Hello,
While looking for public security issues for this library, I found that there is no CVE assigned to it and actually no CPE (product identifier).
We can still find some evidence that there has been at least one security report, which was later disclosed.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=543626
https://bugzillaattachments.eclipsecontent.org/bugs/attachment.cgi?id=277237
While studying the security report and the actual code in the mainline, I don't find any evidence that the issue is actually fixed.
The report actually describes two issues. Awaiting some more feedback before creating specific bugs.
Check for msgid data length in incoming packets #1084
a7f0e9a
Thanks for pointing this out. I thought I'd fixed the packet data handling previously but evidently not. I've added a fix now.
The second part is not actually achievable in practice.
package/paho-mqtt-c: security bump to version 1.3.9
9dad1ef
Old security issue not fixed: eclipse/paho.mqtt.c#1084
https://github.com/eclipse/paho.mqtt.c/milestone/16?closed=1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
0f35d6d
Old security issue not fixed: eclipse/paho.mqtt.c#1084
https://github.com/eclipse/paho.mqtt.c/milestone/16?closed=1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9dad1ef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>