Re: [mosquitto-dev] Security update: CVE-2021-34432
>>>>> "Roger" == Roger Light <roger@xxxxxxxxxx> writes:
 > Dear all,
 > Mosquitto versions 2.0.0 to 2.0.7 were affected by a bug where the
 > broker would cause a segmentation fault if a client sent a topic with
 > length zero. A change was included in version 2.0.8 that fixed the
 > issue without it being identified.
 > This is your reminder to update to the latest 2.0.x release if you
 > have not already done so.
 > Thanks to Peter Korsgaard for finding and reporting the issue.
Sorry, that is not correct. The issue was reported by Bryan Pearson as
mentioned in the bugtracker linked from the CVE:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=574141
And fixed by Roger.
The only thing I have done is requested an update of the CPE info for
the CVE, which incorrectly stated that all mosquitto versions <= 2.07
were affected (instead of <= 2.0.7).
-- 
Bye, Peter Korsgaard