Bug#986701: mosquitto: CVE-2021-28166

2021-04-09 Thread Roger Light
This will be fixed soon, I would like to include an autopkgtest in the
package, otherwise this would have been updated already.

On Fri, 9 Apr 2021 at 20:27, Salvatore Bonaccorso  wrote:
>
> Source: mosquitto
> Version: 2.0.9-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> 
>
> Hi,
>
> The following vulnerability was published for mosquitto.
>
> CVE-2021-28166[0]:
> | In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated
> | client that had connected with MQTT v5 sent a crafted CONNACK message
> | to the broker, a NULL pointer dereference would occur.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-28166
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166
> [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore



Bug#754787: mosquitto: does not handle errors from authentication plugins correctly

2014-07-14 Thread Roger Light
Source: mosquitto
Version: 1.2.1-1
Severity: grave
Tags: security upstream
Justification: user security hole

If an end user uses mosquitto with an authentication plugin, and the
plugin returns an application error when making an authentication check
(such as if a database was unavailable), then mosquitto incorrectly
treats this as a successful authentication.

This has the potential for unauthorised clients to access the running
mosquitto broker and gain access to information to which they are not
authorised. In general this does not represent a wider security hole.

No authentication plugins are provided with mosquitto and there are only
a limited number of examples available on the internet, so it is
unlikely that this bug will affect many installations.


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
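The fail-open mistake this report describes, shown beside the fail-closed check, as an added example that is not mosquitto's own source. The MOSQ_ERR_* names and values are assumed to follow the Mosquitto auth-plugin API; the plugin stand-in and its single credential pair are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match the Mosquitto plugin API return codes. */
#define MOSQ_ERR_SUCCESS 0
#define MOSQ_ERR_AUTH    11
#define MOSQ_ERR_UNKNOWN 13

/* Constructed stand-in for an authentication plugin whose backend
 * (e.g. a database) may be unavailable. */
static int plugin_unpwd_check(bool db_available, const char *user, const char *pw)
{
    if (!db_available)
        return MOSQ_ERR_UNKNOWN;          /* application error, not a verdict */
    if (user && pw && strcmp(user, "alice") == 0 && strcmp(pw, "s3cret") == 0)
        return MOSQ_ERR_SUCCESS;
    return MOSQ_ERR_AUTH;                 /* explicit rejection */
}

/* Fail-open: anything other than an explicit rejection is treated as
 * success, so a backend outage admits every client. */
bool accept_client_fail_open(bool db_available, const char *user, const char *pw)
{
    return plugin_unpwd_check(db_available, user, pw) != MOSQ_ERR_AUTH;
}

/* Fail-closed: only an explicit success grants access; any error is
 * logged separately so operators can detect the outage, then refused. */
bool accept_client_fail_closed(bool db_available, const char *user, const char *pw)
{
    int rc = plugin_unpwd_check(db_available, user, pw);
    if (rc == MOSQ_ERR_SUCCESS)
        return true;
    if (rc != MOSQ_ERR_AUTH)
        fprintf(stderr, "auth plugin error %d for user %s, refusing connection\n",
                rc, user ? user : "(none)");
    return false;
}
```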



Bug#651688: [pkg-ggz-maintainers] Bug#651688: Bug#651688: Should ggz-server be orphaned or removed from Debian?

2012-01-02 Thread Roger Light
> It appears that Josef is no longer active

He replied to my email fairly promptly so I'm sure he'll do so with
this as well.

> .  I was just the
> sponsor/helper here, so I don't know the status of upstream etc. very
> well.  At one point, these libraries had a reverse dependency into
> GNOME, but I can't find it right now, so maybe it's gone.  Note that
> ggz-client-libs has a very high popcon usage because of this.

The GNOME reverse dependency appears to have been dropped around this
commit: 
http://git.gnome.org/browse/gnome-games/commit/configure.in?id=afd2c399e70fde7d3f5853cefd137299458447d3
which is around 2.29.1 or so.






Bug#651688: [pkg-ggz-maintainers] Bug#651688: Should ggz-server be orphaned or removed from Debian?

2011-12-13 Thread Roger Light
Hi Ansgar,

I've spoken with Josef Spillner, the old GGZ project lead and we both
agree that the best course of action is for the GGZ packages to be
removed from Debian. It's not fair to leave the maintenance in the
hands of the distributors.

Cheers,

Roger


