Ubuntu
mosquitto package

CVE-2017-7651 and CVE-2017-7652

  1. Bionic (18.04)
  2. Bug #1752591
Bug #1752591 reported by Matthew Treinish
274
This bug affects 2 people
Affects Status Importance Assigned to Milestone
mosquitto (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Artful
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned

Bug Description

The current available version of mosquitto pacakged in ubuntu (for all versions) is vulnerable to 2 cve's announced recently, including one for a potential DOS attach from unauthorized users. More details on this can be found at: https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/ which includes links to patches for the CVEs. Or we can just update to 1.4.15 which should be backwards compatible.

Tags: patch

CVE References

Revision history for this message
Matthew Treinish (treinish) wrote :

Marked as public security because the CVEs have been disclosed

information type: Private Security → Public Security
Revision history for this message
Matthew Treinish (treinish) wrote :

Debdiff from Emmet for fixing CVE 2017-7651 for Artful

Revision history for this message
Matthew Treinish (treinish) wrote :

Debdiff from Emmet for fixing CVE 2017-7651 for Xenial

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "mosquitto_1.4.12-1ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Emmet Hikory (persia) wrote :

For clarity, the current debdiffs only address CVE 2017-7651, and I probably didn't add the right metadata to the changelog. I did not find the patches for CVE 2017-7652 to be trivial to port to the versions of mosquitto in Ubuntu artful or xenial. Bionic is not vulnerable to either, as a result of a recent sync from Debian. The use case I am supporting is largely unconcerned about the risk from CVE 2017-7652, so I am unlikely to put any effort into backporting that fix (and would prefer a separation of resolution for 7651 vs. 7652 unless if feels really easy to someone else (as 7651 is an immediate issue that likely affects xenial and bionic users).

Anyone who has a current understanding of the correct metadata to put in debian/changelog is welcome to replace my debdiffs with corrected ones, including removal of my name from the changes if preferred (or leaving my name despite debian/changelog modification, if blaming me feels better at the time).

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mosquitto (Ubuntu):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs in comments #2 and #3. I added the bug number to the changelog and adjusted the artful versioning.

Packages are building now and will be released as security updates today.

Thanks!

Changed in mosquitto (Ubuntu Bionic):
status: Confirmed → Fix Released
Changed in mosquitto (Ubuntu Xenial):
status: New → Fix Committed
Changed in mosquitto (Ubuntu Artful):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 1.4.12-1ubuntu0.1

---------------
mosquitto (1.4.12-1ubuntu0.1) artful-security; urgency=medium

  * Add upstream patch for CVE 2017-7651 (LP: #1752591)

 -- Emmet Hikory <email address hidden> Thu, 01 Mar 2018 09:24:46 -0500

Changed in mosquitto (Ubuntu Artful):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mosquitto - 1.4.8-1ubuntu0.16.04.3

---------------
mosquitto (1.4.8-1ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: upstream patch for CVE 2017-7651 (LP: #1752591)

 -- Emmet Hikory <email address hidden> Thu, 01 Mar 2018 09:34:49 -0500

Changed in mosquitto (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Emmet Hikory (persia) wrote :

Thanks for the cleanup Marc :)

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.