[mosquitto-dev] Antw: mosquitto-dev Digest, Vol 112, Issue 7 (Out-of-office notification)

Thank you for your message.

July 31st 2023 is my last day at ivESK / Offenburg University. I cannot access my emails after this date anymore. 

Your message will not be forwarded.

You may contact me after July 31st 2023 at andreas.walz.hso@xxxxxxxxx.

Best regards
Andreas Walz

>>> <mosquitto-dev-request@xxxxxxxxxxx> 13.10.23 18:00 >>>

Send mosquitto-dev mailing list submissions to
	mosquitto-dev@xxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.eclipse.org/mailman/listinfo/mosquitto-dev
or, via email, send a message with subject or body 'help' to
	mosquitto-dev-request@xxxxxxxxxxx

You can reach the person managing the list at
	mosquitto-dev-owner@xxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of mosquitto-dev digest..."


Today's Topics:

   1. Re: How to address CVE-2023-28366 in older versions of
      mosquitto (Roger Light)


----------------------------------------------------------------------

Message: 1
Date: Fri, 13 Oct 2023 15:46:14 +0100
From: Roger Light <roger@xxxxxxxxxx>
To: General development discussions for the mosquitto project
	<mosquitto-dev@xxxxxxxxxxx>
Subject: Re: [mosquitto-dev] How to address CVE-2023-28366 in older
	versions of mosquitto
Message-ID:
	<CAH7zdyfz5WBypJjbCrHpGG2dLjxeLXLeVTFhPWSpFA9iebnOvQ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hi Markus,

Recently the maintainership of Mosquitto in Debian was taken over by the
Debian IoT team: https://packages.qa.debian.org/m/mosquitto.html

I'm not sure about backporting to 1.5.x, as has been mentioned it's a
pretty old release now and there have been lots of changes.

With regard to supporting old releases, I've taken the view that I'll make a
best effort to support versions that are in currently supported
distributions, but with no guarantees. I've taken "currently supported" to
mean main lifetime support, not extended type support like Debian LTS or
Ubuntu extended support. Unless it's easy of course.

I can take a look if you think it's particularly important to support this
version.

Regards,

Roger

On Tue, 10 Oct 2023, 13:57 Markus Koschany via mosquitto-dev, <
mosquitto-dev@xxxxxxxxxxx> wrote:

> Hi all,
>
> @Roger
>
> Thanks for your help and for pointing out the fixing commits for the recent
> CVE. I believe I have addressed them in Debian stable and oldstable
> already.
> Now I am looking to fix Debian Buster as well which ships mosquitto 1.5.7.
>
> Apparently 1.5.7 is affected by CVE-2023-28366 but the code base is quite
> different. Is there a less intrusive way to address this problem? Is there a
> sensible workaround available or should I just ignore the issue? Another
> possible idea is to backport 2.0.11 from Debian oldstable. What would you
> recommend as the maintainer of mosquitto in Debian?
>
> Regards,
>
> Markus

------------------------------

End of mosquitto-dev Digest, Vol 112, Issue 7
*********************************************


