Your message dated Tue, 5 May 2026 13:36:52 +0200
with message-id <[email protected]>
and subject line mongoose: CVE-2026-2966 CVE-2026-2967 CVE-2026-2968
has caused the Debian Bug report #1135115,
regarding mongoose: CVE-2026-2966 CVE-2026-2967 CVE-2026-2968
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135115: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135115
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mongoose
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for mongoose. It's
unclear if these were ever properly forwarded upstream:

CVE-2026-2966[0]:
| A weakness has been identified in Cesanta Mongoose up to 7.20. The
| impacted element is the function mg_sendnsreq of the file /src/dns.c
| of the component DNS Transaction ID Handler. Executing a
| manipulation of the argument random can lead to insufficiently
| random values. The attack can be launched remotely. The attack
| requires a high level of complexity. The exploitability is regarded
| as difficult. The exploit has been made available to the public and
| could be used for attacks. The vendor was contacted early about this
| disclosure but did not respond in any way.

CVE-2026-2967[1]:
| A security vulnerability has been detected in Cesanta Mongoose up to
| 7.20. This affects the function getpeer of the file
| /src/net_builtin.c of the component TCP Sequence Number Handler. The
| manipulation leads to improper verification of source of a
| communication channel. The attack may be initiated remotely. The
| attack's complexity is rated as high. The exploitability is reported
| as difficult. The exploit has been disclosed publicly and may be
| used. The vendor was contacted early about this disclosure but did
| not respond in any way.

CVE-2026-2968[2]:
| A vulnerability was detected in Cesanta Mongoose up to 7.20. This
| impacts the function mg_chacha20_poly1305_decrypt of the file
| /src/tls_chacha20.c of the component Poly1305 Authentication Tag
| Handler. The manipulation results in improper verification of
| cryptographic signature. The attack may be launched remotely. This
| attack is characterized by high complexity. The exploitability is
| said to be difficult. The exploit is now public and may be used. The
| vendor was contacted early about this disclosure but did not respond
| in any way.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2966
    https://www.cve.org/CVERecord?id=CVE-2026-2966
[1] https://security-tracker.debian.org/tracker/CVE-2026-2967
    https://www.cve.org/CVERecord?id=CVE-2026-2967
[2] https://security-tracker.debian.org/tracker/CVE-2026-2968
    https://www.cve.org/CVERecord?id=CVE-2026-2968

Please adjust the affected versions in the BTS as needed.

--- End Message ---
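The weakness class named in CVE-2026-2966, a DNS transaction ID that is not unpredictable, as an added example in Python. This is not code from Mongoose or from the bug report, and it makes no claim about how mg_sendnsreq itself picks or checks IDs; the names CounterIdSource, RandomIdSource, Resolver and predict_next_counter_id are this example's own. A toy stub resolver records each outstanding query and accepts a response only when the 16-bit ID, the upstream source port and the question name all match, which is the matching RFC 5452 asks for. With a sequential ID source, one observed ID tells an off-path sender the next one, so a forged response that also carries the right port is accepted; with IDs drawn from the OS CSPRNG the same prediction almost never lands.

```python
import secrets
import struct

DNS_MASK16 = 0xFFFF


class CounterIdSource:
    """Weak: transaction IDs are sequential, so every next ID is predictable."""

    def __init__(self, start=0):
        self._next = start

    def next_id(self):
        txid = self._next & DNS_MASK16
        self._next += 1
        return txid


class RandomIdSource:
    """What RFC 5452 asks for: the full 16-bit ID drawn from the OS CSPRNG."""

    def next_id(self):
        return secrets.randbits(16)


def encode_qname(qname):
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(packet, offset=12):
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_message(txid, qname, response=False):
    """Header plus question section for an A/IN message. The answer section is
    left out: the resolver below matches on header and question only."""
    flags = 0x8180 if response else 0x0100      # QR|RD|RA for a response, RD for a query
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack(">HH", 1, 1)


def parse_txid(packet):
    return struct.unpack(">H", packet[:2])[0]


class Resolver:
    """Tracks outstanding queries and accepts a response only if transaction ID,
    upstream source port and question name all match one of them."""

    def __init__(self, id_source):
        self.ids = id_source
        self.pending = {}                       # txid -> (qname, upstream port)

    def send(self, qname, upstream_port):
        txid = self.ids.next_id()
        self.pending[txid] = (qname, upstream_port)
        return build_message(txid, qname)

    def accept(self, packet, src_port):
        txid = parse_txid(packet)
        flags = struct.unpack(">H", packet[2:4])[0]
        if not flags & 0x8000:                  # QR bit clear: not a response
            return False
        entry = self.pending.get(txid)
        if entry is None:                       # unknown ID: drop
            return False
        qname, _ = decode_qname(packet)
        if entry != (qname, src_port):          # wrong question or wrong port: drop
            return False
        del self.pending[txid]
        return True


def predict_next_counter_id(observed_id):
    """All an off-path sender needs against CounterIdSource: one observed ID."""
    return (observed_id + 1) & DNS_MASK16
```

secrets.randbits(16) is the CSPRNG-backed choice; a random ID is still only 16 bits, so source-port randomization and question-section matching belong to the same defence rather than being optional extras.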
--- Begin Message ---
Version: mongoose/7.21+ds-1

I have verified the three CVEs to be absent from v7.21 by using the
available PoC exploits on it.

--- End Message ---
