[Bug 1083912] New: VUL-0: CVE-2017-7652: mosquitto: If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail.
http://bugzilla.opensuse.org/show_bug.cgi?id=1083912

Bug ID: 1083912
Summary: VUL-0: CVE-2017-7652: mosquitto: If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail.
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
URL: https://smash.suse.de/issue/201130/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: mrueckert@suse.com
Reporter: kbabioch@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2017-7652

A vulnerability exists in Mosquitto versions 1.0 to 1.4.14 inclusive known as CVE-2017-7652. If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail. This results in many of the configuration options, including security options, being set to their default value. This means that authorisation and access control may no longer be in place.

The issue is fixed in Mosquitto 1.4.15. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7652

The fix addresses the problem by only copying the new configuration options to the in-use configuration after a successful reload has taken place.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7652
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7652.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652

--
You are receiving this mail because:
You are on the CC list for the bug.
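An added illustration of the two reload strategies the description contrasts, not Mosquitto's own code: a constructed config struct whose defaults allow anonymous access, a simulated config_read() that fails when file descriptors are exhausted, and the reset-then-parse reload of the affected versions beside the parse-then-commit reload of the fix. The struct, function names and option values are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the broker's security-relevant options. */
struct config {
    bool allow_anonymous;
    const char *acl_file;   /* NULL means no ACL is enforced */
};

/* Mosquitto-style defaults: no ACL, anonymous clients allowed. */
void config_defaults(struct config *cfg) {
    cfg->allow_anonymous = true;
    cfg->acl_file = NULL;
}

/* Simulated parser. The real one open()s mosquitto.conf, which fails with EMFILE once
   the process has no free fds; fd_exhausted models that. Values are constructed. */
int config_read(struct config *cfg, bool fd_exhausted) {
    if (fd_exhausted) return -1;                   /* open() failed, nothing parsed */
    cfg->allow_anonymous = false;
    cfg->acl_file = "/etc/mosquitto/acl";
    return 0;
}

/* Vulnerable pattern (1.0 to 1.4.14): the live config is reset to defaults before
   parsing, so a failed parse leaves the running broker without access control. */
int reload_in_place(struct config *live, bool fd_exhausted) {
    config_defaults(live);
    return config_read(live, fd_exhausted);
}

/* Fixed pattern (1.4.15): parse into a scratch copy and commit it to the live config
   only after the reload succeeded; on failure the old options stay in force. */
int reload_commit_on_success(struct config *live, bool fd_exhausted) {
    struct config scratch;
    config_defaults(&scratch);
    if (config_read(&scratch, fd_exhausted) != 0) return -1;
    *live = scratch;
    return 0;
}

/* Hardened broker receives SIGHUP while fds are exhausted; returns whether
   anonymous access is allowed afterwards (true = access control lost). */
bool anonymous_after_failed_reload(bool use_fix) {
    struct config live;
    config_defaults(&live);
    config_read(&live, false);                     /* startup load succeeds */
    if (use_fix) reload_commit_on_success(&live, true);
    else reload_in_place(&live, true);
    return live.allow_anonymous;
}
```

The same commit-on-success shape applies to any daemon that reloads security configuration on a signal: never mutate the live settings until the complete replacement has been parsed and validated.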
http://bugzilla.opensuse.org/show_bug.cgi?id=1083912

Karol Babioch <kbabioch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kbabioch@suse.com,
                   |                            |mardnh@gmx.de
http://bugzilla.opensuse.org/show_bug.cgi?id=1083912
http://bugzilla.opensuse.org/show_bug.cgi?id=1083912#c1

--- Comment #1 from Karol Babioch <kbabioch@suse.com> ---
http://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7...
http://bugzilla.opensuse.org/show_bug.cgi?id=1083912
http://bugzilla.opensuse.org/show_bug.cgi?id=1083912#c2

Karol Babioch <kbabioch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Karol Babioch <kbabioch@suse.com> ---
Already fixed in Factory.