Ubuntu CVE Tracker

Merge ~gianz/ubuntu-cve-tracker:mosquitto_cves into ubuntu-cve-tracker:master

Proposed by Giampaolo Fresi Roglia on 2023-11-21

Status:	Merged
Merged at revision:	b0bf512858af8a807b922df7edf6e1935877999a
Proposed branch:	~gianz/ubuntu-cve-tracker:mosquitto_cves
Merge into:	ubuntu-cve-tracker:master
Diff against target:	384 lines (+114/-105) 9 files modified active/CVE-2021-28166 (+12/-11) active/CVE-2021-34431 (+14/-13) active/CVE-2021-34432 (+15/-11) active/CVE-2021-34434 (+12/-12) active/CVE-2021-41039 (+12/-12) active/CVE-2023-0809 (+12/-12) active/CVE-2023-28366 (+14/-12) active/CVE-2023-3592 (+11/-11) active/CVE-2023-5632 (+12/-11)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Eduardo Barretto		2023-11-21	Approve on 2023-11-21
Review via email: mp+455959@code.launchpad.net

Commit message

Push triage results for mosquitto

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2023-11-21:

lgtm, thanks

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Aravind

Giampaolo Fresi Roglia

Philip Roche

Robert C Jennings

Simon Quigley

Steve Beattie

Ubuntu Security Team

 diff --git a/active/CVE-2021-28166 b/active/CVE-2021-28166
 index a9b185d..2636d4d 100644
 --- a/active/CVE-2021-28166
 +++ b/active/CVE-2021-28166
@@ -20,22 +20,23 @@ CVSS:
  Patches_mosquitto:
--upstream_mosquitto: needs-triage
++ upstream: https://bugs.eclipse.org/bugs/attachment.cgi?id=286040&action=diff
++upstream_mosquitto: released (2.0.10)
  precise/esm_mosquitto: DNE
  trusty_mosquitto: ignored (end of standard support)
--trusty/esm_mosquitto: needs-triage
++trusty/esm_mosquitto: not-affected (code not present)
  xenial_mosquitto: ignored (end of standard support, was needs-triage)
--esm-apps/xenial_mosquitto: needs-triage
++esm-apps/xenial_mosquitto: not-affected (code not present)
  bionic_mosquitto: ignored (end of standard support, was needs-triage)
--esm-apps/bionic_mosquitto: needs-triage
--focal_mosquitto: needs-triage
--esm-apps/focal_mosquitto: needs-triage
++esm-apps/bionic_mosquitto: not-affected (code not present)
++focal_mosquitto: not-affected (code not present)
++esm-apps/focal_mosquitto: not-affected (code not present)
  groovy_mosquitto: ignored (end of life)
  hirsute_mosquitto: ignored (end of life)
  impish_mosquitto: ignored (end of life)
--jammy_mosquitto: needs-triage
--esm-apps/jammy_mosquitto: needs-triage
++jammy_mosquitto: not-affected (2.0.11-1ubuntu1)
++esm-apps/jammy_mosquitto: not-affected (2.0.11-1ubuntu1)
  kinetic_mosquitto: ignored (end of life, was needs-triage)
--lunar_mosquitto: needs-triage
--mantic_mosquitto: needs-triage
--devel_mosquitto: needs-triage
++lunar_mosquitto: not-affected (2.0.11-1.2)
++mantic_mosquitto: not-affected (2.0.18-1)
++devel_mosquitto: not-affected (2.0.18-1)
 diff --git a/active/CVE-2021-34431 b/active/CVE-2021-34431
 index 16d3408..45c5cd9 100644
 --- a/active/CVE-2021-34431
 +++ b/active/CVE-2021-34431
@@ -13,28 +13,29 @@ Notes:
  Mitigation:
  Bugs:
  Priority: medium
--Discovered-by:
++Discovered-by: Kathrin Kleinhammer
  Assigned-to: gianz
  CVSS:
   nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [6.5 MEDIUM]
  Patches_mosquitto:
