Changelog

mosquitto (2.0.11-1+deb11u1) bullseye-security; urgency=high

  * Non-maintainer upload.
  * Several security vulnerabilities have been discovered in mosquitto, an MQTT
    compatible message broker, which may be abused for a denial of service
    attack.
  * CVE-2021-34434:
    In Eclipse Mosquitto when using the dynamic security plugin, if the ability
    for a client to make subscriptions on a topic is revoked when a durable
    client is offline, then existing subscriptions for that client are not
    revoked.
  * CVE-2021-41039:
    An MQTT v5 client connecting with a large number of user-property
    properties could cause excessive CPU usage, leading to a loss of
    performance and possible denial of service.
  * CVE-2023-0809:
    Fix excessive memory being allocated based on malicious initial packets
    that are not CONNECT packets.
  * CVE-2023-3592:
    Fix memory leak when clients send v5 CONNECT packets with a will message
    that contains invalid property types.
  * Fix CVE-2023-28366:
    The broker in Eclipse Mosquitto has a memory leak that can be abused
    remotely when a client sends many QoS 2 messages with duplicate message
    IDs, and fails to respond to PUBREC commands. This occurs because of
    mishandling of EAGAIN from the libc send function.

 -- Markus Koschany <email address hidden>  Sat, 30 Sep 2023 16:50:16 +0200
