[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-0222 and associate mqtt-client

Salvatore Bonaccorso carnil at debian.org
Mon Mar 1 05:40:18 GMT 2021



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8c855b86 by Salvatore Bonaccorso at 2021-03-01T06:37:58+01:00
Update information on CVE-2019-0222 and associate mqtt-client

activemq upstream included the mqtt-client library in the lib/extra
directory but in Debian we use the external src:mqtt-client accordingly.

The history is a bit involved as at first activemq disabled MQTT
support, later on enabled it and depended on the mqtt-client provided
packages.

Associate now the CVE with mqtt-client where the issue got fixed.

Thanks: Abhijith PA for spotting the issue.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -155264,11 +155264,13 @@ CVE-2019-0223 (While investigating bug PROTON-2014, we discovered that under som
 	NOTE: not present in the jessie version. That part do not seem to be essential for
 	NOTE: the package to be vulnerable.
 CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame ca ...)
-	- activemq 5.15.9-1 (bug #925964)
-	[buster] - activemq <no-dsa> (Minor issue)
-	[stretch] - activemq <no-dsa> (Minor issue)
+	- activemq 5.15.9-1 (bug #925964; unimportant)
 	[jessie] - activemq <not-affected> (MQTT support not enabled)
+	- mqtt-client 1.16-1
 	NOTE: http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
+	NOTE: activemq disabled MQTT transport in 5.6.0+dfsg-1 (d/patches/exclude_mqtt.diff)
+	NOTE: but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external mqtt-client.
+	NOTE: https://github.com/fusesource/mqtt-client/commit/2898f10be758decdc85ba6c523cb5be6b9092855 (mqtt-client-project-1.15)
 CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0  ...)
 	{DSA-4596-1 DLA-1883-1 DLA-1810-1}
 	- tomcat9 9.0.16-4 (bug #929895)
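Review bot: the new `- mqtt-client 1.16-1` line carries no per-suite annotation, while the removed `[buster] - activemq <no-dsa>` and `[stretch] - activemq <no-dsa>` lines are not carried over to mqtt-client, so the buster and stretch status of the package the CVE is now tracked against is left undetermined; add matching `[buster]`/`[stretch] - mqtt-client` entries, or a NOTE stating why none is needed. The final NOTE cites the upstream fix at tag mqtt-client-project-1.15 while the fixed Debian version is recorded as 1.16-1; a short NOTE on why 1.15 is not the fixed version would save the next reader from re-checking the changelog.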



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c855b8644a045d10341e3dc18a429971e604921