--upstream_mosquitto: needs-triage
--trusty_mosquitto: ignored (end of standard support)
--trusty/esm_mosquitto: needs-triage
++  upstream: https://github.com/eclipse/mosquitto/commit/42163634c72d41a1f12d299f54e00adf14520eb2
++upstream_mosquitto: released (2.0.11)
++trusty_mosquitto: ignored
++trusty/esm_mosquitto: not-affected (code not present)
  xenial_mosquitto: ignored (end of standard support)
--esm-apps/xenial_mosquitto: needs-triage
++esm-apps/xenial_mosquitto: not-affected (code not present)
  bionic_mosquitto: ignored (end of standard support, was needs-triage)
--esm-apps/bionic_mosquitto: needs-triage
--focal_mosquitto: needs-triage
--esm-apps/focal_mosquitto: needs-triage
++esm-apps/bionic_mosquitto: not-affected (code not present)
++focal_mosquitto: needed
++esm-apps/focal_mosquitto: needed
  groovy_mosquitto: ignored (end of life)
  hirsute_mosquitto: ignored (end of life)
  impish_mosquitto: ignored (end of life)
--jammy_mosquitto: needs-triage
--esm-apps/jammy_mosquitto: needs-triage
++jammy_mosquitto: not-affected (2.0.11-1ubuntu1)
++esm-apps/jammy_mosquitto: not-affected (2.0.11-1ubuntu1)
  kinetic_mosquitto: ignored (end of life, was needs-triage)
--lunar_mosquitto: needs-triage
--mantic_mosquitto: needs-triage
--devel_mosquitto: needs-triage
++lunar_mosquitto: not-affected (2.0.11-1.2)
++mantic_mosquitto: not-affected (2.0.18-1)
++devel_mosquitto: not-affected (2.0.18-1)
 diff --git a/active/CVE-2021-34432 b/active/CVE-2021-34432
 index 044b53e..74c015e 100644
 --- a/active/CVE-2021-34432
 +++ b/active/CVE-2021-34432
@@ -9,10 +9,14 @@ Description:
   the client tries to send a PUBLISH packet with topic length = 0.
  Ubuntu-Description:
  Notes:
++ gianz> PoC: https://bugs.eclipse.org/bugs/show_bug.cgi?id=574141 (first message)
++ gianz> The CVE indicates versions <= 2.0.7 as affected.
++ gianz> However only versions >= 2.0.0 and <= 2.0.7 are vulnerable.
++ gianz> No crash detected running the PoC against any previous version we support.
  Mitigation:
  Bugs:
  Priority: medium
--Discovered-by:
++Discovered-by: Bryan Pearson
  Assigned-to: gianz
  CVSS:
   nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
@@ -21,18 +25,18 @@ CVSS:
  Patches_mosquitto:
  upstream_mosquitto: released (2.0.8-1)
  trusty_mosquitto: ignored (end of standard support)
--trusty/esm_mosquitto: needs-triage
++trusty/esm_mosquitto: not-affected (code not present)
  xenial_mosquitto: ignored (end of standard support)
--esm-apps/xenial_mosquitto: needs-triage
++esm-apps/xenial_mosquitto: not-affected (code not present)
  bionic_mosquitto: ignored (end of standard support, was needs-triage)
--esm-apps/bionic_mosquitto: needs-triage
--focal_mosquitto: needs-triage
--esm-apps/focal_mosquitto: needs-triage
++esm-apps/bionic_mosquitto: not-affected (code not present)
++focal_mosquitto: not-affected (code not present)
++esm-apps/focal_mosquitto: not-affected (code not present)
  hirsute_mosquitto: not-affected (2.0.10-3)
  impish_mosquitto: not-affected
--jammy_mosquitto: not-affected
--esm-apps/jammy_mosquitto: not-affected
++jammy_mosquitto: not-affected (2.0.11-1ubuntu1)
++esm-apps/jammy_mosquitto: not-affected (2.0.11-1ubuntu1)
  kinetic_mosquitto: not-affected
