[Git][security-tracker-team/security-tracker][master] 3 commits: Remove mosquitto from dla-needed.txt

Markus Koschany (@apo) apo at debian.org
Fri Nov 10 01:18:26 GMT 2023



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
09a3a1a9 by Markus Koschany at 2023-11-10T02:02:52+01:00
Remove mosquitto from dla-needed.txt

- - - - -
853f87ec by Markus Koschany at 2023-11-10T02:03:45+01:00
CVE-2023-5632,mosquitto: buster is not affected

The vulnerable code was introduced two years later with

https://github.com/eclipse/mosquitto/commit/fabdfcc060432f07595b4a10d4f4fb3d075c64dc#diff-0c14597a927dfee68f01aabb70f76e8d1191380e890978a1cc263855478d6138

- - - - -
673a8bc8 by Markus Koschany at 2023-11-10T02:07:22+01:00
CVE-2023-28366,mosquitto: mark buster as ignored

This potential memory leak requires a rewrite of packet handling core
functions. Upstream was unsure whether the buster version is affected but did not
intend to fix such an old version anyway. It seems mosquitto is ABI
stable between 1.5 and 2.x but that does not imply configuration options behave
identically. The risk of regressions is thus rather high. An upgrade to the
version in Bullseye would be a more sensible approach because this version has
excellent test coverage though. At the moment I tend to ignore this problem
because of the regression risks involved.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3807,6 +3807,7 @@ CVE-2023-5642 (Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attac
 	NOT-FOR-US: Advantech R-SeeNet
 CVE-2023-5632 (In Eclipse Mosquito before and including 2.0.5, establishing a connect ...)
 	- mosquitto 2.0.7-1
+	[buster] - mosquitto <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://github.com/eclipse/mosquitto/pull/2053
 	NOTE: https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d (v2.0.6)
 CVE-2023-5631 (Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 al ...)
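Review bot: the `<not-affected>` justification on the new [buster] line says only that the vulnerable code was introduced later, but the entry does not record which commit introduced it; the commit message names https://github.com/eclipse/mosquitto/commit/fabdfcc060432f07595b4a10d4f4fb3d075c64dc, so consider adding it as a NOTE line next to the existing fix-commit NOTE (e.g. `NOTE: Introduced by: https://github.com/eclipse/mosquitto/commit/fabdfcc060432f07595b4a10d4f4fb3d075c64dc`) so the triage can be re-verified without digging through git history.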
@@ -34856,6 +34857,7 @@ CVE-2023-28368 (TP-Link L2 switch T2600G-28SQ firmware versions prior to 'T2600G
 CVE-2023-28366 (The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a  ...)
 	{DSA-5511-1}
 	- mosquitto 2.0.17-1
+	[buster] - mosquitto <ignored> (Minor memory leak which requires rewrite of core functions)
 	NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/
 	NOTE: https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9 (v2.0.16)
 	NOTE: Regression fix: https://github.com/eclipse/mosquitto/commit/bfb373d774d8530e8d6620776304a3e0b0201793
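Review bot: the `<ignored>` justification on the new [buster] line cites only the leak's severity and the required rewrite, while the commit message gives the decisive reasons as the high regression risk and the fact that upstream could not confirm buster is affected at all; consider folding those into the parenthesised reason, e.g. `(Minor memory leak; fix requires rewrite of core packet handling, high regression risk; upstream unsure buster is affected)`, so a later reviewer can tell whether the ignore should be revisited if affectedness is confirmed.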


=====================================
data/dla-needed.txt
=====================================
@@ -133,10 +133,6 @@ lwip
 mediawiki (guilhem)
   NOTE: 20231011: Added by Front-Desk (ta)
 --
-mosquitto (Markus Koschany)
-  NOTE: 20230924: Added by Front-Desk (apo)
-  NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo)
---
 netty (Markus Koschany)
   NOTE: 20231104: Added by Front-Desk (lamby)
   NOTE: 20231104: For, at least, CVE-2023-44487. (lamby)
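Review bot: the removal is consistent with the two data/CVE/list annotations in this series (CVE-2023-5632 marked not-affected, CVE-2023-28366 marked ignored for buster), and the entry's trailing `--` separator is deleted together with it, so the file's entry delimiters stay balanced; no further change needed.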



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8a4db919093d6ee4a452964cfa1a3214fc8bd8e3...673a8bc8b99a4dbb09b70c603bde8334982e35bd


