Bug 827962 (CVE-2021-41039)

Summary:	<app-misc/mosquitto-2.0.12: DoS via malicious client (CVE-2021-41039)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	mattst88
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2021-12-02 00:47:19 UTC

CVE-2021-41039:

In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

Please cleanup.

Comment 1 Larry the Git Cow gentoo-dev

2021-12-02 01:43:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b445ab1bfd4a8221c697e535885f17c0a7b36853

commit b445ab1bfd4a8221c697e535885f17c0a7b36853
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-02 01:43:03 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-02 01:43:33 +0000

    app-misc/mosquitto: Drop old
    
    Bug: https://bugs.gentoo.org/827962
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 app-misc/mosquitto/Manifest                        |   3 -
 ...2.0.11-Fix-installation-using-WITH_TLS-no.patch |  29 -----
 app-misc/mosquitto/mosquitto-1.6.15.ebuild         | 114 ------------------
 app-misc/mosquitto/mosquitto-2.0.11.ebuild         | 128 ---------------------
 app-misc/mosquitto/mosquitto-2.0.13.ebuild         | 122 --------------------
 5 files changed, 396 deletions(-)

Comment 2 John Helmert III archtester

2021-12-02 03:17:27 UTC

Thank you! Low impact so no GLSA, closing.