Date: Sat, 24 Jul 2021 17:04:35 GMT From: Craig Leres <leres@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 5baee87529e4 - main - security/vuxml: Mark mosquitto >= 2.0.0, < 2.0.10 vulnerable as per: Message-ID: <202107241704.16OH4ZZL025083@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by leres: URL: https://cgit.FreeBSD.org/ports/commit/?id=5baee87529e462e477cd6a1685cf3ad201ce332a commit 5baee87529e462e477cd6a1685cf3ad201ce332a Author: Craig Leres <leres@FreeBSD.org> AuthorDate: 2021-07-24 16:59:42 +0000 Commit: Craig Leres <leres@FreeBSD.org> CommitDate: 2021-07-24 16:59:42 +0000 security/vuxml: Mark mosquitto >= 2.0.0, < 2.0.10 vulnerable as per: https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt - If an authenticated client connected with MQTT v5 sent a malformed CONNACK message to the broker a NULL pointer dereference occurred, most likely resulting in a segfault. PR: 255229 Reported by: Daniel Engberg --- security/vuxml/vuln-2021.xml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index f8bb8cf5a2b4..b10f789df286 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,34 @@ + <vuln vid="cc553d79-e1f0-4b94-89f2-bacad42ee826"> + <topic>mosquitto -- NULL pointer dereference</topic> + <affects> + <package> + <name>mosquitto</name> + <range><ge>2.0.0</ge><lt>2.0.10</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Roger Light reports:</p> + <blockquote cite="https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt"> + <p>If an authenticated client connected with MQTT v5 sent + a malformed CONNACK message to the broker a NULL pointer + dereference occurred, most likely resulting in a + segfault.</p> + <p>(Note: a CVE is referenced in the github commit but it + appears to be for a python-bleach vulnerability so it is + not included here.)</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt</url> + </references> + <dates> + <discovery>2021-04-10</discovery> + <entry>2021-07-24</entry> + </dates> + </vuln> + <vuln vid="92ad12b8-ec09-11eb-aef1-0897988a1c07"> <topic>pjsip -- Race condition in SSL socket server</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202107241704.16OH4ZZL025083>