Security: - Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and Mosquitto will exit. https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt
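The failure mode described above (an `assert()` that was believed unreachable, but is reached by a remotely supplied topic beginning with `$` that is not `$SYS`) is worth seeing in code. The following is an added, constructed illustration written for this page; it is not Mosquitto's code and does not claim to show how CVE-2018-12543 was actually fixed. The function names, the `enum topic_check` result codes and the sample topics are all assumptions made for the example. It contrasts the fragile pattern (asserting an invariant that depends on untrusted input) with an explicit validator that rejects the topic and lets the caller disconnect the client instead of aborting the broker.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed result codes for this example; not Mosquitto's own types. */
enum topic_check {
    TOPIC_OK = 0,
    TOPIC_EMPTY,        /* zero-length topic name is not a valid MQTT topic */
    TOPIC_WILDCARD,     /* '+' or '#' are not allowed in a PUBLISH topic */
    TOPIC_RESERVED      /* '$'-prefixed topic that is not $SYS */
};

/* True for "$SYS" itself or anything under "$SYS/". */
static bool is_sys_topic(const char *topic)
{
    return strcmp(topic, "$SYS") == 0 || strncmp(topic, "$SYS/", 5) == 0;
}

/* Fragile pattern (hypothetical): the code trusts that an earlier filter made
 * non-$SYS '$' topics unreachable and asserts on it. If any path lets a client
 * publish "$foo", assert() aborts the whole process: a remote DoS. This
 * function is shown for contrast and is never called below. */
void handle_dollar_topic_fragile(const char *topic)
{
    assert(is_sys_topic(topic)); /* remote input decides whether we abort */
    (void)topic;
}

/* Robust pattern: validate untrusted input explicitly and return a code the
 * caller can act on (reject the PUBLISH, disconnect the client). Whether
 * clients may publish under $SYS at all is a separate ACL decision and is
 * left to the caller here. */
enum topic_check check_publish_topic(const char *topic)
{
    if (topic == NULL || topic[0] == '\0')
        return TOPIC_EMPTY;
    if (strpbrk(topic, "+#") != NULL)
        return TOPIC_WILDCARD;
    if (topic[0] == '$' && !is_sys_topic(topic))
        return TOPIC_RESERVED;
    return TOPIC_OK;
}

int main(void)
{
    /* Constructed sample topics, including the "$foo"-style trigger. */
    const char *samples[] = {
        "sensors/room1/temp", "$SYS/broker/uptime", "$foo/bar", "$", "a/+/b", ""
    };
    const char *names[] = { "OK", "EMPTY", "WILDCARD", "RESERVED" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i], names[check_publish_topic(samples[i])]);
    return 0;
}
```

The point of the comparison is not the specific rule set but where the decision is made: a broker must treat topic names as hostile input and return a rejection, never encode an assumption about them in an `assert()`, which in a release build may be compiled out (silently continuing) or, as here, left in and turned into a remote crash.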
Lucas: this is a security bug, we're expected to bump in a timely manner. Do you still wish to proxy-maintain this package?
(In reply to Virgil Dupras from comment #1)
> Lucas: this is a security bug, we're expected to bump in a timely manner. Do you still wish to proxy-maintain this package?

Considering that it took roughly 5 months for 656572 to be closed, what would you consider "in a timely manner"? :D

Apparently, proxy-maintainers can only send patches via the mailing list or via github now, so I opened a pull request on there, https://github.com/gentoo/gentoo/pull/10221
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afdf30764f85a99b4de9eaa6fb72bc473350dbd9

commit afdf30764f85a99b4de9eaa6fb72bc473350dbd9
Author:     Lucas Ramage <ramage.lucas@protonmail.com>
AuthorDate: 2018-10-25 00:57:11 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-26 00:34:41 +0000

    app-misc/mosquitto: bump to version 1.5.3

    Closes: https://bugs.gentoo.org/668436
    Signed-off-by: Lucas Ramage <ramage.lucas@protonmail.com>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11
    Closes: https://github.com/gentoo/gentoo/pull/10221
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 app-misc/mosquitto/Manifest               |   1 +
 app-misc/mosquitto/mosquitto-1.5.3.ebuild | 101 ++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
Oops, I forgot to fix the git commit's comment which had the "Closes:" tag. Re-opening ticket.

Lucas: We're not supposed to close security tickets ourselves. Members of the security team take care of their bugs' workflow.

I tried to see through CVE info which versions are vulnerable so that we can see whether a stablereq is required, but the link to the CVE provided at https://mosquitto.org/blog/2018/09/security-advisory-cve-2018-12543/ points to an empty page. So, hum, since this bug hasn't been classified by the security team yet, I'll just wait.
@arches, please stabilize.
amd64 stable
x86 stable
arm stable
GLSA Vote: No

Thank you all for your work. Closing as [noglsa].