Re: [mosquitto-dev] How to address CVE-2023-28366 in older versions of mosquitto

Hi Markus,

Recently the maintainership of Mosquitto in Debian was taken over by the Debian IoT team: https://packages.qa.debian.org/m/mosquitto.html

I'm not sure about backporting to 1.5.x, as has been mentioned it's a pretty old release now and there have been lots of changes.

With regards to supporting old releases, I've taken the view that I'll make a best effort to support versions that are in currently supported distributions, but with no guarantees. I've taken "currently supported" to mean main lifetime support, not extended-type support like Debian LTS or Ubuntu extended support. Unless it's easy, of course.

I can take a look if you think it's particularly important to support this version.

Regards,

Roger

On Tue, 10 Oct 2023, 13:57 Markus Koschany via mosquitto-dev, <mosquitto-dev@xxxxxxxxxxx> wrote:
Hi all,

@Roger

Thanks for your help and for pointing out the fixing commits for the recent
CVE. I believe I have addressed them in Debian stable and oldstable already.
Now I am looking to fix Debian Buster as well which ships mosquitto 1.5.7.

Apparently 1.5.7 is affected by CVE-2023-28366 but the code base is quite
different. Is there a less intrusive way to address this problem? Is there a
sensible workaround available or should I just ignore the issue? Another
possible idea is to backport 2.0.11 from Debian oldstable. What would you
recommend as the maintainer of mosquitto in Debian?

Regards,

Markus
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev