Update CVE information.

eclipse · Apr 10, 2021 · d5ecd9f · d5ecd9f
1 parent 3452291
commit d5ecd9f
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 5 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -2,10 +2,9 @@
 ==================
 
 Security:
-- CVE-xxxx-xxxx: If an authenticated client connected with MQTT v5 sent a
+- CVE-2021-23980: If an authenticated client connected with MQTT v5 sent a
  malformed CONNACK message to the broker a NULL pointer dereference occurred,
- most likely resulting in a segfault. This will be updated with the CVE
- number when it is assigned.
+ most likely resulting in a segfault.
  Affects versions 2.0.0 to 2.0.9 inclusive.
 
 Broker:

diff --git a/www/pages/security.md b/www/pages/security.md
@@ -19,7 +19,7 @@ follow the steps on [Eclipse Security] page to report it.
 Listed with most recent first. Further information on security related issues
 can be found in the [security category].
 
-* April 2021: CVE-xxxx-xxxx Affecting versions **2.0.0** to **2.0.9**
+* April 2021: [CVE-2021-28166] Affecting versions **2.0.0** to **2.0.9**
  inclusive, fixed in **2.0.10**.
 * December 2020: Running mosquitto_passwd with the following arguments only
  `mosquitto_passwd -b password_file username password` would cause the
@@ -69,6 +69,7 @@ can be found in the [security category].
 [Eclipse Security]: https://www.eclipse.org/security/
 [security category]: /blog/categories/security/
 
+[CVE-2021-28166]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166
 [CVE-2019-11779]: https://nvd.nist.gov/vuln/detail/CVE-2019-11779
 [CVE-2019-11778]: https://nvd.nist.gov/vuln/detail/CVE-2019-11778
 [CVE-2018-20145]: https://nvd.nist.gov/vuln/detail/CVE-2018-20145

diff --git a/www/posts/2021/04/version-2-0-10-released.md b/www/posts/2021/04/version-2-0-10-released.md
@@ -13,7 +13,7 @@ Versions 2.0.10 of Mosquitto has been released. This is a security and bugfix
 release.
 
 # Security
-- CVE-xxxx-xxxx: If an authenticated client connected with MQTT v5 sent a
+- [CVE-2021-23980]: If an authenticated client connected with MQTT v5 sent a
  malformed CONNACK message to the broker a NULL pointer dereference occurred,
  most likely resulting in a segfault. This will be updated with the CVE
  number when it is assigned.
@@ -41,6 +41,7 @@ release.
 - Fix CMake cross compile builds not finding opensslconf.h. Closes [#2160].
 - Fix build on Solaris non-sparc. Closes [#2136].
 
+[CVE-2021-23980]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166
 [#2134]: https://github.com/eclipse/mosquitto/issues/2134
 [#2136]: https://github.com/eclipse/mosquitto/issues/2136
 [#2152]: https://github.com/eclipse/mosquitto/issues/2152