Your message dated Sat, 19 Jun 2021 10:56:39 +0100 with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk> and subject line "Closing p-u requests for fixes included in 10.10 point release" has caused the Debian Bug report #988936, regarding buster-pu: package mqtt-client/1.14-1, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
988936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988936
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: 988109@bugs.debian.org
- Subject: buster-pu: package mqtt-client/1.14-1
- From: Abhijith PA <abhijith@debian.org>
- Date: Sat, 22 May 2021 00:03:36 +0530
- Message-id: <YKf9ACtnFNe4nrLX@disroot.org>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: anbe@debian.org

Hello Stable release team,

I would like to update mqtt-client in buster for fixing CVE-2019-0222. It is fixed in stretch, bullseye and sid. Right now stretch-security has a newer version (1.14-1+9u1) than buster, breaking clean upgrades to buster. CVE-2019-0222 is no-dsa, thus using pu. Vcs field URL also updated. Debdiff is attached. Please allow me to upload this fix to Buster.

--abhijith

-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.9.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru mqtt-client-1.14/debian/changelog mqtt-client-1.14/debian/changelog --- mqtt-client-1.14/debian/changelog 2016-07-19 13:30:10.000000000 +0530 +++ mqtt-client-1.14/debian/changelog 2021-05-21 21:59:49.000000000 +0530 @@ -1,3 +1,13 @@ +mqtt-client (1.14-1+deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2019-0222: unmarshalling corrupt MQTT frame can lead to + broker Out of Memory exception making it unresponsive. + (Closes: #988109) + * Update Vcs-* URL in d/control. + + -- Abhijith PA <abhijith@debian.org> Fri, 21 May 2021 21:59:49 +0530 + mqtt-client (1.14-1) unstable; urgency=medium * New upstream release diff -Nru mqtt-client-1.14/debian/control mqtt-client-1.14/debian/control --- mqtt-client-1.14/debian/control 2016-07-19 13:28:53.000000000 +0530 +++ mqtt-client-1.14/debian/control 2021-05-21 21:59:49.000000000 +0530
@@ -10,8 +10,8 @@ libmaven-bundle-plugin-java, maven-debian-helper (>= 1.5) Standards-Version: 3.9.8 -Vcs-Git: https://anonscm.debian.org/git/pkg-java/mqtt-client.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/mqtt-client.git +Vcs-Git: https://salsa.debian.org/java-team/mqtt-client.git +Vcs-Browser: https://salsa.debian.org/java-team/mqtt-client Homepage: http://mqtt-client.fusesource.org Package: libmqtt-client-java diff -Nru mqtt-client-1.14/debian/patches/CVE-2019-0222.patch mqtt-client-1.14/debian/patches/CVE-2019-0222.patch --- mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 1970-01-01 05:30:00.000000000 +0530 +++ mqtt-client-1.14/debian/patches/CVE-2019-0222.patch 2021-05-21 21:59:02.000000000 +0530 
@@ -0,0 +1,21 @@ +Description: CVE-2019-0222 + + unmarshalling corrupt MQTT frame can lead + to broker Out of Memory exception making it unresponsive. + +Author: Abhijith PA <abhijith@debian.org> + +diff --git a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java +index 08fb8391abbbdb365310cda08373b3a7e4befc3e..a0a5e8ee4cec70d37b9c451e9f2bd02010107dfa 100644 +--- a/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java ++++ b/mqtt-client/src/main/java/org/fusesource/mqtt/codec/MessageSupport.java +@@ -62,6 +62,9 @@ public final class MessageSupport { + + static protected UTF8Buffer readUTF(DataByteArrayInputStream is) throws ProtocolException { + int size = is.readUnsignedShort(); ++ if (size < 0) { ++ throw new ProtocolException("Invalid message encoding"); ++ } + Buffer buffer = is.readBuffer(size); + if (buffer == null || buffer.length != size) { + throw new ProtocolException("Invalid message encoding"); diff -Nru mqtt-client-1.14/debian/patches/series mqtt-client-1.14/debian/patches/series --- mqtt-client-1.14/debian/patches/series 1970-01-01 05:30:00.000000000 +0530 +++ mqtt-client-1.14/debian/patches/series 2021-05-21 21:59:02.000000000 +0530 @@ -0,0 +1 @@ +CVE-2019-0222.patchAttachment: signature.asc
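Review bot: In the readUTF hunk of CVE-2019-0222.patch, the added guard `if (size < 0)` can never fire: `size` is the result of `is.readUnsignedShort()`, which by the DataInput contract is always in the range 0..65535, so the three new lines are dead code and the only check that actually rejects a corrupt length is the pre-existing `if (buffer == null || buffer.length != size)` test. Either state in the patch Description which input this guard is meant to reject, or replace it with a condition that can fail for the described corrupt-frame case (for example, comparing the declared `size` against the bytes still available in the frame before calling `is.readBuffer(size)`). The DEP-3 header of this file also carries only Description and Author, with no Origin, Bug or Forwarded field, so a reviewer cannot confirm that the change matches the upstream fix for this CVE; adding the upstream commit URL as Origin would make that verifiable.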
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 934206-done@bugs.debian.org, 982996-done@bugs.debian.org, 983110-done@bugs.debian.org, 984604-done@bugs.debian.org, 985791-done@bugs.debian.org, 985792-done@bugs.debian.org, 985943-done@bugs.debian.org, 986001-done@bugs.debian.org, 986014-done@bugs.debian.org, 986112-done@bugs.debian.org, 986224-done@bugs.debian.org, 986673-done@bugs.debian.org, 987038-done@bugs.debian.org, 987042-done@bugs.debian.org, 987048-done@bugs.debian.org, 987164-done@bugs.debian.org, 987210-done@bugs.debian.org, 987246-done@bugs.debian.org, 987489-done@bugs.debian.org, 987494-done@bugs.debian.org, 987529-done@bugs.debian.org, 987531-done@bugs.debian.org, 987548-done@bugs.debian.org, 987719-done@bugs.debian.org, 987725-done@bugs.debian.org, 987726-done@bugs.debian.org, 987731-done@bugs.debian.org, 987859-done@bugs.debian.org, 987958-done@bugs.debian.org, 988255-done@bugs.debian.org, 988314-done@bugs.debian.org, 988365-done@bugs.debian.org, 988453-done@bugs.debian.org, 988454-done@bugs.debian.org, 988455-done@bugs.debian.org, 988482-done@bugs.debian.org, 988492-done@bugs.debian.org, 988508-done@bugs.debian.org, 988936-done@bugs.debian.org, 988962-done@bugs.debian.org, 988974-done@bugs.debian.org, 988977-done@bugs.debian.org, 989023-done@bugs.debian.org, 989024-done@bugs.debian.org, 989129-done@bugs.debian.org, 989132-done@bugs.debian.org, 989420-done@bugs.debian.org, 989422-done@bugs.debian.org, 989509-done@bugs.debian.org, 989623-done@bugs.debian.org, 989668-done@bugs.debian.org, 989701-done@bugs.debian.org, 989702-done@bugs.debian.org, 989768-done@bugs.debian.org, 989772-done@bugs.debian.org
- Subject: Closing p-u requests for fixes included in 10.10 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 19 Jun 2021 10:56:39 +0100
- Message-id: <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10 point release today.

Regards,

Adam
--- End Message ---