-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 30 Sep 2023 20:57:20 CEST Source: mosquitto Architecture: source Version: 2.0.11-1+deb11u1 Distribution: bullseye-security Urgency: high Maintainer: Roger A. Light <roger@atchoo.org> Changed-By: Markus Koschany <apo@debian.org> Checksums-Sha1: 32d901018a30a4e5c479a415f8314d8b902ec920 2632 mosquitto_2.0.11-1+deb11u1.dsc e39d44425a006c4c7e11a9320e159557d14deefa 32132 mosquitto_2.0.11-1+deb11u1.debian.tar.xz 2c5d839717a845ce846e6ad12312b2e565c60987 10917 mosquitto_2.0.11-1+deb11u1_amd64.buildinfo Checksums-Sha256: 2f8124229527652ee0e7cfe4afeab444cbc44dd4006e9c5b4a09866aeec86c77 2632 mosquitto_2.0.11-1+deb11u1.dsc ba81896d3a06d7b3736ac4f7265f816be91f4e75481264830c1e78aeebd495a2 32132 mosquitto_2.0.11-1+deb11u1.debian.tar.xz b2c7c8f9c7a01e6b1dcf036480c88a42abf1740c186fad02f0145ff2d5fb4b20 10917 mosquitto_2.0.11-1+deb11u1_amd64.buildinfo Changes: mosquitto (2.0.11-1+deb11u1) bullseye-security; urgency=high . * Non-maintainer upload. * Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack. * CVE-2021-34434: In Eclipse Mosquitto when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked. * CVE-2021-41039: An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service. * CVE-2023-0809: Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets. * CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types. * Fix CVE-2023-28366: The broker in Eclipse Mosquitto has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function. Files: 516d1b6c1b9d72d17196337bc6a0c83d 2632 net optional mosquitto_2.0.11-1+deb11u1.dsc a6bc011197f7cc3aeacc7e683d2d7395 32132 net optional mosquitto_2.0.11-1+deb11u1.debian.tar.xz 77e9e3929ddc933ad7e17e30756d457b 10917 net optional mosquitto_2.0.11-1+deb11u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUYhzlfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp YW4ub3JnAAoJENmtFLlRO1Hkk3gP/0g04NrM4PZqyI06vQwy0bAnQ+dDCaFOtLzP c1MzAgpbq8HhEQx4EPGdD5sc2KYJvrps7OS8B/rpKCO9m7RRhFFYrTWwWL7SQYwF jaIjDjUNxQ2HfY1AjoFdn62qRwN0oyQF1gg2AhcHdsDspUnT5iBC6oKl7eiuTOPC AX4+BBiMbt+G28jdFTnbsRRBclz25VjHxfSk4JnAq58Q4g27TXvi9+h5Zpnjm5mb AItJiKV9VqwCA+sNRfJvrcUFAUxFc3DYOxC7XWcd/nExLJ+GxYiBuX+wwwMINCrB aN5HOK1+TGU7FdjyOknGbK8u3Q2DtByG1Y2656s48909tLhC0Yv5/Rfsc0c6JOip yKnTO3WAImkESGYoAVoVWrZcIh2pxjxu7u+1TABMYcyenZdObY6wVABlFVP3QAM4 5MLvZkfHJx2me4iThOyEZihTVYJwb0RGpWAlp9vCDoQnUEgTAh2jAcfHezGxq+Hw f/BqKE2XfPR/L/rs0d+1M11odKo/+GVODdt5xSuYWJ0r37W11lDPIOI+PBzSFCq/ A7fORJL5jKqL+a7qW13YB5MuXShXG47lTcLQOiZ/ka9hxTyOk5nSfnYn6bpwSwJj 5/6AzAwg6TQVibYJXEwvbPS0pgn8ADz1mvJ02/1FocGkFw6rH+uqyVGAxrsI6/jS 0Jj18s2X =ed+J -----END PGP SIGNATURE-----