Re: [SECURITY] [DLA 1334-1] mosquitto security update

[Ola Lundqvist <ola@inguza.com>]

Hi Thorsten

I have not seen an email about that this package has been accepted by the FTP archieve, neither can I find the fixed version in the archives. Can you please check what went wrong?

In addition I think something have went wrong in the security tracker database because the two CVEs are listed as unfixed. Can you check that as well?

ola@tigereye:~/git/security-tracker$ bin/lts-cve-triage.py --skip-dla-needed --exclude undetermined
Updating ~/.cache/debian_security_tracker.json from https://security-tracker.debian.org/tracker/data/json ...
Updating /home/ola/.cache/security-support-ended.deb7 from https://salsa.debian.org/debian/debian-security-support/raw/master/security-support-ended.deb7 ...
Updating /home/ola/.cache/security-support-limited from https://salsa.debian.org/debian/debian-security-support/raw/master/security-support-limited ...
Other issues to triage for wheezy (not yet triaged for jessie):
* mosquitto                            https://security-tracker.debian.org/tracker/source-package/mosquitto
  - CVE-2017-7651     https://security-tracker.debian.org/tracker/CVE-2017-7651
  - CVE-2017-7652     https://security-tracker.debian.org/tracker/CVE-2017-7652

Thanks in advance

// Ola

On 31 March 2018 at 20:24, Thorsten Alteholz <debian@alteholz.de> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : mosquitto
Version        : 0.15-2+deb7u3
CVE ID         : CVE-2017-7651 CVE-2017-7652


CVE-2017-7651
     A crafted CONNECT packet from an unauthenticated client could
     result in extraordinary memory consumption.

CVE-2017-7652
     In case all sockets/file descriptors are exhausted, a SIGHUP
     signal to reload the configuration could result in default
     config values (especially bad security settings)


For Debian 7 "Wheezy", these problems have been fixed in version
0.15-2+deb7u3.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJav9JTXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHXJIQALUMNe9NaCPBKQaTJE3sKo2v
1CIAzcoTwZJzUr/x8zM8Bnompi7kh5j2V4G4GjJyJ31LZheDxRH/k35t1Ba6PAtl
TkTRgO/PVoJKYHIfyUinNvqzsXFpAzld08w5sVlA7zzxmnm6Ppwwdpk6g2hSIoSG
1Z5STvO6eJLiK8u6hXgkqyaY/4eKlfbTe+Fkd35LzoqJPEHNyLHDBsNQk8/VO1xn
3aNjsU7kc07n/qofFKcWZrlSt6L8Q+ucmHeinwOKT8r/H7/DxXr3yqQqXJ/C+/n+
cwjX5KTng5eEy27WmHv41oamaty4qmlM1uf/yX48th8FQdV6AV7uRK2Y+AKsat04
VaZdTBk4AZKn8u7A9jypqoILhU97SJyVO1jvO5Cqe2lP4OrT9J86MWDs496ZtQEb
4Qi6M76LueYoo7iggv67ATQKwXpARS3J8fMEo+0xBC+Oa76m016eotPkUdRpmmMC
08BSzI2tuQG3i4gbbz96u5bhCyGauFcjnWsTHD97MgCGz9LfBywkrk4eippp/sIF
rJMsYNJMfiJfB2L7f2dZ+heinTjM1x4KfKf+LceZiNcHy6SNycUFD0YLs9ZxvK90
/o5Diq8tjlCl6lxr4A3swvl3xxlpC+M9XuPgfWIsnWxKIQ6J+1Qmv4f6RVfNHAJc
cys3l3XIVUAWhqkkuvaF
=qQYi
-----END PGP SIGNATURE-----

--

 --- Inguza Technology AB --- MSc in Information Technology ----

/  ola@inguza.com                    Folkebogatan 26            \

|  opal@debian.org                   654 68 KARLSTAD            |

|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

 ---------------------------------------------------------------