--lunar_mosquitto: not-affected
--mantic_mosquitto: not-affected
--devel_mosquitto: not-affected
++lunar_mosquitto: not-affected (2.0.11-1.2)
++mantic_mosquitto: not-affected (2.0.18-1)
++devel_mosquitto: not-affected (2.0.18-1)
 diff --git a/active/CVE-2021-34434 b/active/CVE-2021-34434
 index 318e38e..2b99f90 100644
 --- a/active/CVE-2021-34434
 +++ b/active/CVE-2021-34434
@@ -13,27 +13,27 @@ Notes:
  Mitigation:
  Bugs:
  Priority: medium
--Discovered-by:
++Discovered-by: Zhanxiang Song
  Assigned-to: gianz
  CVSS:
   nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]
  Patches_mosquitto:
--upstream_mosquitto: needs-triage
++upstream_mosquitto: released (2.0.12)
  trusty_mosquitto: ignored (end of standard support)
--trusty/esm_mosquitto: needs-triage
++trusty/esm_mosquitto: not-affected (code not present)
  xenial_mosquitto: ignored (end of standard support)
--esm-apps/xenial_mosquitto: needs-triage
++esm-apps/xenial_mosquitto: not-affected (code not present)
  bionic_mosquitto: ignored (end of standard support, was needs-triage)
--esm-apps/bionic_mosquitto: needs-triage
--focal_mosquitto: needs-triage
--esm-apps/focal_mosquitto: needs-triage
++esm-apps/bionic_mosquitto: not-affected (code not present)
++focal_mosquitto: not-affected (code not present)
++esm-apps/focal_mosquitto: not-affected (code not present)
  hirsute_mosquitto: ignored (end of life)
  impish_mosquitto: ignored (end of life)
--jammy_mosquitto: needs-triage
--esm-apps/jammy_mosquitto: needs-triage
++jammy_mosquitto: needed
++esm-apps/jammy_mosquitto: needed
  kinetic_mosquitto: ignored (end of life, was needs-triage)
--lunar_mosquitto: needs-triage
--mantic_mosquitto: needs-triage
--devel_mosquitto: needs-triage
++lunar_mosquitto: needed
++mantic_mosquitto: not-affected (2.0.18-1)
++devel_mosquitto: not-affected (2.0.18-1)
 diff --git a/active/CVE-2021-41039 b/active/CVE-2021-41039
 index 4d62d6e..94d63fb 100644
 --- a/active/CVE-2021-41039
 +++ b/active/CVE-2021-41039
@@ -13,27 +13,27 @@ Notes:
  Mitigation:
  Bugs:
  Priority: medium
--Discovered-by:
++Discovered-by: Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin
  Assigned-to: gianz
  CVSS:
   nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
  Patches_mosquitto:
--upstream_mosquitto: needs-triage
--trusty/esm_mosquitto: needs-triage
++upstream_mosquitto: released (2.0.12)
++trusty/esm_mosquitto: not-affected (code not present)
  trusty_mosquitto: ignored (end of standard support)
  xenial_mosquitto: ignored (end of standard support)
--esm-apps/xenial_mosquitto: needs-triage
++esm-apps/xenial_mosquitto: not-affected (code-not-present)
  bionic_mosquitto: ignored (end of standard support, was needs-triage)
--esm-apps/bionic_mosquitto: needs-triage
--focal_mosquitto: needs-triage
--esm-apps/focal_mosquitto: needs-triage
++esm-apps/bionic_mosquitto: not-affected (code-not-present)
++focal_mosquitto: needed
++esm-apps/focal_mosquitto: needed
  hirsute_mosquitto: ignored (end of life)
  impish_mosquitto: ignored (end of life)
--jammy_mosquitto: needs-triage
--esm-apps/jammy_mosquitto: needs-triage
++jammy_mosquitto: needed
++esm-apps/jammy_mosquitto: needed
