All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH] package/mongoose: security bump to version 7.2
@ 2021-03-14 16:01 Pierre-Jean Texier
  2021-03-14 16:30 ` Yann E. MORIN
  2021-03-20 19:12 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Pierre-Jean Texier @ 2021-03-14 16:01 UTC (permalink / raw)
  To: buildroot

- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
  (compiled with OpenSSL support) is vulnerable to remote OOB write attack via
  connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
  and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write
  attack via connection request after exhausting memory pool.
- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server
  7.0 is vulnerable to remote OOB write attack via connection request after exhausting
  memory pool.

See https://github.com/cesanta/mongoose/releases/tag/7.2

Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
---
 package/mongoose/mongoose.hash | 2 +-
 package/mongoose/mongoose.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash
index d9ed76c4ac..809f160cf0 100644
--- a/package/mongoose/mongoose.hash
+++ b/package/mongoose/mongoose.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  f099bf7223c527e1a0b7fc8888136a3992e8b5c7123839639213b9483bb4f95b  mongoose-7.1.tar.gz
+sha256  8c5024a4e5b5a0c7fdae3c24ebc68e2b3ccfaba08cf25c2e76fc7f14f92fd4a5  mongoose-7.2.tar.gz
 sha256  9553d057f2ba980642f2c18d87ed38896cff1c9612d77d684a73a11fe1443b05  LICENSE
diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index 0974c76446..2c5df1d0cc 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-MONGOOSE_VERSION = 7.1
+MONGOOSE_VERSION = 7.2
 MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION))
 MONGOOSE_LICENSE = GPL-2.0
 MONGOOSE_LICENSE_FILES = LICENSE
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/mongoose: security bump to version 7.2
  2021-03-14 16:01 [Buildroot] [PATCH] package/mongoose: security bump to version 7.2 Pierre-Jean Texier
@ 2021-03-14 16:30 ` Yann E. MORIN
  2021-03-20 19:12 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2021-03-14 16:30 UTC (permalink / raw)
  To: buildroot

Pierre-Jean, All,

On 2021-03-14 17:01 +0100, Pierre-Jean Texier spake thusly:
> - Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
>   (compiled with OpenSSL support) is vulnerable to remote OOB write attack via
>   connection request after exhausting memory pool.
> - Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
>   and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write
>   attack via connection request after exhausting memory pool.
> - Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server
>   7.0 is vulnerable to remote OOB write attack via connection request after exhausting
>   memory pool.
> 
> See https://github.com/cesanta/mongoose/releases/tag/7.2
> 
> Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/mongoose/mongoose.hash | 2 +-
>  package/mongoose/mongoose.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash
> index d9ed76c4ac..809f160cf0 100644
> --- a/package/mongoose/mongoose.hash
> +++ b/package/mongoose/mongoose.hash
> @@ -1,3 +1,3 @@
>  # Locally computed:
> -sha256  f099bf7223c527e1a0b7fc8888136a3992e8b5c7123839639213b9483bb4f95b  mongoose-7.1.tar.gz
> +sha256  8c5024a4e5b5a0c7fdae3c24ebc68e2b3ccfaba08cf25c2e76fc7f14f92fd4a5  mongoose-7.2.tar.gz
>  sha256  9553d057f2ba980642f2c18d87ed38896cff1c9612d77d684a73a11fe1443b05  LICENSE
> diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
> index 0974c76446..2c5df1d0cc 100644
> --- a/package/mongoose/mongoose.mk
> +++ b/package/mongoose/mongoose.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -MONGOOSE_VERSION = 7.1
> +MONGOOSE_VERSION = 7.2
>  MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION))
>  MONGOOSE_LICENSE = GPL-2.0
>  MONGOOSE_LICENSE_FILES = LICENSE
> -- 
> 2.17.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/mongoose: security bump to version 7.2
  2021-03-14 16:01 [Buildroot] [PATCH] package/mongoose: security bump to version 7.2 Pierre-Jean Texier
  2021-03-14 16:30 ` Yann E. MORIN
@ 2021-03-20 19:12 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-03-20 19:12 UTC (permalink / raw)
  To: buildroot

>>>>> "Pierre-Jean" == Pierre-Jean Texier <texier.pj2@gmail.com> writes:

 > - Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
 >   (compiled with OpenSSL support) is vulnerable to remote OOB write attack via
 >   connection request after exhausting memory pool.
 > - Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
 >   and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write
 >   attack via connection request after exhausting memory pool.
 > - Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server
 >   7.0 is vulnerable to remote OOB write attack via connection request after exhausting
 >   memory pool.

 > See https://github.com/cesanta/mongoose/releases/tag/7.2

Committed to 2021.02.x, thanks.

2020.02.x / 2020.11.x uses 6.x, but without mbedtls, so they are not
affected.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-20 19:12 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-14 16:01 [Buildroot] [PATCH] package/mongoose: security bump to version 7.2 Pierre-Jean Texier
2021-03-14 16:30 ` Yann E. MORIN
2021-03-20 19:12 ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.