For clarity, the current debdiffs only address CVE 2017-7651, and I
probably didn't add the right metadata to the changelog.  I did not find
the patches for CVE 2017-7652 to be trivial to port to the versions of
mosquitto in Ubuntu artful or xenial.  Bionic is not vulnerable to
either, as a result of a recent sync from Debian.  The use case I am
supporting is largely unconcerned about the risk from CVE 2017-7652, so
I am unlikely to put any effort into backporting that fix (and would
prefer a separation of resolution for 7651 vs. 7652 unless it feels
really easy to someone else (as 7651 is an immediate issue that likely
affects xenial and bionic users)).

Anyone who has a current understanding of the correct metadata to put in
debian/changelog is welcome to replace my debdiffs with corrected ones,
including removal of my name from the changes if preferred (or leaving
my name despite debian/changelog modification, if blaming me feels
better at the time).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1752591

Title:
  CVE-2017-7651 and CVE-2017-7652
