| Bug ID | 1083912 |
|---|---|
| Summary | VUL-0: CVE-2017-7652: mosquitto: If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail. |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.0 |
| Hardware | Other |
| URL | https://smash.suse.de/issue/201130/ |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | mrueckert@suse.com |
| Reporter | kbabioch@suse.com |
| QA Contact | security-team@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
CVE-2017-7652 A vulnerability exists in Mosquitto versions 1.0 to 1.4.14 inclusive known as CVE-2017-7652. If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail. This results in many of the configuration options, including security options, being set to their default value. This means that authorisation and access control may no longer be in place. The issue is fixed in Mosquitto 1.4.15. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7652 The fix addresses the problem by only copying the new configuration options to the in use configuration after a successful reload has taken place. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7652 http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7652.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652