Re: [mosquitto-dev] Security update: CVE-2021-34432

>>>>> "Roger" == Roger Light <roger@xxxxxxxxxx> writes:

 > Dear all,
 > Mosquitto versions 2.0.0 to 2.0.7 were affected by a bug where the
 > broker would cause a segmentation fault if a client sent a topic with
 > length zero. A change was included in version 2.0.8 that fixed the
 > issue without it being identified.

 > This is your reminder to update to the latest 2.0.x release if you
 > have not already done so.

 > Thanks to Peter Korsgaard for finding and reporting the issue.

Sorry, that is not correct. The issue was reported by Bryan Pearson as
mentioned in the bugtracker linked from the CVE:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=574141

And fixed by Roger.

The only thing I have done is requested an update of the CPE info for
the CVE, which incorrectly stated that all mosquitto versions <= 2.07
were affected (instead of <= 2.0.7).

-- 
Bye, Peter Korsgaard

