Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 8c855b86 by Salvatore Bonaccorso at 2021-03-01T06:37:58+01:00 Update information on CVE-2019-0222 and associate mqtt-client activemq upstream included the mqtt-client library in the lib/extra directory but in Debian we use the external src:mqtt-client accordngly. The history is a bit involving at at first activemq disabled MQTT support, later on enabled it and depending on the mqtt-client provided packages. Associate now the CVE with mqtt-client where the issue got fixed. Thanks: Abhijith PA for spotting the issue. - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -155264,11 +155264,13 @@ CVE-2019-0223 (While investigating bug PROTON-2014, we discovered that under som NOTE: not present in the jessie version. That part do not seem to be essential for NOTE: the package to be vulnerable. CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame ca ...) - - activemq 5.15.9-1 (bug #925964) - [buster] - activemq <no-dsa> (Minor issue) - [stretch] - activemq <no-dsa> (Minor issue) + - activemq 5.15.9-1 (bug #925964; unimportant) [jessie] - activemq <not-affected> (MQTT support not enabled) + - mqtt-client 1.16-1 NOTE: http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt + NOTE: activemq disabled MQTT transport in 5.6.0+dfsg-1 (d/patches/exclude_mqtt.diff) + NOTE: but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external mqtt-client. + NOTE: https://github.com/fusesource/mqtt-client/commit/2898f10be758decdc85ba6c523cb5be6b9092855 (mqtt-client-project-1.15) CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 ...) {DSA-4596-1 DLA-1883-1 DLA-1810-1} - tomcat9 9.0.16-4 (bug #929895) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c855b8644a045d10341e3dc18a429971e604921 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c855b8644a045d10341e3dc18a429971e604921 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits