nessus | This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof. | FEDORA_2018-9A6AF7815A.NASL
HistoryJan 03, 2019 - 12:00 a.m.

Fedora 28 : mosquitto (2018-9a6af7815a)

2019-01-03 00:00:00
This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
5

Release 1.5.3

Security :

  • Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and Mosquitto will exit.

Broker :

  • Elevate log level to warning for situation when socket limit is hit.

  • Remove requirement to use user root in snap package config files.

  • Fix retained messages not sent by bridges on outgoing topics at the first connection.

  • Documentation fixes.

  • Fix duplicate clients being added to by_id hash before the old client was removed.

  • Fix Windows version not starting if include_dir did not contain any files.

Build :

  • Various fixes to ease building.

Use WITH_BUNDLED_DEPS=no

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2018-9a6af7815a.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration block. It runs only when `description` is set and ends
# with exit(0), so none of the package-check logic further down is reached in
# this pass. Everything here is metadata: identifiers, advisory text, scoring,
# and the KB keys the check needs.
if (description)
{
  script_id(120649);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  # Cross-references: the single CVE this advisory fixes and the Fedora update ID.
  script_cve_id("CVE-2018-12543");
  script_xref(name:"FEDORA", value:"2018-9a6af7815a");

  script_name(english:"Fedora 28 : mosquitto (2018-9a6af7815a)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  # Advisory text copied from the Fedora update. Only the "Security" entry is
  # vulnerability-relevant; the "Broker" and "Build" entries are ordinary
  # release notes for 1.5.3.
  script_set_attribute(
    attribute:"description", 
    value:
"Release 1.5.3

Security :

  - Fix CVE-2018-12543. If a message is sent to Mosquitto
    with a topic that begins with $, but is not $SYS, then
    an assert that should be unreachable is triggered and
    Mosquitto will exit.

Broker :

  - Elevate log level to warning for situation when socket
    limit is hit.

  - Remove requirement to use `user root` in snap package
    config files.

  - Fix retained messages not sent by bridges on outgoing
    topics at the first connection.

  - Documentation fixes.

  - Fix duplicate clients being added to by_id hash before
    the old client was removed.

  - Fix Windows version not starting if include_dir did not
    contain any files.

Build :

  - Various fixes to ease building.

----

Use WITH_BUNDLED_DEPS=no

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-9a6af7815a"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected mosquitto package."
  );
  # Both base vectors describe a network-reachable issue needing no
  # authentication/privileges, with availability as the only impact
  # (C:N/I:N). That matches the advisory text: the broker exits on a
  # crafted topic, i.e. a denial of service.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  # NOTE(review): E:U and the string below are the plugin's recorded state
  # (last modified 2021/01/06); re-check exploit availability before relying
  # on it for prioritisation.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # "local" plugin type: the required KB keys below are a release string and
  # an rpm list, so the finding is based on installed-package data rather
  # than on probing the broker over the network.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mosquitto");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");

  # As recorded here, the patch date (2018/10/22) is earlier than the
  # vulnerability publication date (2018/11/15).
  script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # Prerequisites: ssh_get_info.nasl must run first (presumably it populates
  # the Host/* keys - confirm), and all three KB keys must exist for the
  # plugin to be scheduled.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


# Local package check for FEDORA-2018-9a6af7815a (CVE-2018-12543).
#
# The result is derived only from KB data collected on the host (release
# string, CPU architecture, rpm list). It does not establish whether a
# mosquitto broker is actually running or reachable, so a finding here means
# "the installed package did not pass rpm_check against mosquitto-1.5.3-1.fc28",
# not "the broker was observed to be exploitable".
#
# Each audit() call is expected to end the run with the stated reason; the
# statements after a guard rely on that.

# --- Precondition: credentialed/local checks must be enabled.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# --- Precondition: the host must identify itself as Fedora.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release)
{
  audit(AUDIT_OS_NOT, "Fedora");
}

# --- Precondition: the numeric release must be exactly 28.
# The second pattern anchors on "28" followed by a non-digit or end of
# string, so a value such as "280" is rejected.
os_match = pregmatch(pattern:"Fedora.*release ([0-9]+)", string:release);
if (isnull(os_match))
{
  audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
}
os_ver = os_match[1];
if (!preg(pattern:"^28([^0-9]|$)", string:os_ver))
{
  audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
}

# --- Precondition: an rpm package list must have been collected.
if (!get_kb_item("Host/RedHat/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# --- Precondition: supported CPU architecture.
# Coverage caveat: only x86_64 and i386-i686 proceed. A Fedora 28 host on
# any other architecture exits here as "not implemented" and its mosquitto
# package is never evaluated by this plugin.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
}

# --- Package comparison against the fixed build named in the advisory.
# flag counts failing package checks; this advisory has a single package.
flag = 0;
if (rpm_check(release:"FC28", reference:"mosquitto-1.5.3-1.fc28"))
{
  flag++;
}

if (!flag)
{
  # Nothing flagged: report "not affected" if the package was tested,
  # otherwise "not installed".
  tested = pkg_tests_get();
  if (tested)
  {
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  }
  else
  {
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "mosquitto");
  }
}
else
{
  # Host-level finding (port 0) with the rpm comparison details attached.
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
Vendor | Product | Version | CPE
fedoraproject | fedora | mosquitto | p-cpe:/a:fedoraproject:fedora:mosquitto
fedoraproject | fedora | 28 | cpe:/o:fedoraproject:fedora:28