* [Buildroot] [PATCH] package/mongoose: security bump to version 7.2
@ 2021-03-14 16:01 Pierre-Jean Texier
2021-03-14 16:30 ` Yann E. MORIN
2021-03-20 19:12 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Pierre-Jean Texier @ 2021-03-14 16:01 UTC (permalink / raw)
To: buildroot
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
(compiled with OpenSSL support) is vulnerable to remote OOB write attack via
connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write
attack via connection request after exhausting memory pool.
- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server
7.0 is vulnerable to remote OOB write attack via connection request after exhausting
memory pool.
See https://github.com/cesanta/mongoose/releases/tag/7.2
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
---
package/mongoose/mongoose.hash | 2 +-
package/mongoose/mongoose.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash
index d9ed76c4ac..809f160cf0 100644
--- a/package/mongoose/mongoose.hash
+++ b/package/mongoose/mongoose.hash
@@ -1,3 +1,3 @@
# Locally computed:
-sha256 f099bf7223c527e1a0b7fc8888136a3992e8b5c7123839639213b9483bb4f95b mongoose-7.1.tar.gz
+sha256 8c5024a4e5b5a0c7fdae3c24ebc68e2b3ccfaba08cf25c2e76fc7f14f92fd4a5 mongoose-7.2.tar.gz
sha256 9553d057f2ba980642f2c18d87ed38896cff1c9612d77d684a73a11fe1443b05 LICENSE
diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index 0974c76446..2c5df1d0cc 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -4,7 +4,7 @@
#
################################################################################
-MONGOOSE_VERSION = 7.1
+MONGOOSE_VERSION = 7.2
MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION))
MONGOOSE_LICENSE = GPL-2.0
MONGOOSE_LICENSE_FILES = LICENSE
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/mongoose: security bump to version 7.2
2021-03-14 16:01 [Buildroot] [PATCH] package/mongoose: security bump to version 7.2 Pierre-Jean Texier
@ 2021-03-14 16:30 ` Yann E. MORIN
2021-03-20 19:12 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2021-03-14 16:30 UTC (permalink / raw)
To: buildroot
Pierre-Jean, All,
On 2021-03-14 17:01 +0100, Pierre-Jean Texier spake thusly:
> - Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
> (compiled with OpenSSL support) is vulnerable to remote OOB write attack via
> connection request after exhausting memory pool.
> - Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
> and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write
> attack via connection request after exhausting memory pool.
> - Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server
> 7.0 is vulnerable to remote OOB write attack via connection request after exhausting
> memory pool.
>
> See https://github.com/cesanta/mongoose/releases/tag/7.2
>
> Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/mongoose/mongoose.hash | 2 +-
> package/mongoose/mongoose.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash
> index d9ed76c4ac..809f160cf0 100644
> --- a/package/mongoose/mongoose.hash
> +++ b/package/mongoose/mongoose.hash
> @@ -1,3 +1,3 @@
> # Locally computed:
> -sha256 f099bf7223c527e1a0b7fc8888136a3992e8b5c7123839639213b9483bb4f95b mongoose-7.1.tar.gz
> +sha256 8c5024a4e5b5a0c7fdae3c24ebc68e2b3ccfaba08cf25c2e76fc7f14f92fd4a5 mongoose-7.2.tar.gz
> sha256 9553d057f2ba980642f2c18d87ed38896cff1c9612d77d684a73a11fe1443b05 LICENSE
> diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
> index 0974c76446..2c5df1d0cc 100644
> --- a/package/mongoose/mongoose.mk
> +++ b/package/mongoose/mongoose.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -MONGOOSE_VERSION = 7.1
> +MONGOOSE_VERSION = 7.2
> MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION))
> MONGOOSE_LICENSE = GPL-2.0
> MONGOOSE_LICENSE_FILES = LICENSE
> --
> 2.17.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/mongoose: security bump to version 7.2
2021-03-14 16:01 [Buildroot] [PATCH] package/mongoose: security bump to version 7.2 Pierre-Jean Texier
2021-03-14 16:30 ` Yann E. MORIN
@ 2021-03-20 19:12 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-03-20 19:12 UTC (permalink / raw)
To: buildroot
>>>>> "Pierre-Jean" == Pierre-Jean Texier <texier.pj2@gmail.com> writes:
> - Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
> (compiled with OpenSSL support) is vulnerable to remote OOB write attack via
> connection request after exhausting memory pool.
> - Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
> and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write
> attack via connection request after exhausting memory pool.
> - Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server
> 7.0 is vulnerable to remote OOB write attack via connection request after exhausting
> memory pool.
> See https://github.com/cesanta/mongoose/releases/tag/7.2
Committed to 2021.02.x, thanks.
2020.02.x / 2020.11.x uses 6.x, but without mbedtls, so they are not
affected.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-20 19:12 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-14 16:01 [Buildroot] [PATCH] package/mongoose: security bump to version 7.2 Pierre-Jean Texier
2021-03-14 16:30 ` Yann E. MORIN
2021-03-20 19:12 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.