Merge ~gianz/ubuntu-cve-tracker:mosquitto_cves into ubuntu-cve-tracker:master
| Proposed by | Giampaolo Fresi Roglia |
|---|---|
| Status | Merged |
| Merged at revision | b0bf512858af8a807b922df7edf6e1935877999a |
| Proposed branch | ~gianz/ubuntu-cve-tracker:mosquitto_cves |
| Merge into | ubuntu-cve-tracker:master |
| Diff against target | 384 lines (+114/-105), 9 files modified |
| Related bugs | |

Files modified:

- active/CVE-2021-28166 (+12/-11)
- active/CVE-2021-34431 (+14/-13)
- active/CVE-2021-34432 (+15/-11)
- active/CVE-2021-34434 (+12/-12)
- active/CVE-2021-41039 (+12/-12)
- active/CVE-2023-0809 (+12/-12)
- active/CVE-2023-28366 (+14/-12)
- active/CVE-2023-3592 (+11/-11)
- active/CVE-2023-5632 (+12/-11)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Eduardo Barretto | Approve | | |

Review via email: mp+455959@code.launchpad.net
Commit message
Push triage results for mosquitto
Description of the change
1 | diff --git a/active/CVE-2021-28166 b/active/CVE-2021-28166 |
2 | index a9b185d..2636d4d 100644 |
3 | --- a/active/CVE-2021-28166 |
4 | +++ b/active/CVE-2021-28166 |
5 | @@ -20,22 +20,23 @@ CVSS: |
6 | |
7 | |
8 | Patches_mosquitto: |
9 | -upstream_mosquitto: needs-triage |
10 | + upstream: https://bugs.eclipse.org/bugs/attachment.cgi?id=286040&action=diff |
11 | +upstream_mosquitto: released (2.0.10) |
12 | precise/esm_mosquitto: DNE |
13 | trusty_mosquitto: ignored (end of standard support) |
14 | -trusty/esm_mosquitto: needs-triage |
15 | +trusty/esm_mosquitto: not-affected (code not present) |
16 | xenial_mosquitto: ignored (end of standard support, was needs-triage) |
17 | -esm-apps/xenial_mosquitto: needs-triage |
18 | +esm-apps/xenial_mosquitto: not-affected (code not present) |
19 | bionic_mosquitto: ignored (end of standard support, was needs-triage) |
20 | -esm-apps/bionic_mosquitto: needs-triage |
21 | -focal_mosquitto: needs-triage |
22 | -esm-apps/focal_mosquitto: needs-triage |
23 | +esm-apps/bionic_mosquitto: not-affected (code not present) |
24 | +focal_mosquitto: not-affected (code not present) |
25 | +esm-apps/focal_mosquitto: not-affected (code not present) |
26 | groovy_mosquitto: ignored (end of life) |
27 | hirsute_mosquitto: ignored (end of life) |
28 | impish_mosquitto: ignored (end of life) |
29 | -jammy_mosquitto: needs-triage |
30 | -esm-apps/jammy_mosquitto: needs-triage |
31 | +jammy_mosquitto: not-affected (2.0.11-1ubuntu1) |
32 | +esm-apps/jammy_mosquitto: not-affected (2.0.11-1ubuntu1) |
33 | kinetic_mosquitto: ignored (end of life, was needs-triage) |
34 | -lunar_mosquitto: needs-triage |
35 | -mantic_mosquitto: needs-triage |
36 | -devel_mosquitto: needs-triage |
37 | +lunar_mosquitto: not-affected (2.0.11-1.2) |
38 | +mantic_mosquitto: not-affected (2.0.18-1) |
39 | +devel_mosquitto: not-affected (2.0.18-1) |
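Review bot: the `not-affected (code not present)` entries for trusty/esm through esm-apps/focal come with no Notes line saying which upstream version introduced the affected code, so a later triager cannot check the claim without redoing it; the CVE-2021-34432 file in this same series carries a `gianz>` note giving the affected range, and the same would help here. Also the ` upstream:` pointer is a bugs.eclipse.org attachment diff; if the fix landed as a mosquitto commit, the commit URL is the more stable reference.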
40 | diff --git a/active/CVE-2021-34431 b/active/CVE-2021-34431 |
41 | index 16d3408..45c5cd9 100644 |
42 | --- a/active/CVE-2021-34431 |
43 | +++ b/active/CVE-2021-34431 |
44 | @@ -13,28 +13,29 @@ Notes: |
45 | Mitigation: |
46 | Bugs: |
47 | Priority: medium |
48 | -Discovered-by: |
49 | +Discovered-by: Kathrin Kleinhammer |
50 | Assigned-to: gianz |
51 | CVSS: |
52 | nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [6.5 MEDIUM] |
53 | |
54 | |
55 | Patches_mosquitto: |
56 | -upstream_mosquitto: needs-triage |
57 | -trusty_mosquitto: ignored (end of standard support) |
58 | -trusty/esm_mosquitto: needs-triage |
59 | + upstream: https://github.com/eclipse/mosquitto/commit/42163634c72d41a1f12d299f54e00adf14520eb2 |
60 | +upstream_mosquitto: released (2.0.11) |
61 | +trusty_mosquitto: ignored |
62 | +trusty/esm_mosquitto: not-affected (code not present) |
63 | xenial_mosquitto: ignored (end of standard support) |
64 | -esm-apps/xenial_mosquitto: needs-triage |
65 | +esm-apps/xenial_mosquitto: not-affected (code not present) |
66 | bionic_mosquitto: ignored (end of standard support, was needs-triage) |
67 | -esm-apps/bionic_mosquitto: needs-triage |
68 | -focal_mosquitto: needs-triage |
69 | -esm-apps/focal_mosquitto: needs-triage |
70 | +esm-apps/bionic_mosquitto: not-affected (code not present) |
71 | +focal_mosquitto: needed |
72 | +esm-apps/focal_mosquitto: needed |
73 | groovy_mosquitto: ignored (end of life) |
74 | hirsute_mosquitto: ignored (end of life) |
75 | impish_mosquitto: ignored (end of life) |
76 | -jammy_mosquitto: needs-triage |
77 | -esm-apps/jammy_mosquitto: needs-triage |
78 | +jammy_mosquitto: not-affected (2.0.11-1ubuntu1) |
79 | +esm-apps/jammy_mosquitto: not-affected (2.0.11-1ubuntu1) |
80 | kinetic_mosquitto: ignored (end of life, was needs-triage) |
81 | -lunar_mosquitto: needs-triage |
82 | -mantic_mosquitto: needs-triage |
83 | -devel_mosquitto: needs-triage |
84 | +lunar_mosquitto: not-affected (2.0.11-1.2) |
85 | +mantic_mosquitto: not-affected (2.0.18-1) |
86 | +devel_mosquitto: not-affected (2.0.18-1) |
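Review bot: `trusty_mosquitto: ignored (end of standard support)` is rewritten as `trusty_mosquitto: ignored` with the reason dropped, which looks accidental since every other file in this series keeps the reason; restore `(end of standard support)`. The rest of the hunk is internally consistent: upstream `released (2.0.11)`, focal `needed`, jammy `not-affected (2.0.11-1ubuntu1)`.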
87 | diff --git a/active/CVE-2021-34432 b/active/CVE-2021-34432 |
88 | index 044b53e..74c015e 100644 |
89 | --- a/active/CVE-2021-34432 |
90 | +++ b/active/CVE-2021-34432 |
91 | @@ -9,10 +9,14 @@ Description: |
92 | the client tries to send a PUBLISH packet with topic length = 0. |
93 | Ubuntu-Description: |
94 | Notes: |
95 | + gianz> PoC: https://bugs.eclipse.org/bugs/show_bug.cgi?id=574141 (first message) |
96 | + gianz> The CVE indicates versions <= 2.0.7 as affected. |
97 | + gianz> However only versions >= 2.0.0 and <= 2.0.7 are vulnerable. |
98 | + gianz> No crash detected running the PoC against any previous version we support. |
99 | Mitigation: |
100 | Bugs: |
101 | Priority: medium |
102 | -Discovered-by: |
103 | +Discovered-by: Bryan Pearson |
104 | Assigned-to: gianz |
105 | CVSS: |
106 | nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH] |
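Review bot: the note narrows the affected range to 2.0.0 through 2.0.7 on the basis that the PoC did not crash older versions, but a PoC not crashing is weaker evidence than the `code not present` status this file relies on; state whether the PUBLISH-with-zero-length-topic handling path was also confirmed absent by reading the pre-2.0.0 source, so the not-affected entries rest on code inspection rather than only on a negative test.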
107 | @@ -21,18 +25,18 @@ CVSS: |
108 | Patches_mosquitto: |
109 | upstream_mosquitto: released (2.0.8-1) |
110 | trusty_mosquitto: ignored (end of standard support) |
111 | -trusty/esm_mosquitto: needs-triage |
112 | +trusty/esm_mosquitto: not-affected (code not present) |
113 | xenial_mosquitto: ignored (end of standard support) |
114 | -esm-apps/xenial_mosquitto: needs-triage |
115 | +esm-apps/xenial_mosquitto: not-affected (code not present) |
116 | bionic_mosquitto: ignored (end of standard support, was needs-triage) |
117 | -esm-apps/bionic_mosquitto: needs-triage |
118 | -focal_mosquitto: needs-triage |
119 | -esm-apps/focal_mosquitto: needs-triage |
120 | +esm-apps/bionic_mosquitto: not-affected (code not present) |
121 | +focal_mosquitto: not-affected (code not present) |
122 | +esm-apps/focal_mosquitto: not-affected (code not present) |
123 | hirsute_mosquitto: not-affected (2.0.10-3) |
124 | impish_mosquitto: not-affected |
125 | -jammy_mosquitto: not-affected |
126 | -esm-apps/jammy_mosquitto: not-affected |
127 | +jammy_mosquitto: not-affected (2.0.11-1ubuntu1) |
128 | +esm-apps/jammy_mosquitto: not-affected (2.0.11-1ubuntu1) |
129 | kinetic_mosquitto: not-affected |
130 | -lunar_mosquitto: not-affected |
131 | -mantic_mosquitto: not-affected |
132 | -devel_mosquitto: not-affected |
133 | +lunar_mosquitto: not-affected (2.0.11-1.2) |
134 | +mantic_mosquitto: not-affected (2.0.18-1) |
135 | +devel_mosquitto: not-affected (2.0.18-1) |
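Review bot: the unchanged `upstream_mosquitto: released (2.0.8-1)` carries a Debian revision on an upstream entry, exactly what the CVE-2023-5632 change in this same series corrects for `2.0.7-1`; since this file is being touched anyway, change it to `released (2.0.8)` to match the `released (2.0.10)` / `released (2.0.12)` style used in the other files. `impish_mosquitto: not-affected` and `kinetic_mosquitto: not-affected` are also left without a version in parentheses while lunar, mantic and devel gain one in this hunk.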
136 | diff --git a/active/CVE-2021-34434 b/active/CVE-2021-34434 |
137 | index 318e38e..2b99f90 100644 |
138 | --- a/active/CVE-2021-34434 |
139 | +++ b/active/CVE-2021-34434 |
140 | @@ -13,27 +13,27 @@ Notes: |
141 | Mitigation: |
142 | Bugs: |
143 | Priority: medium |
144 | -Discovered-by: |
145 | +Discovered-by: Zhanxiang Song |
146 | Assigned-to: gianz |
147 | CVSS: |
148 | nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM] |
149 | |
150 | |
151 | Patches_mosquitto: |
152 | -upstream_mosquitto: needs-triage |
153 | +upstream_mosquitto: released (2.0.12) |
154 | trusty_mosquitto: ignored (end of standard support) |
155 | -trusty/esm_mosquitto: needs-triage |
156 | +trusty/esm_mosquitto: not-affected (code not present) |
157 | xenial_mosquitto: ignored (end of standard support) |
158 | -esm-apps/xenial_mosquitto: needs-triage |
159 | +esm-apps/xenial_mosquitto: not-affected (code not present) |
160 | bionic_mosquitto: ignored (end of standard support, was needs-triage) |
161 | -esm-apps/bionic_mosquitto: needs-triage |
162 | -focal_mosquitto: needs-triage |
163 | -esm-apps/focal_mosquitto: needs-triage |
164 | +esm-apps/bionic_mosquitto: not-affected (code not present) |
165 | +focal_mosquitto: not-affected (code not present) |
166 | +esm-apps/focal_mosquitto: not-affected (code not present) |
167 | hirsute_mosquitto: ignored (end of life) |
168 | impish_mosquitto: ignored (end of life) |
169 | -jammy_mosquitto: needs-triage |
170 | -esm-apps/jammy_mosquitto: needs-triage |
171 | +jammy_mosquitto: needed |
172 | +esm-apps/jammy_mosquitto: needed |
173 | kinetic_mosquitto: ignored (end of life, was needs-triage) |
174 | -lunar_mosquitto: needs-triage |
175 | -mantic_mosquitto: needs-triage |
176 | -devel_mosquitto: needs-triage |
177 | +lunar_mosquitto: needed |
178 | +mantic_mosquitto: not-affected (2.0.18-1) |
179 | +devel_mosquitto: not-affected (2.0.18-1) |
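Review bot: jammy, esm-apps/jammy and lunar are set to `needed`, but the hunk adds no ` upstream:` commit reference under Patches_mosquitto, unlike the CVE-2021-28166 and CVE-2021-34431 changes; add the fixing commit so whoever picks up the backport, and whoever verifies that 2.0.18-1 in mantic contains it, has a pointer. A Notes line stating where the affected code first appeared would likewise back the `code not present` entries for trusty/esm through esm-apps/focal.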
180 | diff --git a/active/CVE-2021-41039 b/active/CVE-2021-41039 |
181 | index 4d62d6e..94d63fb 100644 |
182 | --- a/active/CVE-2021-41039 |
183 | +++ b/active/CVE-2021-41039 |
184 | @@ -13,27 +13,27 @@ Notes: |
185 | Mitigation: |
186 | Bugs: |
187 | Priority: medium |
188 | -Discovered-by: |
189 | +Discovered-by: Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin |
190 | Assigned-to: gianz |
191 | CVSS: |
192 | nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH] |
193 | |
194 | |
195 | Patches_mosquitto: |
196 | -upstream_mosquitto: needs-triage |
197 | -trusty/esm_mosquitto: needs-triage |
198 | +upstream_mosquitto: released (2.0.12) |
199 | +trusty/esm_mosquitto: not-affected (code not present) |
200 | trusty_mosquitto: ignored (end of standard support) |
201 | xenial_mosquitto: ignored (end of standard support) |
202 | -esm-apps/xenial_mosquitto: needs-triage |
203 | +esm-apps/xenial_mosquitto: not-affected (code-not-present) |
204 | bionic_mosquitto: ignored (end of standard support, was needs-triage) |
205 | -esm-apps/bionic_mosquitto: needs-triage |
206 | -focal_mosquitto: needs-triage |
207 | -esm-apps/focal_mosquitto: needs-triage |
208 | +esm-apps/bionic_mosquitto: not-affected (code-not-present) |
209 | +focal_mosquitto: needed |
210 | +esm-apps/focal_mosquitto: needed |
211 | hirsute_mosquitto: ignored (end of life) |
212 | impish_mosquitto: ignored (end of life) |
213 | -jammy_mosquitto: needs-triage |
214 | -esm-apps/jammy_mosquitto: needs-triage |
215 | +jammy_mosquitto: needed |
216 | +esm-apps/jammy_mosquitto: needed |
217 | kinetic_mosquitto: ignored (end of life, was needs-triage) |
218 | -lunar_mosquitto: needs-triage |
219 | -mantic_mosquitto: needs-triage |
220 | -devel_mosquitto: needs-triage |
221 | +lunar_mosquitto: not-affected (2.0.11-1.2) |
222 | +mantic_mosquitto: not-affected (2.0.18-1) |
223 | +devel_mosquitto: not-affected (2.0.18-1) |
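Review bot: `lunar_mosquitto: not-affected (2.0.11-1.2)` conflicts with `jammy_mosquitto: needed` at 2.0.11-1ubuntu1 and `upstream_mosquitto: released (2.0.12)`: both releases carry upstream 2.0.11, so lunar is only not-affected if the Debian 1.2 revision backported the fix, and that should be recorded in Notes (changelog entry or patch name). Also `(code-not-present)` is hyphenated here whereas the earlier files in this series write `(code not present)`; pick one spelling.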
224 | diff --git a/active/CVE-2023-0809 b/active/CVE-2023-0809 |
225 | index f901e17..854eccf 100644 |
226 | --- a/active/CVE-2023-0809 |
227 | +++ b/active/CVE-2023-0809 |
228 | @@ -11,23 +11,23 @@ Notes: |
229 | Mitigation: |
230 | Bugs: |
231 | Priority: medium |
232 | -Discovered-by: |
233 | +Discovered-by: Zhengjie Du |
234 | Assigned-to: gianz |
235 | CVSS: |
236 | nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM] |
237 | |
238 | Patches_mosquitto: |
239 | -upstream_mosquitto: needs-triage |
240 | +upstream_mosquitto: released (2.0.16) |
241 | trusty_mosquitto: ignored (end of standard support) |
242 | -trusty/esm_mosquitto: needs-triage |
243 | +trusty/esm_mosquitto: not-affected (code-not-present) |
244 | xenial_mosquitto: ignored (end of standard support) |
245 | -esm-apps/xenial_mosquitto: needs-triage |
246 | +esm-apps/xenial_mosquitto: not-affected (code-not-present) |
247 | bionic_mosquitto: ignored (end of standard support) |
248 | -esm-apps/bionic_mosquitto: needs-triage |
249 | -focal_mosquitto: needs-triage |
250 | -esm-apps/focal_mosquitto: needs-triage |
251 | -jammy_mosquitto: needs-triage |
252 | -esm-apps/jammy_mosquitto: needs-triage |
253 | -lunar_mosquitto: needs-triage |
254 | -mantic_mosquitto: needs-triage |
255 | -devel_mosquitto: needs-triage |
256 | +esm-apps/bionic_mosquitto: not-affected (code-not-present) |
257 | +focal_mosquitto: needed |
258 | +esm-apps/focal_mosquitto: needed |
259 | +jammy_mosquitto: needed |
260 | +esm-apps/jammy_mosquitto: needed |
261 | +lunar_mosquitto: needed |
262 | +mantic_mosquitto: not-affected (2.0.18-1) |
263 | +devel_mosquitto: not-affected (2.0.18-1) |
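Review bot: esm-apps/bionic is `not-affected (code-not-present)` while focal is `needed`, so the affected code appeared between the bionic and focal versions; a Notes line naming that introducing version, plus an ` upstream:` reference for the 2.0.16 fix, would let the focal/jammy/lunar backports and the not-affected entries be verified without redoing the triage.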
264 | diff --git a/active/CVE-2023-28366 b/active/CVE-2023-28366 |
265 | index 1779dc6..31d6115 100644 |
266 | --- a/active/CVE-2023-28366 |
267 | +++ b/active/CVE-2023-28366 |
268 | @@ -15,26 +15,28 @@ Description: |
269 | function. |
270 | Ubuntu-Description: |
271 | Notes: |
272 | + gianz> Memory leak requiring refactoring of core functions to be fixed. |
273 | + gianz> Applying the patches to versions < 2.0.0 is likely to cause regressions. |
274 | Mitigation: |
275 | Bugs: |
276 | Priority: medium |
277 | -Discovered-by: |
278 | +Discovered-by: Mischa Bachmann |
279 | Assigned-to: gianz |
280 | CVSS: |
281 | nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH] |
282 | |
283 | Patches_mosquitto: |
284 | -upstream_mosquitto: needs-triage |
285 | +upstream_mosquitto: released (2.0.16) |
286 | trusty_mosquitto: ignored (end of standard support) |
287 | -trusty/esm_mosquitto: needs-triage |
288 | +trusty/esm_mosquitto: not-affected (code-not-present) |
289 | xenial_mosquitto: ignored (end of standard support) |
290 | -esm-apps/xenial_mosquitto: needs-triage |
291 | +esm-apps/xenial_mosquitto: ignored (backporting risks regressions) |
292 | bionic_mosquitto: ignored (end of standard support) |
293 | -esm-apps/bionic_mosquitto: needs-triage |
294 | -focal_mosquitto: needs-triage |
295 | -esm-apps/focal_mosquitto: needs-triage |
296 | -jammy_mosquitto: needs-triage |
297 | -esm-apps/jammy_mosquitto: needs-triage |
298 | -lunar_mosquitto: needs-triage |
299 | -mantic_mosquitto: needs-triage |
300 | -devel_mosquitto: needs-triage |
301 | +esm-apps/bionic_mosquitto: ignored (backporting risks regressions) |
302 | +focal_mosquitto: ignored (backporting risks regressions) |
303 | +esm-apps/focal_mosquitto: ignored (backporting risks regressions) |
304 | +jammy_mosquitto: needed |
305 | +esm-apps/jammy_mosquitto: needed |
306 | +lunar_mosquitto: needed |
307 | +mantic_mosquitto: not-affected (2.0.18-1) |
308 | +devel_mosquitto: not-affected (2.0.18-1) |
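Review bot: `ignored (backporting risks regressions)` on focal, which is in standard support, leaves a 7.5 HIGH memory-leak DoS unaddressed on the strength of a two-line note; record which upstream commits were evaluated and which core-function refactoring they depend on (the note speaks of patches but the hunk adds no ` upstream:` reference), so the decision can be revisited, and consider whether `deferred` fits better than `ignored` if a smaller fix might be attempted later. Note also that trusty/esm gets `not-affected (code-not-present)` while xenial and bionic ESM get `ignored`, which implies the leak is present from xenial on; a line saying which version introduced it would make that explicit.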
309 | diff --git a/active/CVE-2023-3592 b/active/CVE-2023-3592 |
310 | index f91290d..345f181 100644 |
311 | --- a/active/CVE-2023-3592 |
312 | +++ b/active/CVE-2023-3592 |
313 | @@ -18,17 +18,17 @@ CVSS: |
314 | nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH] |
315 | |
316 | Patches_mosquitto: |
317 | -upstream_mosquitto: needs-triage |
318 | +upstream_mosquitto: released (2.0.16) |
319 | trusty_mosquitto: ignored (end of standard support) |
320 | -trusty/esm_mosquitto: needs-triage |
321 | +trusty/esm_mosquitto: not-affected (code-not-present) |
322 | xenial_mosquitto: ignored (end of standard support) |
323 | -esm-apps/xenial_mosquitto: needs-triage |
324 | +esm-apps/xenial_mosquitto: not-affected (code-not-present) |
325 | bionic_mosquitto: ignored (end of standard support) |
326 | -esm-apps/bionic_mosquitto: needs-triage |
327 | -focal_mosquitto: needs-triage |
328 | -esm-apps/focal_mosquitto: needs-triage |
329 | -jammy_mosquitto: needs-triage |
330 | -esm-apps/jammy_mosquitto: needs-triage |
331 | -lunar_mosquitto: needs-triage |
332 | -mantic_mosquitto: needs-triage |
333 | -devel_mosquitto: needs-triage |
334 | +esm-apps/bionic_mosquitto: not-affected (code-not-present) |
335 | +focal_mosquitto: needed |
336 | +esm-apps/focal_mosquitto: needed |
337 | +jammy_mosquitto: needed |
338 | +esm-apps/jammy_mosquitto: needed |
339 | +lunar_mosquitto: needed |
340 | +mantic_mosquitto: not-affected (2.0.18-1) |
341 | +devel_mosquitto: not-affected (2.0.18-1) |
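Review bot: same 2.0.16 fix set and the same gaps as the CVE-2023-0809 change: no ` upstream:` commit reference for the focal/jammy/lunar `needed` entries, and no Notes line saying why the code is absent up to bionic but present in focal. Since this hunk and the CVE-2023-0809 hunk have identical per-release outcomes, a one-line note on whether the two fixes come from the same upstream commit would also help the backporter.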
342 | diff --git a/active/CVE-2023-5632 b/active/CVE-2023-5632 |
343 | index d009dbb..1d372d3 100644 |
344 | --- a/active/CVE-2023-5632 |
345 | +++ b/active/CVE-2023-5632 |
346 | @@ -13,26 +13,27 @@ Description: |
347 | fixed in 2.0.6 |
348 | Ubuntu-Description: |
349 | Notes: |
350 | + gianz> Tested in Focal and below. Unable to reproduce the bug. |
351 | Mitigation: |
352 | Bugs: |
353 | Priority: medium |
354 | -Discovered-by: |
355 | +Discovered-by: Przemybsław Zygmunt |
356 | Assigned-to: gianz |
357 | CVSS: |
358 | nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH] |
359 | |
360 | Patches_mosquitto: |
361 | -upstream_mosquitto: released (2.0.7-1) |
362 | +upstream_mosquitto: released (2.0.6) |
363 | trusty_mosquitto: ignored (end of standard support) |
364 | -trusty/esm_mosquitto: needs-triage |
365 | +trusty/esm_mosquitto: not-affected (code-not-present) |
366 | xenial_mosquitto: ignored (end of standard support) |
367 | -esm-apps/xenial_mosquitto: needs-triage |
368 | +esm-apps/xenial_mosquitto: not-affected (code-not-present) |
369 | bionic_mosquitto: ignored (end of standard support) |
370 | -esm-apps/bionic_mosquitto: needs-triage |
371 | -focal_mosquitto: needs-triage |
372 | -esm-apps/focal_mosquitto: needs-triage |
373 | +esm-apps/bionic_mosquitto: not-affected (code-not-present) |
374 | +focal_mosquitto: not-affected (code-not-present) |
375 | +esm-apps/focal_mosquitto: not-affected (code-not-present) |
376 | jammy_mosquitto: not-affected (2.0.11-1ubuntu1) |
377 | -esm-apps/jammy_mosquitto: not-affected |
378 | -lunar_mosquitto: not-affected |
379 | -mantic_mosquitto: not-affected |
380 | -devel_mosquitto: not-affected |
381 | +esm-apps/jammy_mosquitto: not-affected (2.0.11-1ubuntu1) |
382 | +lunar_mosquitto: not-affected (2.0.11-1.2) |
383 | +mantic_mosquitto: not-affected (2.0.18-1) |
384 | +devel_mosquitto: not-affected (2.0.18-1) |
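Review bot: the note `Tested in Focal and below. Unable to reproduce the bug.` is offered as the basis for `not-affected (code-not-present)` on trusty/esm through esm-apps/focal, but failing to reproduce is not the same as the code being absent; either confirm by inspection that the code fixed in 2.0.6 is absent from those versions, or use a status and reason that match the evidence. The `Discovered-by: Przemybsław Zygmunt` spelling looks like it has a stray `b` (the Polish given name is Przemysław); check it against the upstream credit. The `2.0.7-1` to `2.0.6` correction matches the description's `fixed in 2.0.6`.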
lgtm, thanks