diff mbox series

[2/3] package/mongoose: security bump to version 7.1

Message ID 20210216080756.1635858-2-fontaine.fabrice@gmail.com
State Accepted
Headers show
Series [1/3] package/mongoose: fix activation of openssl/mbedtls | expand

Commit Message

Fabrice Fontaine Feb. 16, 2021, 8:07 a.m. UTC 
- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta
  Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via
  connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
  to remote OOB write attack via connection request after exhausting
  memory pool.
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
  write attack via connection request after exhausting memory pool.

https://github.com/cesanta/mongoose/releases/tag/7.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/mongoose/mongoose.hash | 2 +-
 package/mongoose/mongoose.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Peter Korsgaard Feb. 16, 2021, 7:40 p.m. UTC | #1 
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta
 >   Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via
 >   connection request after exhausting memory pool.
 > - Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
 >   server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
 >   to remote OOB write attack via connection request after exhausting
 >   memory pool.
 > - Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
 >   server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
 >   write attack via connection request after exhausting memory pool.

 > https://github.com/cesanta/mongoose/releases/tag/7.1

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.
diff mbox series

Patch

diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash
index 149c0f5866..d9ed76c4ac 100644
--- a/package/mongoose/mongoose.hash
+++ b/package/mongoose/mongoose.hash
@@ -1,3 +1,3 @@ 
 # Locally computed:
-sha256  28206185873b5c448765f56e54d86a7af5a856b0b5f241aa44ac94bf34af7eee  mongoose-7.0.tar.gz
+sha256  f099bf7223c527e1a0b7fc8888136a3992e8b5c7123839639213b9483bb4f95b  mongoose-7.1.tar.gz
 sha256  9553d057f2ba980642f2c18d87ed38896cff1c9612d77d684a73a11fe1443b05  LICENSE
diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index 996cbff757..5c331cf48e 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-MONGOOSE_VERSION = 7.0
+MONGOOSE_VERSION = 7.1
 MONGOOSE_SITE = $(call github,cesanta,mongoose,$(MONGOOSE_VERSION))
 MONGOOSE_LICENSE = GPL-2.0
 MONGOOSE_LICENSE_FILES = LICENSE