Candidate: CVE-2017-7652
PublicDate: 2018-04-25 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652
 http://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
Description:
 In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a
 configuration file, then sending a HUP signal to server triggers the
 configuration to be reloaded from disk. If there are lots of clients
 connected so that there are no more file descriptors/sockets available
 (default limit typically 1024 file descriptors on Linux), then opening the
 configuration file will fail.
Ubuntu-Description:
 It was discovered that Mosquitto incorrectly handled file descriptors. An
 attacker could possibly use this issue to cause a denial of service.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5 HIGH]

Patches_mosquitto:
upstream_mosquitto: released (1.4.15-1)
precise/esm_mosquitto: DNE
trusty_mosquitto: released (0.15-2+deb7u3ubuntu0.1)
trusty/esm_mosquitto: released (0.15-2+deb7u3ubuntu0.1)
xenial_mosquitto: released (1.4.8-1ubuntu0.16.04.4)
artful_mosquitto: ignored (reached end-of-life)
bionic_mosquitto: not-affected (1.4.15-1)
devel_mosquitto: not-affected (1.4.15-1)