Re: [mosquitto-dev] Security update: CVE-2021-34432

Thanks Peter, you are quite correct.

On Tue, 17 Aug 2021 at 23:12, Peter Korsgaard <peter@xxxxxxxxxxxxx> wrote:
>
> >>>>> "Roger" == Roger Light <roger@xxxxxxxxxx> writes:
>
>  > Dear all,
>  > Mosquitto versions 2.0.0 to 2.0.7 were affected by a bug where the
>  > broker would cause a segmentation fault if a client sent a topic with
>  > length zero. A change was included in version 2.0.8 that fixed the
>  > issue without it being identified.
>
>  > This is your reminder to update to the latest 2.0.x release if you
>  > have not already done so.
>
>  > Thanks to Peter Korsgaard for finding and reporting the issue.
>
> Sorry, that is not correct. The issue was reported by Bryan Pearson as
> mentioned in the bugtracker linked from the CVE:
>
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=574141
>
> And fixed by Roger.
>
> The only thing I have done is requested an update of the CPE info for
> the CVE, which incorrectly stated that all mosquitto versions <= 2.07
> were affected (instead of <= 2.0.7).
>
> --
> Bye, Peter Korsgaard

