Bug 255229 - net/mosquitto: CVE-2021-23980
Summary: net/mosquitto: CVE-2021-23980
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2021-04-19 16:45 UTC by daniel.engberg.lists
Modified: 2021-04-19 16:56 UTC
bugzilla: maintainer-feedback? (joe)


Description daniel.engberg.lists 2021-04-19 16:45:43 UTC
Security:
- CVE-2021-23980: If an authenticated client connected with MQTT v5 sent a
  malformed CONNACK message to the broker a NULL pointer dereference occurred,
  most likely resulting in a segfault.
  Affects versions 2.0.0 to 2.0.9 inclusive.

https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt

I think the easiest solution would be bumping it to 2.0.10
Comment 1 Li-Wen Hsu freebsd_committer 2021-04-19 16:56:47 UTC
And we need an entry in vuxml.
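
Added example (not part of the bug report or the port): until the VuXML entry mentioned above exists, `pkg audit` has no record to match, so a manual check against the range stated in the description (2.0.0 to 2.0.9 inclusive) is one way to triage hosts. The function names and the sample input are assumptions made for this sketch; the input shape is what `pkg query '%n %v' mosquitto` prints.

```shell
#!/bin/sh
# Triage check for the range quoted in the report:
# CVE-2021-23980 affects mosquitto 2.0.0 to 2.0.9 inclusive.

# Strip FreeBSD PORTEPOCH (",N") and PORTREVISION ("_N") from a package
# version, leaving the upstream version (2.0.9_1,1 -> 2.0.9).
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/,[0-9]*$//' -e 's/_[0-9]*$//'
}

# Return 0 if the version is in the affected range, 1 if it is not,
# 2 if it is not a plain major.minor.patch version.
mosquitto_affected() {
    v=$(upstream_version "$1")
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 2
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 2 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 9 ] && return 0
    return 1
}

# Read "name version" lines on stdin and report on each mosquitto package.
triage() {
    while read -r name ver; do
        [ "$name" = mosquitto ] || continue
        rc=0
        mosquitto_affected "$ver" || rc=$?
        case $rc in
            0) echo "$name $ver: AFFECTED, update to 2.0.10 or later" ;;
            1) echo "$name $ver: outside the affected range" ;;
            *) echo "$name $ver: version not understood, check manually" ;;
        esac
    done
}

# Constructed sample input, not output captured from a real host.
triage <<'EOF'
mosquitto 2.0.9_1
mosquitto 2.0.10
mosquitto 1.6.12,1
EOF
```

On a real host, replace the constructed input with `pkg query '%n %v' mosquitto | triage`.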