Re: [mosquitto-dev] How to address CVE-2023-28366 in older versions of mosquitto

Hi Roger,

On Friday, 13.10.2023 at 15:46 +0100, Roger Light wrote:
> Hi Markus,
> 
> Recently the maintainership of Mosquitto in Debian was taken over by the
> Debian IoT team: https://packages.qa.debian.org/m/mosquitto.html

thanks for the heads-up. I noticed that you are still listed as one of the
Uploaders though. Maybe you should ask one of the IoT team members to remove
you, just in case, or someone like me might come along again and ask questions.
:)

> I'm not sure about backporting to 1.5.x, as has been mentioned it's a pretty
> old release now and there have been lots of changes.
> 
> With regards supporting old releases, I've taken the view that I'll make a
> best effort to support versions that are in currently supported
> distributions, but with no guarantees. I've taken "currently supported" to
> mean main lifetime support, not extended type support like Debian LTS or
> Ubuntu extended support. Unless it's easy of course.

That's very comprehensible. 

> I can take a look if you think it's particularly important to support this
> version.

Currently I tend to mark CVE-2023-28366 as ignored but I'll get in contact with
you off-list to discuss another proposal. 

Best,

Markus
