[Secure-testing-team] Bug#865959: mosquitto: CVE-2017-9868: mosquitto.db can be read by all
Salvatore Bonaccorso
carnil at debian.org
Mon Jun 26 05:35:05 UTC 2017
Source: mosquitto
Version: 1.3.4-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/eclipse/mosquitto/issues/468
Hi,
the following vulnerability was published for mosquitto.
CVE-2017-9868[0]:
| In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is
| world readable, which allows local users to obtain sensitive MQTT topic
| information.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868
[1] https://github.com/eclipse/mosquitto/issues/468
Regards,
Salvatore
More information about the Secure-testing-team
mailing list