eclipse/mosquitto
1
0
Fork 0
mirror of https://github.com/eclipse/mosquitto.git synced 2025-05-08 16:52:13 +08:00
Code Issues Releases Wiki Activity

Update CVE information.

Browse Source
This commit is contained in:
Roger Light 2021-04-10 08:28:41 +01:00
parent 34522913ea
commit d5ecd9f5aa
3 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog.txt
View File

@ -2,10 +2,9 @@
==================
Security:
- CVE-xxxx-xxxx: If an authenticated client connected with MQTT v5 sent a
- CVE-2021-23980: If an authenticated client connected with MQTT v5 sent a
malformed CONNACK message to the broker a NULL pointer dereference occurred,
most likely resulting in a segfault. This will be updated with the CVE
number when it is assigned.
most likely resulting in a segfault.
Affects versions 2.0.0 to 2.0.9 inclusive.
Broker:

3
www/pages/security.md
View File

@ -19,7 +19,7 @@ follow the steps on [Eclipse Security] page to report it.
Listed with most recent first. Further information on security related issues
can be found in the [security category].
* April 2021: CVE-xxxx-xxxx Affecting versions **2.0.0** to **2.0.9**
* April 2021: [CVE-2021-28166] Affecting versions **2.0.0** to **2.0.9**
inclusive, fixed in **2.0.10**.
* December 2020: Running mosquitto_passwd with the following arguments only
`mosquitto_passwd -b password_file username password` would cause the
@ -69,6 +69,7 @@ can be found in the [security category].
[Eclipse Security]: https://www.eclipse.org/security/
[security category]: /blog/categories/security/
[CVE-2021-28166]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166
[CVE-2019-11779]: https://nvd.nist.gov/vuln/detail/CVE-2019-11779
[CVE-2019-11778]: https://nvd.nist.gov/vuln/detail/CVE-2019-11778
[CVE-2018-20145]: https://nvd.nist.gov/vuln/detail/CVE-2018-20145

3
www/posts/2021/04/version-2-0-10-released.md
View File

@ -13,7 +13,7 @@ Versions 2.0.10 of Mosquitto has been released. This is a security and bugfix
release.
# Security
- CVE-xxxx-xxxx: If an authenticated client connected with MQTT v5 sent a
- [CVE-2021-23980]: If an authenticated client connected with MQTT v5 sent a
malformed CONNACK message to the broker a NULL pointer dereference occurred,
most likely resulting in a segfault. This will be updated with the CVE
number when it is assigned.
@ -41,6 +41,7 @@ release.
- Fix CMake cross compile builds not finding opensslconf.h. Closes [#2160].
- Fix build on Solaris non-sparc. Closes [#2136].
[CVE-2021-23980]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166
[#2134]: https://github.com/eclipse/mosquitto/issues/2134
[#2136]: https://github.com/eclipse/mosquitto/issues/2136
[#2152]: https://github.com/eclipse/mosquitto/issues/2152