- Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that
begins with $, but is not $SYS, then an assert that should be unreachable is
triggered and Mosquitto will exit.
Lucas: this is a security bug, we're expected to bump in a timely manner. Do you still wish to proxy-maintain this package?
(In reply to Virgil Dupras from comment #1)
> Lucas: this is a security bug, we're expected to bump in a timely manner. Do
> you still wish to proxy-maintain this package?
Considering that it took roughly 5 months for 656572 to be closed, what would you consider "in a timely manner"? :D
Apparently, proxy-maintainers can only send patches via the mailing list or via github now, so I opened a pull request on there,
The bug has been closed via the following commit(s):
Author: Lucas Ramage <email@example.com>
AuthorDate: 2018-10-25 00:57:11 +0000
Commit: Virgil Dupras <firstname.lastname@example.org>
CommitDate: 2018-10-26 00:34:41 +0000
app-misc/mosquitto: bump to version 1.5.3
Signed-off-by: Lucas Ramage <email@example.com>
Package-Manager: Portage-2.3.49, Repoman-2.3.11
Signed-off-by: Virgil Dupras <firstname.lastname@example.org>
app-misc/mosquitto/Manifest | 1 +
app-misc/mosquitto/mosquitto-1.5.3.ebuild | 101 ++++++++++++++++++++++++++++++
2 files changed, 102 insertions(+)
Oops, I forgot to fix the git commit's comment which had the "Closes:" tag. Re-opening ticket.
Lucas: We're not supposed to close security tickets ourselves. Members of the security team take care of their bugs' workflow.
I tried to see through CVE info which versions are vulnerable so that we can see whether a stablereq is required, but the link to the CVE provided at https://mosquitto.org/blog/2018/09/security-advisory-cve-2018-12543/ points to an empty page. So, hum, since this bug hasn't been classified by the security team yet, I'll just wait.
@arches, please stabilize.
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].