  kinetic_mosquitto: ignored (end of life, was needs-triage)
--lunar_mosquitto: needs-triage
--mantic_mosquitto: needs-triage
--devel_mosquitto: needs-triage
++lunar_mosquitto: not-affected (2.0.11-1.2)
++mantic_mosquitto: not-affected (2.0.18-1)
++devel_mosquitto: not-affected (2.0.18-1)
 diff --git a/active/CVE-2023-0809 b/active/CVE-2023-0809
 index f901e17..854eccf 100644
 --- a/active/CVE-2023-0809
 +++ b/active/CVE-2023-0809
@@ -11,23 +11,23 @@ Notes:
  Mitigation:
  Bugs:
  Priority: medium
--Discovered-by:
++Discovered-by: Zhengjie Du
  Assigned-to: gianz
  CVSS:
   nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM]
  Patches_mosquitto:
--upstream_mosquitto: needs-triage
++upstream_mosquitto: released (2.0.16)
  trusty_mosquitto: ignored (end of standard support)
--trusty/esm_mosquitto: needs-triage
++trusty/esm_mosquitto: not-affected (code-not-present)
  xenial_mosquitto: ignored (end of standard support)
--esm-apps/xenial_mosquitto: needs-triage
++esm-apps/xenial_mosquitto: not-affected (code-not-present)
  bionic_mosquitto: ignored (end of standard support)
--esm-apps/bionic_mosquitto: needs-triage
--focal_mosquitto: needs-triage
--esm-apps/focal_mosquitto: needs-triage
--jammy_mosquitto: needs-triage
--esm-apps/jammy_mosquitto: needs-triage
--lunar_mosquitto: needs-triage
--mantic_mosquitto: needs-triage
--devel_mosquitto: needs-triage
++esm-apps/bionic_mosquitto: not-affected (code-not-present)
++focal_mosquitto: needed
++esm-apps/focal_mosquitto: needed
++jammy_mosquitto: needed
++esm-apps/jammy_mosquitto: needed
++lunar_mosquitto: needed
++mantic_mosquitto: not-affected (2.0.18-1)
++devel_mosquitto: not-affected (2.0.18-1)
 diff --git a/active/CVE-2023-28366 b/active/CVE-2023-28366
 index 1779dc6..31d6115 100644
 --- a/active/CVE-2023-28366
 +++ b/active/CVE-2023-28366
@@ -15,26 +15,28 @@ Description:
   function.
  Ubuntu-Description:
  Notes:
++ gianz> Memory leak requiring refactoring of core functions to be fixed.
++ gianz> Applying the patches to versions < 2.0.0 is likely to cause regressions.
  Mitigation:
  Bugs:
  Priority: medium
--Discovered-by:
++Discovered-by: Mischa Bachmann
  Assigned-to: gianz
  CVSS:
   nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
  Patches_mosquitto:
--upstream_mosquitto: needs-triage
++upstream_mosquitto: released (2.0.16)
  trusty_mosquitto: ignored (end of standard support)
--trusty/esm_mosquitto: needs-triage
++trusty/esm_mosquitto: not-affected (code-not-present)
  xenial_mosquitto: ignored (end of standard support)
--esm-apps/xenial_mosquitto: needs-triage
++esm-apps/xenial_mosquitto: ignored (backporting risks regressions)
  bionic_mosquitto: ignored (end of standard support)
--esm-apps/bionic_mosquitto: needs-triage
--focal_mosquitto: needs-triage
--esm-apps/focal_mosquitto: needs-triage
--jammy_mosquitto: needs-triage
--esm-apps/jammy_mosquitto: needs-triage
--lunar_mosquitto: needs-triage
--mantic_mosquitto: needs-triage
--devel_mosquitto: needs-triage
++esm-apps/bionic_mosquitto: ignored (backporting risks regressions)
++focal_mosquitto: ignored (backporting risks regressions)
++esm-apps/focal_mosquitto: ignored (backporting risks regressions)
++jammy_mosquitto: needed
