-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Sep 2023 20:41:18 CEST
Source: mosquitto
Architecture: source
Version: 2.0.11-1.2+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Roger A. Light <roger@atchoo.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 86b8753ce7aa0f3c008f03f8979f587b815260f9 2640 mosquitto_2.0.11-1.2+deb12u1.dsc
 84e055b8f0e69bb6b3f368b18915189eb87b8a23 760325 mosquitto_2.0.11.orig.tar.gz
 e9dab4f53ae14277a822f386c5eaf3de2654ac1d 33520 mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 3dbe70f665c63bae15037daa8ca755fd53eec065 10994 mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo
Checksums-Sha256:
 17afb7c6a0f8f25b655fdef3d43eaa83a062b2c9c5398ee18c1dbea94fa917de 2640 mosquitto_2.0.11-1.2+deb12u1.dsc
 7b36a7198bce85cf31b132f5c6ee36dcf5dadf86fb768501eb1e11ce95d4f78a 760325 mosquitto_2.0.11.orig.tar.gz
 3297e3cb5150b34991add3b569d8186f3c0aaf26f4867a0d27d2c89f059b9f7c 33520 mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 dadf3a2c40396e09abd1a7de445ffb5382307f80a8155f6eca9c161c966623b2 10994 mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo
Changes:
 mosquitto (2.0.11-1.2+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload.
   * Several security vulnerabilities have been discovered in mosquitto, a MQTT
     compatible message broker, which may be abused for a denial of service
     attack.
   * CVE-2021-34434: In Eclipse Mosquitto when using the dynamic security
     plugin, if the ability for a client to make subscriptions on a topic is
     revoked when a durable client is offline, then existing subscriptions for
     that client are not revoked.
   * CVE-2021-41039: An MQTT v5 client connecting with a large number of
     user-property properties could cause excessive CPU usage, leading to a
     loss of performance and possible denial of service.
   * CVE-2023-0809: Fix excessive memory being allocated based on malicious
     initial packets that are not CONNECT packets.
   * CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with
     a will message that contains invalid property types.
   * Fix CVE-2023-28366: The broker in Eclipse Mosquitto has a memory leak
     that can be abused remotely when a client sends many QoS 2 messages with
     duplicate message IDs, and fails to respond to PUBREC commands. This
     occurs because of mishandling of EAGAIN from the libc send function.
Files:
 02829924286f60a561d5577b5c1b0089 2640 net optional mosquitto_2.0.11-1.2+deb12u1.dsc
 638d801e6aac611b41de76d030951612 760325 net optional mosquitto_2.0.11.orig.tar.gz
 a51373bffc704924b9bf7ab3b5bd7fb0 33520 net optional mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 ef11d46225459f37e6db6f046af1499a 10994 net optional mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----