Re: [mosquitto-dev] CVE status?

Hi Greg,

Sorry for the delay replying. The CVE issues are fixed since 1.5, but
the documentation has slipped through the gaps, I'll make sure that is
sorted out soon.

Regards,

Roger

On Tue, 4 Sep 2018 at 11:44, Greg Troxel <gdt@xxxxxxxxxx> wrote:
>
> I have started maintaining an entry for mosquitto in pkgsrc, a multi-os
> multi-version multi-arch packaging system.  I have updated to 1.5.1
> (thanks for integrating the NetBSD patches) and reduced the TODO list
> considerably.
>
> It seems there are two CVEs:
>
>  https://nvd.nist.gov/vuln/detail/CVE-2017-7653
>  https://nvd.nist.gov/vuln/detail/CVE-2017-7654
>
> and I don't see them referenced in the Changelog.
>
> Is this entry:
>
>   - Fix memory leak that could be caused by a malicious CONNECT packet. This
>     does not yet have a CVE assigned. Closes #533493 (on Eclipse bugtracker)
>
> about 2017-7654?
>
> What's the status of 2017-7653? I see something about a function to
> check for valid UTF-8 in the 1.5.0 changelog, but it doesn't address the
> CVE entry.
>
> It would be nice to adjust Changelog.txt in git master to address the
> question of whether the CVEs are fully resolved (even though that can't
> change the release tarballs).
>
> Thanks,
> Greg