Your message dated Fri, 23 Nov 2018 21:39:29 +0000
with message-id <e1gqjaf-00012p...@fasolo.debian.org>
and subject line Bug#911266: fixed in mosquitto 1.5.4-1
has caused the Debian Bug report #911266,
regarding mosquitto: CVE-2017-7653
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
911266: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911266
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mosquitto
Version: 1.4.10-1
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.eclipse.org/bugs/show_bug.cgi?id=532113
Hi,
The following vulnerability was published for mosquitto. Planned to be
fixed in a DSA, and needs to be fixed for buster as reason for the RC
severity filing.
CVE-2017-7653[0]:
| The Eclipse Mosquitto broker up to version 1.4.15 does not reject
| strings that are not valid UTF-8. A malicious client could cause other
| clients that do reject invalid UTF-8 strings to disconnect themselves
| from the broker by sending a topic string which is not valid UTF-8,
| and so cause a denial of service for the clients.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7653
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653
[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=532113
[2] https://github.com/eclipse/mosquitto/commit/729a09310a7a56fbe5933b70b4588049da1a42b4
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mosquitto
Source-Version: 1.5.4-1
We believe that the bug you reported is fixed in the latest version of
mosquitto, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 911...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roger A. Light <ro...@atchoo.org> (supplier of updated mosquitto package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 08 Nov 2018 13:34:59 +0000
Source: mosquitto
Binary: mosquitto mosquitto-dev libmosquitto1 libmosquitto-dev libmosquittopp1
libmosquittopp-dev mosquitto-clients
Architecture: source
Version: 1.5.4-1
Distribution: unstable
Urgency: medium
Maintainer: Roger A. Light <ro...@atchoo.org>
Changed-By: Roger A. Light <ro...@atchoo.org>
Description:
libmosquitto-dev - MQTT version 3.1/3.1.1 client library, development files
libmosquitto1 - MQTT version 3.1/3.1.1 client library
libmosquittopp-dev - MQTT version 3.1 client C++ library, development files
libmosquittopp1 - MQTT version 3.1/3.1.1 client C++ library
mosquitto - MQTT version 3.1/3.1.1 compatible message broker
mosquitto-clients - Mosquitto command line MQTT clients
mosquitto-dev - Development files for Mosquitto
Closes: 901424 911104 911265 911266
Changes:
mosquitto (1.5.4-1) unstable; urgency=medium
.
  * New upstream release (Closes: #911104).
    - Fixes CVE-2017-7654 (Closes: #911265)
    - Fixes CVE-2017-7653 (Closes: #911266)
  * Remove no longer needed patches. Some are integrated into upstream, others
    have been replaced with changes in rules.
    - async_dns.patch
    - build-timestamp.patch
    - disable-in-tree-uthash.patch
    - enable-libwrap.patch
    - enable-websockets.patch
    - fix-prefix.patch
    - hurd-errno.patch
    - libdir.patch
    - nostrip.patch
  * Copyright fix - src/uthash.h -> src/deps/uthash.h
  * Update symbols files with new additions.
  * Remove debian/mosquitto.prerm
    - Calls to invoke-rc.d to stop mosquitto will be inserted automagically by
      debhelper.
  * Stop removing the mosquitto user in postrm.
    - This is not safe since there might still be logs (and other files?)
      around owned by the uid, so we don't want it reused for a new user.
  * Add build dependency on libsystemd-dev.
  * Enable systemd build support.
  * Ship the mosquitto.service file (with sd-notify support)
  * Drop -dbg packages and do -dbgsym migration.
  * libmosquitto{,pp}-dev: ship libmosquitto{,pp}.pc respectively.
  * Remove unused build dependency on python-all. (Closes: #901424).
  * Bump standards version to 4.2.1, no changes needed.
  * Bumped dh compat level to 11.
  * Add upstream/metadata.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---