mosquitto: CVE-2017-7654

Related Vulnerabilities: CVE-2017-7654   CVE-2017-7653  

Debian Bug report logs - #911265

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 17 Oct 2018 20:09:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version mosquitto/1.4.10-1

Fixed in versions mosquitto/1.4.10-3+deb9u2, mosquitto/1.5.4-1

Done: roger@atchoo.org (Roger A. Light)

Bug is archived. No further changes may be made.

Forwarded to https://bugs.eclipse.org/bugs/show_bug.cgi?id=533493



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Roger A. Light <roger@atchoo.org>:
Bug#911265; Package src:mosquitto. (Wed, 17 Oct 2018 20:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Roger A. Light <roger@atchoo.org>. (Wed, 17 Oct 2018 20:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mosquitto: CVE-2017-7654
Date: Wed, 17 Oct 2018 22:05:17 +0200
Source: mosquitto
Version: 1.4.10-1
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.eclipse.org/bugs/show_bug.cgi?id=533493

Hi,

The following vulnerability was published for mosquitto.

Filing with RC severity as it will be fixed in a DSA, and needs to be
fixed before buster release in unstable/testing as well.

CVE-2017-7654[0]:
| In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability
| was found within the Mosquitto Broker. Unauthenticated clients can
| send crafted CONNECT packets which could cause a denial of service in
| the Mosquitto Broker.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7654
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=533493
[2] https://github.com/eclipse/mosquitto/commit/51ec5601c2ec523bf2973fdc1eca77335eafb8de

Regards,
Salvatore



Marked as fixed in versions mosquitto/1.4.10-3+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Oct 2018 11:33:07 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Oct 2018 11:33:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 27 Oct 2018 11:33:08 GMT)


Reply sent to roger@atchoo.org (Roger A. Light):
You have taken responsibility. (Fri, 23 Nov 2018 21:42:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 23 Nov 2018 21:42:09 GMT)


Message #16 received at 911265-close@bugs.debian.org:

From: roger@atchoo.org (Roger A. Light)
To: 911265-close@bugs.debian.org
Subject: Bug#911265: fixed in mosquitto 1.5.4-1
Date: Fri, 23 Nov 2018 21:39:29 +0000
Source: mosquitto
Source-Version: 1.5.4-1

We believe that the bug you reported is fixed in the latest version of
mosquitto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roger A. Light <roger@atchoo.org> (supplier of updated mosquitto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 08 Nov 2018 13:34:59 +0000
Source: mosquitto
Binary: mosquitto mosquitto-dev libmosquitto1 libmosquitto-dev libmosquittopp1 libmosquittopp-dev mosquitto-clients
Architecture: source
Version: 1.5.4-1
Distribution: unstable
Urgency: medium
Maintainer: Roger A. Light <roger@atchoo.org>
Changed-By: Roger A. Light <roger@atchoo.org>
Description:
 libmosquitto-dev - MQTT version 3.1/3.1.1 client library, development files
 libmosquitto1 - MQTT version 3.1/3.1.1 client library
 libmosquittopp-dev - MQTT version 3.1 client C++ library, development files
 libmosquittopp1 - MQTT version 3.1/3.1.1 client C++ library
 mosquitto  - MQTT version 3.1/3.1.1 compatible message broker
 mosquitto-clients - Mosquitto command line MQTT clients
 mosquitto-dev - Development files for Mosquitto
Closes: 901424 911104 911265 911266
Changes:
 mosquitto (1.5.4-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #911104).
     - Fixes CVE-2017-7654 (Closes: #911265)
     - Fixes CVE-2017-7653 (Closes: #911266)
   * Remove no longer needed patches. Some are integrated into upstream, others
     have been replaced with changes in rules.
     - async_dns.patch
     - build-timestamp.patch
     - disable-in-tree-uthash.patch
     - enable-libwrap.patch
     - enable-websockets.patch
     - fix-prefix.patch
     - hurd-errno.patch
     - libdir.patch
     - nostrip.patch
   * Copyright fix - src/uthash.h -> src/deps/uthash.h
   * Update symbols files with new additions.
   * Remove debian/mosquitto.prerm
     - Calls to invoke-rc.d to stop mosquitto will be inserted automagically by
       debhelper.
   * Stop removing the mosquitto user in postrm.
     - This is not safe since there might still be logs (and other files?)
       around owned by the uid, so we don't want it reused for a new user.
   * Add build dependency on libsystemd-dev.
   * Enable systemd build support.
   * Ship the mosquitto.service file (with sd-notify support)
   * Drop -dbg packages and do -dbgsym migration.
   * libmosquitto{,pp}-dev: ship libmosquitto{,pp}.pc respectively.
   * Remove unused build dependency on python-all. (Closes: #901424).
   * Bump standards version to 4.2.1, no changes needed.
   * Bumped dh compat level to 11.
   * Add upstream/metadata.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 22 Dec 2018 07:31:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:07:17 2019; Machine Name: buxtehude
