[Git][security-tracker-team/security-tracker][master] Add some mongoose CVEs affecting swupdate

Bastian Germann (@bage) bage at debian.org
Mon May 11 18:43:14 BST 2026



Bastian Germann pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ba2a6c06 by Bastian Germann at 2026-05-11T19:43:01+02:00
Add some mongoose CVEs affecting swupdate

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -80116,6 +80116,7 @@ CVE-2025-65503 (Use after free in endpoint destructors in Redboltz async_mqtt 10
 	NOT-FOR-US: Redboltz async_mqtt
 CVE-2025-65502 (Null pointer dereference in add_ca_certs() in Cesanta Mongoose before  ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2025.12+dfsg-1
 	NOTE: https://github.com/cesanta/mongoose/issues/3306
 	NOTE: https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2 (7.20)
 CVE-2025-65501 (Null pointer dereference in coap_dtls_info_callback() in OISM libcoap  ...)
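Review bot: the new `- swupdate 2025.12+dfsg-1` line marks the fixed version but nothing in the entry records why swupdate is affected at all; the mongoose line carries NOTEs pointing at issue 3306 and the 7.20 fix commit, yet there is no note that swupdate embeds a copy of mongoose. A NOTE in the style of the `smplayer embeds a copy` lines used elsewhere in this file (for example `NOTE: swupdate embeds a copy of mongoose`) would let a future triager see how the link was established, and if a Debian bug was filed a `(bug #...)` reference as on the undertow line would help too.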
@@ -314142,6 +314143,7 @@ CVE-2023-33934 (Improper Input Validation vulnerability in Apache Software Found
 	NOTE: https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc
 CVE-2023-2905 (Due to a failure in validating the length of a provided MQTT_CMD_PUBLI ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2024.12+dfsg-1
 CVE-2023-3223 (A flaw was found in undertow. Servlets annotated with @MultipartConfig ...)
 	- undertow 2.3.18-1 (bug #1054893)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209689
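Review bot: for CVE-2023-2905 the added `- swupdate 2024.12+dfsg-1` goes into an entry that has no NOTE pointing at the upstream fix, unlike the neighbouring mongoose entries that cite the fixing commit and release (7.10, 7.20, 7.1). Without that pointer there is no visible way to check that the mongoose copy shipped in swupdate 2024.12 actually contains the MQTT_CMD_PUBLISH length fix; suggest adding the upstream commit or first fixed mongoose release as a NOTE.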
@@ -320281,6 +320283,7 @@ CVE-2023-34203 (In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge
 	NOT-FOR-US: Progress OpenEdge OEM
 CVE-2023-34188 (The HTTP server in Mongoose before 7.10 accepts requests containing ne ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2024.12+dfsg-1
 	NOTE: https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f (7.10)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2023-34021 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moy ...)
@@ -490773,16 +490776,19 @@ CVE-2021-26531
 	RESERVED
 CVE-2021-26530 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compile ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2022.12+dfsg-1
 	NOTE: https://github.com/cesanta/mongoose/issues/1204
 	NOTE: https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2021-26529 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7- ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2022.12+dfsg-1
 	NOTE: https://github.com/cesanta/mongoose/issues/1203
 	NOTE: https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2021-26528 (The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2022.12+dfsg-1
 	NOTE: https://github.com/cesanta/mongoose/issues/1203
 	NOTE: https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
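Review bot: the three entries in this hunk all get the same `- swupdate 2022.12+dfsg-1`, which is consistent with their shared upstream fix commit 8e520756 (7.1); since the same fixed version is reused for the 2020 CVEs in the following hunks, recording once which mongoose release swupdate 2022.12 bundles would save re-deriving it later. While here, CVE-2021-26528 and CVE-2021-26529 both point at issue 1203 whereas CVE-2021-26530 points at 1204; worth confirming that the 26528 link is the intended one.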
@@ -524165,6 +524171,7 @@ CVE-2020-25888
 	RESERVED
 CVE-2020-25887 (Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when r ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2022.12+dfsg-1
 	NOTE: https://github.com/cesanta/mongoose/issues/1140
 CVE-2020-25886
 	RESERVED
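Review bot: the CVE-2020-25887 entry carries only the upstream issue link (issue 1140) and no fixing commit or release, so the basis for `- swupdate 2022.12+dfsg-1` is not visible from the entry; the same applies to CVE-2020-25756 (issue 1135) in the next hunk. Adding the first mongoose release containing each fix as a NOTE, as the 7.1/7.10/7.20 entries do, would make the swupdate fixed version verifiable.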
@@ -524500,6 +524507,7 @@ CVE-2020-25757 (A lack of input validation and access controls in Lua CGIs on D-
 	NOT-FOR-US: D-Link
 CVE-2020-25756 (A buffer overflow vulnerability exists in the mg_get_http_header funct ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2022.12+dfsg-1
 	NOTE: https://github.com/cesanta/mongoose/issues/1135
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2020-25755 (An issue was discovered on Enphase Envoy R3.x and D4.x (and other curr ...)
@@ -586772,6 +586780,7 @@ CVE-2019-19308 (In text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.
 	NOTE: Crash in GUI tool, no security impact
 CVE-2019-19307 (An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6. ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2021.04-1
 	NOTE: https://github.com/cesanta/mongoose/issues/1055
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2019-19306 (The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via m ...)
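Review bot: `- swupdate 2021.04-1` has no `+dfsg` component while every later fixed version in this change (2022.12+dfsg-1, 2024.12+dfsg-1, 2025.12+dfsg-1) does; confirm this string matches the version of the actual 2021.04 upload rather than the upstream version, since the tracker compares against archive version strings. The same version is reused for CVE-2019-13503 and CVE-2019-12951 below.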
@@ -608467,6 +608476,7 @@ CVE-2019-13504 (There is an out-of-bounds read in Exiv2::MrwImage::readMetadata
 	NOTE: https://github.com/Exiv2/exiv2/commit/54f0bebca032d0286a0e48f47e67dfc6141fedff
 CVE-2019-13503 (mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer o ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2021.04-1
 	NOTE: https://github.com/cesanta/mongoose/pull/1035
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2019-13502
@@ -610072,6 +610082,7 @@ CVE-2019-12952
 	RESERVED
 CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt() func ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
+	- swupdate 2021.04-1
 	NOTE: https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb (6.15)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2019-12950 (An issue was discovered in TeamPass 2.1.27.35. From the sources/items. ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba2a6c06737b88b6063da2b52e0eaec93b208869
