[mosquitto-dev] CVE status?

I have started maintaining an entry for mosquitto in pkgsrc, a multi-os
multi-version multi-arch packaging system.  I have updated to 1.5.1
(thanks for integrating the NetBSD patches) and reduced the TODO list
considerably.

It seems there are two CVEs:

 https://nvd.nist.gov/vuln/detail/CVE-2017-7653
 https://nvd.nist.gov/vuln/detail/CVE-2017-7654
and I don't see them referenced in the Changelog.

Is this entry:

  - Fix memory leak that could be caused by a malicious CONNECT packet. This
    does not yet have a CVE assigned. Closes #533493 (on Eclipse bugtracker)

about 2017-7654?

What's the status of 2017-7653?  I see something about a function to
check for valid UTF-8 in the 1.5.0 changelog, but it doesn't address the
CVE entry.

It would be nice to adjust Changelog.txt in git master to address the
question of whether the CVEs are fully resolved (even though that can't
change the release tarballs).

Thanks,
Greg
