[mosquitto-dev] How to address CVE-2023-28366 in older versions of mosquitto

Hi all,

@Roger

Thanks for your help and for pointing out the fixing commits for the recent
CVE. I believe I have addressed them in Debian stable and oldstable already.
Now I am looking to fix Debian Buster as well, which ships mosquitto 1.5.7.

Apparently 1.5.7 is affected by CVE-2023-28366 but the code base is quite
different. Is there a less intrusive way to address this problem? Is there a
sensible workaround available or should I just ignore the issue? Another
possible idea is to backport 2.0.11 from Debian oldstable. What would you
recommend as the maintainer of mosquitto in Debian?

Regards,

Markus
