author Salvatore Bonaccorso <carnil@debian.org> 2021-03-01 06:37:58 +0100
committer Salvatore Bonaccorso <carnil@debian.org> 2021-03-01 06:37:58 +0100
commit d39a20929fb60442a0239a6ad6af9b3e558a2e9c
tree 2f36fbd3093095348ad8c7593e725c749dc95811 /data/CVE/2019.list
parent 7466c05b13a71697ed5d33feccd5ca26eaf6f3fd
Update information on CVE-2019-0222 and associate mqtt-client
activemq upstream included the mqtt-client library in the lib/extra directory but in Debian we use the external src:mqtt-client accordingly. The history is a bit involving as at first activemq disabled MQTT support, later on enabled it and depending on the mqtt-client provided packages. Associate now the CVE with mqtt-client where the issue got fixed. Thanks: Abhijith PA for spotting the issue.
Diffstat (limited to 'data/CVE/2019.list')
-rw-r--r-- data/CVE/2019.list 8
1 files changed, 5 insertions, 3 deletions
diff --git a/data/CVE/2019.list b/data/CVE/2019.list
index 111a6a7e8f..4e3dabf0c5 100644
--- a/data/CVE/2019.list
+++ b/data/CVE/2019.list
@@ -53016,11 +53016,13 @@ CVE-2019-0223 (While investigating bug PROTON-2014, we discovered that under som
NOTE: not present in the jessie version. That part do not seem to be essential for
NOTE: the package to be vulnerable.
CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame ca ...)
- - activemq 5.15.9-1 (bug #925964)
- [buster] - activemq <no-dsa> (Minor issue)
- [stretch] - activemq <no-dsa> (Minor issue)
+ - activemq 5.15.9-1 (bug #925964; unimportant)
[jessie] - activemq <not-affected> (MQTT support not enabled)
+ - mqtt-client 1.16-1
NOTE: http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
+ NOTE: activemq disabled MQTT transport in 5.6.0+dfsg-1 (d/patches/exclude_mqtt.diff)
+ NOTE: but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external mqtt-client.
+ NOTE: https://github.com/fusesource/mqtt-client/commit/2898f10be758decdc85ba6c523cb5be6b9092855 (mqtt-client-project-1.15)
CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 ...)
{DSA-4596-1 DLA-1883-1 DLA-1810-1}
- tomcat9 9.0.16-4 (bug #929895)
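Review bot: The fixed version on the new `- mqtt-client 1.16-1` line does not obviously match the last added NOTE in the CVE-2019-0222 block, which ties the upstream fix commit to mqtt-client-project-1.15. A short NOTE stating that 1.16-1 is the first Debian upload containing that commit (or a corrected version, if an earlier upload already had it) would let a later reader verify the entry without re-checking the package history. Separately, the `[buster]` and `[stretch]` `<no-dsa>` lines are dropped for activemq, which is consistent with the new `unimportant` tag, but no per-suite lines are added for mqtt-client, so the status of each stable suite now rests only on a version comparison against 1.16-1. If those suites are meant to stay triaged as a minor issue, add the corresponding `[suite] - mqtt-client <no-dsa> (Minor issue)` lines under the mqtt-client entry.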
