[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Accepted mosquitto 2.0.11-1.2+deb12u1 (source) into proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Sep 2023 20:41:18 CEST
Source: mosquitto
Architecture: source
Version: 2.0.11-1.2+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Roger A. Light <roger@atchoo.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 86b8753ce7aa0f3c008f03f8979f587b815260f9 2640 mosquitto_2.0.11-1.2+deb12u1.dsc
 84e055b8f0e69bb6b3f368b18915189eb87b8a23 760325 mosquitto_2.0.11.orig.tar.gz
 e9dab4f53ae14277a822f386c5eaf3de2654ac1d 33520 mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 3dbe70f665c63bae15037daa8ca755fd53eec065 10994 mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo
Checksums-Sha256:
 17afb7c6a0f8f25b655fdef3d43eaa83a062b2c9c5398ee18c1dbea94fa917de 2640 mosquitto_2.0.11-1.2+deb12u1.dsc
 7b36a7198bce85cf31b132f5c6ee36dcf5dadf86fb768501eb1e11ce95d4f78a 760325 mosquitto_2.0.11.orig.tar.gz
 3297e3cb5150b34991add3b569d8186f3c0aaf26f4867a0d27d2c89f059b9f7c 33520 mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 dadf3a2c40396e09abd1a7de445ffb5382307f80a8155f6eca9c161c966623b2 10994 mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo
Changes:
 mosquitto (2.0.11-1.2+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload.
   * Several security vulnerabilities have been discovered in mosquitto, a MQTT
     compatible message broker, which may be abused for a denial of service
     attack.
   * CVE-2021-34434:
     In Eclipse Mosquitto when using the dynamic security plugin, if the ability
     for a client to make subscriptions on a topic is revoked when a durable
     client is offline, then existing subscriptions for that client are not
     revoked.
   * CVE-2021-41039:
     An MQTT v5 client connecting with a large number of user-property
     properties could cause excessive CPU usage, leading to a loss of
     performance and possible denial of service.
   * CVE-2023-0809:
     Fix excessive memory being allocated based on malicious initial packets
     that are not CONNECT packets.
   * CVE-2023-3592:
     Fix memory leak when clients send v5 CONNECT packets with a will message
     that contains invalid property types.
   * Fix CVE-2023-28366:
     The broker in Eclipse Mosquitto has a memory leak that can be abused
     remotely when a client sends many QoS 2 messages with duplicate message
     IDs, and fails to respond to PUBREC commands. This occurs because of
     mishandling of EAGAIN from the libc send function.
Files:
 02829924286f60a561d5577b5c1b0089 2640 net optional mosquitto_2.0.11-1.2+deb12u1.dsc
 638d801e6aac611b41de76d030951612 760325 net optional mosquitto_2.0.11.orig.tar.gz
 a51373bffc704924b9bf7ab3b5bd7fb0 33520 net optional mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 ef11d46225459f37e6db6f046af1499a 10994 net optional mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUYbOdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hkic8QAM3lmsiDmlq6JeuPfGn5HQz5f262KMgWYyj6
L0oayd/llRRZp4N5c+qliCbWDVTUUPZj8bg6opV62TAFsDPj/5dcm5s+EfTShF3N
EDxckAkveNPq75DJZsmblzhkL5ZhX+ZkUNXGgovlbA/ECrS1qPxp8WZcmIIlQ18f
+rTtFuFN/3hvOC56hNSAYQAeCbhcAri+sgnlKsWF9gB7b2vNnpubFiOJhMRad7Us
NuUCy++crRGWWDBpEtmIftGtXdtSs/8yChn70mOVKqwi/1WI9eFvsUYTcyT/VaXM
4X8AIUqW/hlTxbnK+J48WiP8HZ/0BUqBdWuC1pU/M6+Wnm8IaU0+qm/josOctvjf
G9HEYSY/+Oe+PjdDKYXaRppcZhmbeAbCAzO+2ycX1VJ2f8pa+FCui3MmsGPfYrew
BOTGj0930W38PdF+KF3Gv+WMo7JN1ACsWvv8UNsQw63uFDl1uCs/isnEvDWhCvy2
/HmIl/XURHn7ql7AbPuJYCJk/HcWVWrMfvvolu+Amlw5FVXS+JNv58NHFKBmol3s
eITJz380MThAsNx9orl2Hf8lvch1vkcrPAP0egeRYvK0As4AaOH6k0yzGH87pTD+
kRiKZX04ivg19Z82mfWJzU9JvOnCxvtONe/uL4uOQMX2aBxkNO9olZRdfPCedpzd
sCEAHSQQ
=USon
-----END PGP SIGNATURE-----


Reply to: