This bug was fixed in the package mosquitto - 1.4.10-2ubuntu0.2
---
mosquitto (1.4.10-2ubuntu0.2) zesty-security; urgency=low
* SECURITY UPDATE: Persistence file is world readable, which may expose
sensitive data (LP: #1700490).
-

Ok, thanks for the changes.
I've done build and runtime tests of the patches.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700490
Title:
Persistence file is world readable
To manage

Hi Roger - The debdiffs looked pretty good to me. IIRC, I only had to
make two small changes:
1) The Trusty debdiff's changelog entry didn't reference this bug
2) The Zesty debdiff's version needed to be adjusted from 1.4.10-1ubuntu0.2 to
1.4.10-2ubuntu0.2
I've uploaded the packages to the

A fair point... The only files that mosquitto can create are a pid file
(if created then occurring before this call to umask), the persistence
file and log files. Having the log files readable by all would probably
be a bad thing as well.
--
Hello Roger, does this persistence happen in a process dedicated to
persistence? If not I fear this may introduce a regression by not
putting the umask back afterwards.
(Granted the POSIX interfaces for this are pretty crummy.)
Thanks
--
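The umask question raised in the two messages above, as an added C example (not mosquitto's code and not the patch attached to this bug): one writer tightens the process umask and restores it afterwards, the other leaves umask alone and sets the mode on the file descriptor. The function names and the sample file name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat()ed. */
int file_mode(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Approach 1: tighten the process umask around the write, then restore it.
 * umask is process-wide, so other threads creating files in this window
 * are affected too; it also only applies when the file is created. */
int write_with_umask(const char *path, const void *buf, size_t len) {
    mode_t old = umask(0077);           /* new files: at most 0600 */
    FILE *f = fopen(path, "wb");
    int rc = -1;
    if (f) {
        rc = (fwrite(buf, 1, len, f) == len) ? 0 : -1;
        if (fclose(f) != 0) rc = -1;
    }
    umask(old);                         /* put the caller's umask back */
    return rc;
}

/* Approach 2: leave umask alone and request the mode explicitly.
 * fchmod() also tightens a file that already existed with looser bits. */
int write_with_mode(const char *path, const void *buf, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int rc = (fchmod(fd, 0600) == 0 &&
              write(fd, buf, len) == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0) rc = -1;
    return rc;
}

int main(void) {
    const char *path = "persistence-demo.db";   /* constructed sample name */
    umask(0022);                                /* common default umask */
    if (write_with_umask(path, "state", 5) != 0) return 1;
    printf("%s mode %04o\n", path, file_mode(path));
    return unlink(path) != 0;
}
```

A file that already exists with looser permissions keeps them under the umask approach, because umask is only consulted at creation time; the fchmod() variant corrects such a file on the next write.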
Artful is also affected, but I'm going to fix that with a new upstream
release.
** Changed in: mosquitto (Ubuntu)
Status: New => Confirmed
--
** Patch added: "yakkety-cve-2017-9868.debdiff"
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1700490/+attachment/4903459/+files/yakkety-cve-2017-9868.debdiff
--
** Patch added: "xenial-cve-2017-9868.debdiff"
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1700490/+attachment/4903458/+files/xenial-cve-2017-9868.debdiff
--
** Patch added: "zesty-cve-2017-9868.debdiff"
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1700490/+attachment/4903460/+files/zesty-cve-2017-9868.debdiff
--
** Patch added: "trusty-cve-2017-9868.debdiff"
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1700490/+attachment/4903457/+files/trusty-cve-2017-9868.debdiff