Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
09a3a1a9 by Markus Koschany at 2023-11-10T02:02:52+01:00
Remove mosquitto from dla-needed.txt
- - - - -
853f87ec by Markus Koschany at 2023-11-10T02:03:45+01:00
CVE-2023-5632,mosquitto: buster is not affected
The vulnerable code was introduced two years later with https://github.com/eclipse/mosquitto/commit/fabdfcc060432f07595b4a10d4f4fb3d075c64dc#diff-0c14597a927dfee68f01aabb70f76e8d1191380e890978a1cc263855478d6138
- - - - -
673a8bc8 by Markus Koschany at 2023-11-10T02:07:22+01:00
CVE-2023-28366,mosquitto: mark buster as ignored
This potential memory leak requires a rewrite of packet handling core functions. Upstream was unsure whether the buster version is affected but did not intend to fix such an old version anyway. It seems mosquitto is ABI stable between 1.5 and 2.x but that does not imply configuration options behave identically. The risk of regressions is thus rather high. An upgrade to the version in Bullseye would be a more sensible approach because this version has excellent test coverage though. At the moment I tend to ignore this problem because of the regression risks involved.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes: ===================================== data/CVE/list ===================================== @@ -3807,6 +3807,7 @@ CVE-2023-5642 (Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attac NOT-FOR-US: Advantech R-SeeNet CVE-2023-5632 (In Eclipse Mosquito before and including 2.0.5, establishing a connect ...) - mosquitto 2.0.7-1 + [buster] - mosquitto <not-affected> (The vulnerable code was introduced later) NOTE: https://github.com/eclipse/mosquitto/pull/2053 NOTE: https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d (v2.0.6) CVE-2023-5631 (Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 al ...)
@@ -34856,6 +34857,7 @@ CVE-2023-28368 (TP-Link L2 switch T2600G-28SQ firmware versions prior to 'T2600G CVE-2023-28366 (The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a ...) {DSA-5511-1} - mosquitto 2.0.17-1 + [buster] - mosquitto <ignored> (Minor memory leak which requires rewrite of core functions) NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/ NOTE: https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9 (v2.0.16) NOTE: Regression fix: https://github.com/eclipse/mosquitto/commit/bfb373d774d8530e8d6620776304a3e0b0201793 ===================================== data/dla-needed.txt ===================================== @@ -133,10 +133,6 @@ lwip mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -mosquitto (Markus Koschany) - NOTE: 20230924: Added by Front-Desk (apo) - NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) --- netty (Markus Koschany) NOTE: 20231104: Added by Front-Desk (lamby) NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8a4db919093d6ee4a452964cfa1a3214fc8bd8e3...673a8bc8b99a4dbb09b70c603bde8334982e35bd
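Review bot: in the data/CVE/list hunk at @@ -3807 (CVE-2023-5632), the buster reason "(The vulnerable code was introduced later)" does not cite the commit that introduced the code, even though the commit message names it (https://github.com/eclipse/mosquitto/commit/fabdfcc060432f07595b4a10d4f4fb3d075c64dc). Add it as a NOTE line beside the existing `NOTE: https://github.com/eclipse/mosquitto/pull/2053` so the `<not-affected>` claim can be checked from the tracker data alone, without digging through git history.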
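Review bot: in the data/CVE/list hunk at @@ -34856 (CVE-2023-28366), the buster reason "(Minor memory leak which requires rewrite of core functions)" understates what the commit message records: upstream was unsure whether the buster version is affected at all, the fix needs a rewrite of packet-handling core functions with a high regression risk, and an upgrade to the bullseye version was the alternative considered. The hunk also says "Minor" where the commit message says "potential". Capture that reasoning in a NOTE line next to `NOTE: Regression fix: https://github.com/eclipse/mosquitto/commit/bfb373d774d8530e8d6620776304a3e0b0201793` so the `<ignored>` state can be revisited on the same facts if a later LTS update reopens it.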
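Review bot: in the data/dla-needed.txt hunk at @@ -133, dropping the mosquitto entry is consistent with the two CVE/list changes in this push (buster marked `<not-affected>` for CVE-2023-5632 and `<ignored>` for CVE-2023-28366), but the removed line "NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo)" was the only place the pending question was tracked and dla-needed.txt keeps no history of removed entries. Before merging, confirm no other open mosquitto CVE remains for buster, and record the outcome of the upstream clarification in the corresponding CVE/list NOTE lines rather than only in the commit message.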
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits