mosquitto 2.0.11-1+deb11u1 source package in Debian

Changelog

mosquitto (2.0.11-1+deb11u1) bullseye-security; urgency=high

  * Non-maintainer upload.
  * Several security vulnerabilities have been discovered in mosquitto, an
    MQTT-compatible message broker, which may be abused for a denial of service
    attack.
  * CVE-2021-34434:
    In Eclipse Mosquitto when using the dynamic security plugin, if the ability
    for a client to make subscriptions on a topic is revoked when a durable
    client is offline, then existing subscriptions for that client are not
    revoked.
  * CVE-2021-41039:
    An MQTT v5 client connecting with a large number of user-property
    properties could cause excessive CPU usage, leading to a loss of
    performance and possible denial of service.
  * CVE-2023-0809:
    Fix excessive memory being allocated based on malicious initial packets
    that are not CONNECT packets.
  * CVE-2023-3592:
    Fix memory leak when clients send v5 CONNECT packets with a will message
    that contains invalid property types.
  * Fix CVE-2023-28366:
    The broker in Eclipse Mosquitto has a memory leak that can be abused
    remotely when a client sends many QoS 2 messages with duplicate message
    IDs, and fails to respond to PUBREC commands. This occurs because of
    mishandling of EAGAIN from the libc send function.

 -- Markus Koschany <email address hidden>  Sat, 30 Sep 2023 16:50:16 +0200

Upload details

Uploaded by: Roger Light
Uploaded to: Bullseye
Original maintainer: Roger Light
Architectures: any all
Section: net
Urgency: Very Urgent

Publishing

Series Pocket Published Component Section
Bullseye release main net

Builds

Downloads

File Size SHA-256 Checksum
mosquitto_2.0.11-1+deb11u1.dsc 2.6 KiB 2f8124229527652ee0e7cfe4afeab444cbc44dd4006e9c5b4a09866aeec86c77
mosquitto_2.0.11.orig.tar.gz 742.5 KiB 7b36a7198bce85cf31b132f5c6ee36dcf5dadf86fb768501eb1e11ce95d4f78a
mosquitto_2.0.11-1+deb11u1.debian.tar.xz 31.4 KiB ba81896d3a06d7b3736ac4f7265f816be91f4e75481264830c1e78aeebd495a2

No changes file available.

Binary packages built by this source