[SECURITY] [DSA 5511-1] mosquitto security update

    From Markus Koschany@21:1/5 to All on Sun Oct 1 22:00:01 2023
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    -------------------------------------------------------------------------
    Debian Security Advisory DSA-5511-1                   security@debian.org
    https://www.debian.org/security/                         Markus Koschany
    October 01, 2023                      https://www.debian.org/security/faq
    -------------------------------------------------------------------------

    Package : mosquitto
    CVE ID : CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366
    Debian Bug : 993400 1001028

    Several security vulnerabilities have been discovered in mosquitto, an MQTT-compatible message broker, which may be abused for a denial of service attack.

    CVE-2021-34434

    In Eclipse Mosquitto when using the dynamic security plugin, if the ability
    for a client to make subscriptions on a topic is revoked when a durable
    client is offline, then existing subscriptions for that client are not

    CVE-2023-0809

    Fix excessive memory being allocated based on malicious initial packets
    that are not CONNECT packets.
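    As an added illustration of the class of check behind that fix (this is example code written for this page, not Eclipse Mosquitto's own code): a parser for the MQTT fixed header of a client's first packet that refuses anything other than CONNECT and caps the declared remaining length before any buffer is sized from it. The MAX_PACKET_SIZE limit, the status enum and the sample packets are constructed assumptions for the example; the varint rules (1 to 4 length bytes, 7 data bits each) are from the MQTT specification.

```c
/* Added example, not Eclipse Mosquitto's own code: validate the MQTT fixed
 * header of a client's first packet before allocating a buffer for the body.
 * The fixed header is one control byte (type in the upper nibble, flags in
 * the lower) followed by a "remaining length" varint of 1 to 4 bytes, 7 data
 * bits per byte, high bit set when another byte follows. MAX_PACKET_SIZE
 * and the sample packets below are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MQTT_CONNECT     1               /* control packet type CONNECT */
#define MAX_PACKET_SIZE  (64u * 1024u)   /* assumed broker policy limit */

enum hdr_status {
    HDR_OK = 0,
    HDR_NEED_MORE,     /* buffer ends inside the fixed header */
    HDR_MALFORMED,     /* more than 4 length bytes, or reserved flags set */
    HDR_NOT_CONNECT,   /* first packet on the connection is not CONNECT */
    HDR_TOO_LARGE      /* remaining length exceeds MAX_PACKET_SIZE */
};

struct fixed_header {
    uint8_t  type;             /* control packet type (1 = CONNECT) */
    uint8_t  flags;            /* lower nibble of the first byte */
    uint32_t remaining_length; /* bytes that follow the fixed header */
    size_t   header_len;       /* bytes consumed by the fixed header */
};

/* Parse buf[0..len). Only HDR_OK means the caller may allocate
 * hdr->remaining_length bytes; every other status means "do not allocate". */
enum hdr_status parse_fixed_header(const uint8_t *buf, size_t len,
                                   int first_packet, struct fixed_header *hdr)
{
    if (len < 2) return HDR_NEED_MORE;

    hdr->type  = buf[0] >> 4;
    hdr->flags = buf[0] & 0x0F;

    /* Policy before length decoding: a fresh connection must start with
     * CONNECT, so anything else is rejected without reading further. */
    if (first_packet && hdr->type != MQTT_CONNECT) return HDR_NOT_CONNECT;
    /* CONNECT's flag bits are reserved and must be zero. */
    if (hdr->type == MQTT_CONNECT && hdr->flags != 0) return HDR_MALFORMED;

    uint32_t value = 0, multiplier = 1;
    size_t i = 1;
    for (;;) {
        if (i > 4)    return HDR_MALFORMED;  /* spec allows at most 4 bytes */
        if (i >= len) return HDR_NEED_MORE;
        uint8_t b = buf[i++];
        value += (uint32_t)(b & 0x7F) * multiplier;
        if ((b & 0x80) == 0) break;
        multiplier *= 128;
    }
    hdr->remaining_length = value;
    hdr->header_len = i;

    /* The size cap is enforced here, before anything is allocated from value. */
    if (value > MAX_PACKET_SIZE) return HDR_TOO_LARGE;
    return HDR_OK;
}

/* Constructed sample first packets (fixed header bytes only). */
static const uint8_t pkt_connect_ok[] = { 0x10, 0x0C };                         /* CONNECT, 12 bytes follow */
static const uint8_t pkt_publish[]    = { 0x30, 0x05 };                         /* PUBLISH as first packet */
static const uint8_t pkt_huge[]       = { 0x10, 0xFF, 0xFF, 0xFF, 0x7F };       /* CONNECT, 268435455 bytes */
static const uint8_t pkt_five_bytes[] = { 0x10, 0x80, 0x80, 0x80, 0x80, 0x01 }; /* 5 length bytes */
static const uint8_t pkt_truncated[]  = { 0x10, 0x80 };                         /* varint cut off */

int main(void)
{
    static const char *names[] = { "OK", "NEED_MORE", "MALFORMED", "NOT_CONNECT", "TOO_LARGE" };
    struct fixed_header h;
    printf("connect:    %s\n", names[parse_fixed_header(pkt_connect_ok, sizeof pkt_connect_ok, 1, &h)]);
    printf("publish:    %s\n", names[parse_fixed_header(pkt_publish, sizeof pkt_publish, 1, &h)]);
    printf("huge:       %s\n", names[parse_fixed_header(pkt_huge, sizeof pkt_huge, 1, &h)]);
    printf("five bytes: %s\n", names[parse_fixed_header(pkt_five_bytes, sizeof pkt_five_bytes, 1, &h)]);
    printf("truncated:  %s\n", names[parse_fixed_header(pkt_truncated, sizeof pkt_truncated, 1, &h)]);
    return 0;
}
```

    The ordering inside parse_fixed_header is the point: the packet-type policy is applied before the length is decoded, and the length cap is applied before any allocation, so a peer that never sends a valid CONNECT cannot make the broker reserve memory on its behalf.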

    CVE-2023-3592

    Fix memory leak when clients send v5 CONNECT packets with a will message
    that contains invalid property types.

    CVE-2023-28366

    The broker in Eclipse Mosquitto has a memory leak that can be abused
    remotely when a client sends many QoS 2 messages with duplicate message
    IDs, and fails to respond to PUBREC commands. This occurs because of
    mishandling of EAGAIN from the libc send function.

    Additionally, CVE-2021-41039 has been fixed for Debian 11 "Bullseye".

    CVE-2021-41039

    An MQTT v5 client connecting with a large number of user-property
    properties could cause excessive CPU usage, leading to a loss of
    performance and possible denial of service.

    For the oldstable distribution (bullseye), these problems have been fixed
    in version 2.0.11-1+deb11u1.

    For the stable distribution (bookworm), these problems have been fixed in version 2.0.11-1.2+deb12u1.

    We recommend that you upgrade your mosquitto packages.

    For the detailed security status of mosquitto please refer to
    its security tracker page at: https://security-tracker.debian.org/tracker/mosquitto

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUZx+xfFIAAAAAALgAo
    aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
    RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
    UeTgyhAAwGXTLpeJ0n2FCmZdkhOJCz8qgD4nesLMKGnNH4bq0RWgunDe7CSagvMo
    YG83i4+S0xuH0BLL+5Ytu5Y4MTU9cMJXLaOYL0ivomtjQKilS4aoJQ9ps4bfZPff
    ChsFYi2IUB3VZlNaS8yLIh9Rm8630P51Te9jXTktMwvj8SDalt+HRchR2V5sAsK0
    G8fwSgAP4eIUb3xRWJNrHUXSRgiJpHIeWW8WIo9c0V7Tks/rIoYgXNQiQow1Hde5
    B6k8yHk2xwoXOMoTenY9xrrdY9HZuUqVe9qayl+AMREYmcNPmZvZDpMjUSxdOMdp
    JP/YD6nKp92DNlZG82k/45nWFLogAPQUC2SupaUrPQRJ99xDzlby4KkGt95rKMXE
    4tuc0sqR4EM2v9zhp9jmkIAVzQyBf3vVZNu5yyug0+7/jT/fwh/wFW3B3TTFYH4m
    lD3+9i1NPKt3hdBfZKryWDqmYV+86vvGLVPj5AzNF/JEj9wuFC5DzU44M09Qk2rO
    J0FWk0nKg6SznG5zY8k+L+tcpMYg+RoD/kJXZP+OuvSLUcnYw2NWYcW3sDccO/zI
    cVvIWDmnjei4D3VMkATnkHe7HCqO+bX4nvvytgPxj1WhZ17MIGqs7qRJbCEblDRd
    GZAIo0EWhmsZsEwRaXr7II/0qxOJ2EeXiFsbyYzWQCVOknmnzOI=
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)