[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-0222 and associate mqtt-client

Sun, 28 Feb 2021 21:40:27 -0800 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c855b86 by Salvatore Bonaccorso at 2021-03-01T06:37:58+01:00
Update information on CVE-2019-0222 and associate mqtt-client

activemq upstream included the mqtt-client library in the lib/extra
directory but in Debian we use the external src:mqtt-client accordngly.

The history is a bit involving at at first activemq disabled MQTT
support, later on enabled it and depending on the mqtt-client provided
packages.

Associate now the CVE with mqtt-client where the issue got fixed.

Thanks: Abhijith PA for spotting the issue.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -155264,11 +155264,13 @@ CVE-2019-0223 (While investigating bug PROTON-2014, 
we discovered that under som
        NOTE: not present in the jessie version. That part do not seem to be 
essential for
        NOTE: the package to be vulnerable.
 CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT 
frame ca ...)
-       - activemq 5.15.9-1 (bug #925964)
-       [buster] - activemq <no-dsa> (Minor issue)
-       [stretch] - activemq <no-dsa> (Minor issue)
+       - activemq 5.15.9-1 (bug #925964; unimportant)
        [jessie] - activemq <not-affected> (MQTT support not enabled)
+       - mqtt-client 1.16-1
        NOTE: 
http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
+       NOTE: activemq disabled MQTT transport in 5.6.0+dfsg-1 
(d/patches/exclude_mqtt.diff)
+       NOTE: but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external 
mqtt-client.
+       NOTE: 
https://github.com/fusesource/mqtt-client/commit/2898f10be758decdc85ba6c523cb5be6b9092855
 (mqtt-client-project-1.15)
 CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 
8.5.0  ...)
        {DSA-4596-1 DLA-1883-1 DLA-1810-1}
        - tomcat9 9.0.16-4 (bug #929895)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c855b8644a045d10341e3dc18a429971e604921

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c855b8644a045d10341e3dc18a429971e604921
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to