++esm-apps/jammy_mosquitto: needed
++lunar_mosquitto: needed
++mantic_mosquitto: not-affected (2.0.18-1)
++devel_mosquitto: not-affected (2.0.18-1)
 diff --git a/active/CVE-2023-3592 b/active/CVE-2023-3592
 index f91290d..345f181 100644
 --- a/active/CVE-2023-3592
 +++ b/active/CVE-2023-3592
@@ -18,17 +18,17 @@ CVSS:
   nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
  Patches_mosquitto:
--upstream_mosquitto: needs-triage
++upstream_mosquitto: released (2.0.16)
  trusty_mosquitto: ignored (end of standard support)
--trusty/esm_mosquitto: needs-triage
++trusty/esm_mosquitto: not-affected (code-not-present)
  xenial_mosquitto: ignored (end of standard support)
--esm-apps/xenial_mosquitto: needs-triage
++esm-apps/xenial_mosquitto: not-affected (code-not-present)
  bionic_mosquitto: ignored (end of standard support)
--esm-apps/bionic_mosquitto: needs-triage
--focal_mosquitto: needs-triage
--esm-apps/focal_mosquitto: needs-triage
--jammy_mosquitto: needs-triage
--esm-apps/jammy_mosquitto: needs-triage
--lunar_mosquitto: needs-triage
--mantic_mosquitto: needs-triage
--devel_mosquitto: needs-triage
++esm-apps/bionic_mosquitto: not-affected (code-not-present)
++focal_mosquitto: needed
++esm-apps/focal_mosquitto: needed
++jammy_mosquitto: needed
++esm-apps/jammy_mosquitto: needed
++lunar_mosquitto: needed
++mantic_mosquitto: not-affected (2.0.18-1)
++devel_mosquitto: not-affected (2.0.18-1)
 diff --git a/active/CVE-2023-5632 b/active/CVE-2023-5632
 index d009dbb..1d372d3 100644
 --- a/active/CVE-2023-5632
 +++ b/active/CVE-2023-5632
@@ -13,26 +13,27 @@ Description:
   fixed in 2.0.6
  Ubuntu-Description:
  Notes:
++ gianz> Tested in Focal and below. Unable to reproduce the bug.
  Mitigation:
  Bugs:
  Priority: medium
--Discovered-by:
++Discovered-by: Przemybsław Zygmunt
  Assigned-to: gianz
  CVSS:
   nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
  Patches_mosquitto:
--upstream_mosquitto: released (2.0.7-1)
++upstream_mosquitto: released (2.0.6)
  trusty_mosquitto: ignored (end of standard support)
--trusty/esm_mosquitto: needs-triage
++trusty/esm_mosquitto: not-affected (code-not-present)
  xenial_mosquitto: ignored (end of standard support)
--esm-apps/xenial_mosquitto: needs-triage
++esm-apps/xenial_mosquitto: not-affected (code-not-present)
  bionic_mosquitto: ignored (end of standard support)
--esm-apps/bionic_mosquitto: needs-triage
--focal_mosquitto: needs-triage
--esm-apps/focal_mosquitto: needs-triage
++esm-apps/bionic_mosquitto: not-affected (code-not-present)
++focal_mosquitto: not-affected (code-not-present)
++esm-apps/focal_mosquitto: not-affected (code-not-present)
  jammy_mosquitto: not-affected (2.0.11-1ubuntu1)
--esm-apps/jammy_mosquitto: not-affected
--lunar_mosquitto: not-affected
--mantic_mosquitto: not-affected
--devel_mosquitto: not-affected
++esm-apps/jammy_mosquitto: not-affected (2.0.11-1ubuntu1)
++lunar_mosquitto: not-affected (2.0.11-1.2)
++mantic_mosquitto: not-affected (2.0.18-1)
++devel_mosquitto: not-affected (2.0.18-1)

Ubuntu CVE Tracker

Merge ~gianz/ubuntu-cve-tracker:mosquitto_cves into ubuntu-cve-tracker:master

Commit message

Description of the change

Preview Diff

Subscribers