Bastian Germann pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ba2a6c06 by Bastian Germann at 2026-05-11T19:43:01+02:00
Add some mongoose CVEs affecting swupdate
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -80116,6 +80116,7 @@ CVE-2025-65503 (Use after free in endpoint destructors
in Redboltz async_mqtt 10
NOT-FOR-US: Redboltz async_mqtt
CVE-2025-65502 (Null pointer dereference in add_ca_certs() in Cesanta Mongoose
before ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2025.12+dfsg-1
NOTE: https://github.com/cesanta/mongoose/issues/3306
NOTE:
https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2
(7.20)
CVE-2025-65501 (Null pointer dereference in coap_dtls_info_callback() in OISM
libcoap ...)
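Review bot: the added `- swupdate 2025.12+dfsg-1` line under CVE-2025-65502 comes with no NOTE saying why swupdate is listed against a Mongoose CVE. Other Mongoose entries in this file record embedded copies explicitly (`NOTE: smplayer embeds a copy, ...`); a matching NOTE stating that swupdate embeds a copy of mongoose, ideally with the Mongoose version embedded in that upload, would let a later reader check it against the 7.20 fix referenced in the existing NOTE.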
@@ -314142,6 +314143,7 @@ CVE-2023-33934 (Improper Input Validation
vulnerability in Apache Software Found
NOTE: https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc
CVE-2023-2905 (Due to a failure in validating the length of a provided
MQTT_CMD_PUBLI ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2024.12+dfsg-1
CVE-2023-3223 (A flaw was found in undertow. Servlets annotated with
@MultipartConfig ...)
- undertow 2.3.18-1 (bug #1054893)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209689
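Review bot: CVE-2023-2905 carries no NOTE at all, so the fixed version on the new swupdate line cannot be verified from the entry itself. Please add the upstream fix commit or release as a NOTE, as the neighbouring Mongoose entries do, so that `2024.12+dfsg-1` is traceable to a Mongoose version.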
@@ -320281,6 +320283,7 @@ CVE-2023-34203 (In Progress OpenEdge OEM (OpenEdge
Management) and OEE (OpenEdge
NOT-FOR-US: Progress OpenEdge OEM
CVE-2023-34188 (The HTTP server in Mongoose before 7.10 accepts requests
containing ne ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2024.12+dfsg-1
NOTE:
https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f
(7.10)
NOTE: smplayer embeds a copy, which is unused in any released version
and disabled since 18.5.0~ds1-1
CVE-2023-34021 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in
Andy Moy ...)
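Review bot: recording `2024.12+dfsg-1` as the fixed version for CVE-2023-34188 means any suite still shipping an older swupdate now shows as open for this CVE, and the hunk adds no triage for those suites. If they are not going to receive a fix, suite-tagged lines (for example a `<no-dsa>` entry with a reason) should be added alongside this line rather than leaving them untriaged.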
@@ -490773,16 +490776,19 @@ CVE-2021-26531
RESERVED
CVE-2021-26530 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
(compile ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2022.12+dfsg-1
NOTE: https://github.com/cesanta/mongoose/issues/1204
NOTE:
https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994
(7.1)
NOTE: smplayer embeds a copy, which is unused in any released version
and disabled since 18.5.0~ds1-1
CVE-2021-26529 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
and 6.7- ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2022.12+dfsg-1
NOTE: https://github.com/cesanta/mongoose/issues/1203
NOTE:
https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994
(7.1)
NOTE: smplayer embeds a copy, which is unused in any released version
and disabled since 18.5.0~ds1-1
CVE-2021-26528 (The mg_http_serve_file function in Cesanta Mongoose HTTP
server 7.0 is ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2022.12+dfsg-1
NOTE: https://github.com/cesanta/mongoose/issues/1203
NOTE:
https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994
(7.1)
NOTE: smplayer embeds a copy, which is unused in any released version
and disabled since 18.5.0~ds1-1
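Review bot: the description of CVE-2021-26530 qualifies the mg_tls_init bug with a compile-time condition ("7.0 (compile ...)"), but the new swupdate line records a plain fixed version without saying whether swupdate's build of the embedded copy meets that condition. A NOTE stating which TLS configuration swupdate builds Mongoose with would settle whether `2022.12+dfsg-1` is the right marker here or whether swupdate was never affected; the same check applies to the other mg_tls_init entry, CVE-2021-26529.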
@@ -524165,6 +524171,7 @@ CVE-2020-25888
RESERVED
CVE-2020-25887 (Buffer overflow in mg_resolve_from_hosts_file in Mongoose
6.18, when r ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2022.12+dfsg-1
NOTE: https://github.com/cesanta/mongoose/issues/1140
CVE-2020-25886
RESERVED
@@ -524500,6 +524507,7 @@ CVE-2020-25757 (A lack of input validation and access
controls in Lua CGIs on D-
NOT-FOR-US: D-Link
CVE-2020-25756 (A buffer overflow vulnerability exists in the
mg_get_http_header funct ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2022.12+dfsg-1
NOTE: https://github.com/cesanta/mongoose/issues/1135
NOTE: smplayer embeds a copy, which is unused in any released version
and disabled since 18.5.0~ds1-1
CVE-2020-25755 (An issue was discovered on Enphase Envoy R3.x and D4.x (and
other curr ...)
@@ -586772,6 +586780,7 @@ CVE-2019-19308 (In text_to_glyphs in
sushi-font-widget.c in gnome-font-viewer 3.
NOTE: Crash in GUI tool, no security impact
CVE-2019-19307 (An integer overflow in parse_mqtt in mongoose.c in Cesanta
Mongoose 6. ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2021.04-1
NOTE: https://github.com/cesanta/mongoose/issues/1055
NOTE: smplayer embeds a copy, which is unused in any released version
and disabled since 18.5.0~ds1-1
CVE-2019-19306 (The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows
XSS via m ...)
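Review bot: the new line for CVE-2019-19307 uses `2021.04-1`, the lowest swupdate version appearing anywhere in this commit. If that is swupdate's first upload to the archive, no vulnerable version was ever shipped, and the form used on the mongoose line directly above, `<not-affected> (Fixed before or with initial upload)`, would state that more clearly than a fixed version. Please confirm which case applies; the same question holds for the other `2021.04-1` lines for CVE-2019-13503 and CVE-2019-12951.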
@@ -608467,6 +608476,7 @@ CVE-2019-13504 (There is an out-of-bounds read in
Exiv2::MrwImage::readMetadata
NOTE:
https://github.com/Exiv2/exiv2/commit/54f0bebca032d0286a0e48f47e67dfc6141fedff
CVE-2019-13503 (mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based
buffer o ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2021.04-1
NOTE: https://github.com/cesanta/mongoose/pull/1035
NOTE: smplayer embeds a copy, which is unused in any released version
and disabled since 18.5.0~ds1-1
CVE-2019-13502
@@ -610072,6 +610082,7 @@ CVE-2019-12952
RESERVED
CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The
parse_mqtt() func ...)
- mongoose <not-affected> (Fixed before or with initial upload)
+ - swupdate 2021.04-1
NOTE:
https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb
(6.15)
NOTE: smplayer embeds a copy, which is unused in any released version
and disabled since 18.5.0~ds1-1
CVE-2019-12950 (An issue was discovered in TeamPass 2.1.27.35. From the
sources/items. ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba2a6c06737b88b6063da2b52e0eaec93b208869