookie() {
+ }
+
+ function store_cookie(dict) {
++ var date = new Date();
++ date.setFullYear(date.getFullYear() + 1);
++ store_cookie_with_expiration(dict, date);
++}
++
++function store_cookie_with_expiration(dict, expiration_date) {
+ var enc = [];
+ for (var k in dict) {
+ enc.push(k + ':' + escape(dict[k]));
+ }
+- var date = new Date();
+- date.setFullYear(date.getFullYear() + 1);
+- document.cookie = 'm=' + enc.join('|') + '; expires=' + date.toUTCString();
++ document.cookie = 'm=' + enc.join('|') + '; expires=' + expiration_date.toUTCString();
+ }
+
+ function get_cookie(key) {
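Review bot: `store_cookie_with_expiration` writes the `m=` cookie, which after this change carries the base64 Basic-auth credentials, with only an `expires` attribute — no `Secure` and no `SameSite` — so on an HTTPS deployment the same credentials are also attached to any plain-HTTP request to that host and to cross-site requests. The value has to stay readable from JS (`get_cookie_value` parses it), so HttpOnly is not available, but appending `; SameSite=Strict` and, when `location.protocol === 'https:'`, `; Secure` to the string assigned to `document.cookie` is a cheap hardening. The comment added in `check_login` (`// clear a local storage value used by earlier versions`) is copied from `set_auth_pref` but sits above `clear_cookie_value('auth')`, so it describes the wrong store; reword it to `// /whoami rejected the stored credentials: drop the auth cookie`. The patch header's `Backpor of:` is also missing its `t`.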
diff -Nru rabbitmq-server-3.6.6/debian/patches/CVE-2019-11281.patch rabbitmq-server-3.6.6/debian/patches/CVE-2019-11281.patch
--- rabbitmq-server-3.6.6/debian/patches/CVE-2019-11281.patch 1970-01-01 05:30:00.000000000 +0530
+++ rabbitmq-server-3.6.6/debian/patches/CVE-2019-11281.patch 2021-07-10 11:28:35.000000000 +0530
@@ -0,0 +1,25 @@
+Backport of:
+
+From d4d4cb2d3ecd7b6c8a51e50c3565c9a431c086b3 Mon Sep 17 00:00:00 2001
+From: Markus Alvila
+Date: Thu, 12 Sep 2019 17:45:28 +0200
+Subject: [PATCH] Patch 2x persistent XSS in HA policy and queue parameters
+
+(cherry picked from commit 3fcb423f92630441acf1eeada6ac5c1607f0f3a5)
+
+Reviewed-By:
+Last-Update: 2021-07-10
+
+--- rabbitmq-server-3.6.6.orig/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
++++ rabbitmq-server-3.6.6/deps/rabbitmq_federation_management/priv/www/js/tmpl/federation-upstreams.ejs
+@@ -44,8 +44,8 @@
+ <%= upstream.value['max-hops'] %> |
+ <%= fmt_time(upstream.value.expires, 'ms') %> |
+ <%= fmt_time(upstream.value['message-ttl'], 'ms') %> |
+- <%= upstream.value['ha-policy'] %> |
+- <%= upstream.value['queue'] %> |
++ <%= fmt_string(upstream.value['ha-policy']) %> |
++ <%= fmt_string(upstream.value['queue']) %> |
+
+ <% } %>
+
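Review bot: The patch header leaves `Reviewed-By:` empty while the sibling patches name the reviewer; fill it in or drop the line so the patch metadata is consistent across the series. The template change wraps only `ha-policy` and `queue` in `fmt_string`, leaving the neighbouring columns on `fmt_time`, which presumably emits formatted numbers rather than user text; a one-line header note saying the two string-valued fields are the only unescaped ones in this template would save the next reader from re-auditing it.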
diff -Nru rabbitmq-server-3.6.6/debian/patches/CVE-2019-11287.patch rabbitmq-server-3.6.6/debian/patches/CVE-2019-11287.patch
--- rabbitmq-server-3.6.6/debian/patches/CVE-2019-11287.patch 1970-01-01 05:30:00.000000000 +0530
+++ rabbitmq-server-3.6.6/debian/patches/CVE-2019-11287.patch 2021-07-10 11:36:44.000000000 +0530
@@ -0,0 +1,32 @@
+From 4b644692a41732dff21970ed1cfe640a848e61b7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jean-S=C3=A9bastien=20P=C3=A9dron?=
+
+Date: Thu, 31 Oct 2019 14:00:18 +0100
+Subject: [PATCH] rabbit_reader: Format `Explanation` before passing it
+
+... to `rabbit_misc:amqp_error()`.
+
+`Explanation` can be a user input. Therefore, we don't want to pass it
+as a format string to `rabbit_misc:amqp_error()`, as we can't trust its
+content.
+
+Now, we pass our own format string ("~s") and `Explanation` becomes
+the argument to that format string. This ensures we don't interpret
+untrusted user input.
+
+Discussed with: @dcorbacho, @essen and @michaelklishin.
+---
+ src/rabbit_reader.erl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/deps/rabbit_common/src/rabbit_reader.erl
++++ b/deps/rabbit_common/src/rabbit_reader.erl
+@@ -615,7 +615,7 @@ switch_callback(State, Callback, Length)
+ terminate(Explanation, State) when ?IS_RUNNING(State) ->
+ {normal, handle_exception(State, 0,
+ rabbit_misc:amqp_error(
+- connection_forced, Explanation, [], none))};
++ connection_forced, "~s", [Explanation], none))};
+ terminate(_Explanation, State) ->
+ {force, State}.
+
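Review bot: The backport retargets the hunk to `deps/rabbit_common/src/rabbit_reader.erl` while the upstream diffstat kept in the same header names `src/rabbit_reader.erl`; as far as I recall rabbit_reader belongs to the rabbit application rather than rabbit_common in the 3.6.x layout, so confirm the path exists in this source package, otherwise quilt refuses the patch at build time. The change itself is correct: passing `"~s"` with `[Explanation]` stops user-controlled text from being interpreted as a format string. If Explanation can carry characters above Latin-1 as a list, `~s` raises badarg on it whereas `"~ts"` accepts it, so the format string could be `"~ts"` at no cost. The header would also benefit from the `Reviewed-By:` and `Last-Update:` lines the sibling patches carry.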
diff -Nru rabbitmq-server-3.6.6/debian/patches/CVE-2021-22116.patch rabbitmq-server-3.6.6/debian/patches/CVE-2021-22116.patch
--- rabbitmq-server-3.6.6/debian/patches/CVE-2021-22116.patch 1970-01-01 05:30:00.000000000 +0530
+++ rabbitmq-server-3.6.6/debian/patches/CVE-2021-22116.patch 2021-07-10 13:31:50.000000000 +0530
@@ -0,0 +1,62 @@
+From 626d5219115d087a2695c0eb243c7ddb7e154563 Mon Sep 17 00:00:00 2001
+From: Michael Klishin
+Date: Wed, 7 Apr 2021 13:42:20 +0300
+Subject: [PATCH] Merge pull request #2953 from
+ rabbitmq/mk-amqp10-parser-infinite-loop
+
+AMQP 1.0 binary parser: treat arrays with extra or missing input as fatal errors
+
+(cherry picked from commit f37a31de55229e6c763215500e376fa16803390b)
+--- a/deps/rabbitmq_amqp1_0/src/rabbit_amqp1_0_binary_parser.erl
++++ b/deps/rabbitmq_amqp1_0/src/rabbit_amqp1_0_binary_parser.erl
+@@ -38,15 +38,15 @@ parse_described(Bin) ->
+ {Value, Rest2} = parse(Rest1),
+ {{described, Descriptor, Value}, Rest2}.
+
+-parse_primitive0(<>) ->
++parse_primitive0(<>) ->
+ parse_primitive(Type, Rest).
+
+ %% Constants
+-parse_primitive(16#40, Rest) -> {null, Rest};
+-parse_primitive(16#41, Rest) -> {true, Rest};
+-parse_primitive(16#42, Rest) -> {false, Rest};
+-parse_primitive(16#43, Rest) -> {{uint, 0}, Rest};
+-parse_primitive(16#44, Rest) -> {{ulong, 0}, Rest};
++parse_primitive(16#40, R) -> {null, R};
++parse_primitive(16#41, R) -> {true, R};
++parse_primitive(16#42, R) -> {false, R};
++parse_primitive(16#43, R) -> {{uint, 0}, R};
++parse_primitive(16#44, R) -> {{ulong, 0}, R};
+
+ %% Fixed-widths. Most integral types have a compact encoding as a byte.
+ parse_primitive(16#50, <>) -> {{ubyte, V}, R};
+@@ -129,6 +129,14 @@ parse_compound1(Count, Bin, Acc) ->
+ {Value, Rest} = parse(Bin),
+ parse_compound1(Count - 1, Rest, [Value | Acc]).
+
++parse_array_primitive(16#40, <<_:8/unsigned, R/binary>>) -> {null, R};
++parse_array_primitive(16#41, <<_:8/unsigned, R/binary>>) -> {true, R};
++parse_array_primitive(16#42, <<_:8/unsigned, R/binary>>) -> {false, R};
++parse_array_primitive(16#43, <<_:8/unsigned, R/binary>>) -> {{uint, 0}, R};
++parse_array_primitive(16#44, <<_:8/unsigned, R/binary>>) -> {{ulong, 0}, R};
++parse_array_primitive(ElementType, Data) ->
++ parse_primitive(ElementType, Data).
++
+ parse_array(UnitSize, Bin) ->
+ <> = Bin,
+ parse_array1(Count, Bin1).
+@@ -144,8 +152,12 @@ parse_array1(Count, <>, Acc) ->
+ lists:reverse(Acc);
++parse_array2(0, Type, Bin, Acc) ->
++ exit({failed_to_parse_array_extra_input_remaining, Type, Bin, Acc});
++parse_array2(Count, Type, <<>>, Acc) when Count > 0 ->
++ exit({failed_to_parse_array_insufficient_input, Type, Count, Acc});
+ parse_array2(Count, Type, Bin, Acc) ->
+- {Value, Rest} = parse_primitive(Type, Bin),
++ {Value, Rest} = parse_array_primitive(Type, Bin),
+ parse_array2(Count - 1, Type, Rest, [Value | Acc]).
+
+ mapify([]) ->
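Review bot: The two new `parse_array2` error clauses place the entire unconsumed `Bin` and the accumulated `Acc` into the exit reason, and this code is reached from untrusted AMQP 1.0 frames; if the connection crash report logs the term in full, a single malformed frame produces a log entry roughly as large as the frame. Reporting sizes instead keeps the diagnostic without echoing the payload, e.g. `exit({failed_to_parse_array_extra_input_remaining, Type, byte_size(Bin), length(Acc)})` and `length(Acc)` in the insufficient-input clause. This rendering shows several binary patterns as `<>` (the `parse_primitive0` head, `parse_array`, and the `parse_array1` hunk header) and two fewer lines than the `+1,62` count promises, which looks like extraction loss; verify that the patch file on disk carries the full `<<...>>` segments and, in particular, the clause that ends in `lists:reverse(Acc);` — it must match count 0 with an empty binary ahead of the new extra-input clause, or every correctly terminated array would now exit.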
diff -Nru rabbitmq-server-3.6.6/debian/patches/series rabbitmq-server-3.6.6/debian/patches/series
--- rabbitmq-server-3.6.6/debian/patches/series 1970-01-01 05:30:00.000000000 +0530
+++ rabbitmq-server-3.6.6/debian/patches/series 2021-07-10 12:18:58.000000000 +0530
@@ -0,0 +1,5 @@
+CVE-2017-4966.patch
+CVE-2017-4965_67.patch
+CVE-2019-11281.patch
+CVE-2019-11287.patch
+CVE-2021-22116.patch