
Accepted mosquitto 2.0.11-1.2+deb12u1 (source) into proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Sep 2023 20:41:18 CEST
Source: mosquitto
Architecture: source
Version: 2.0.11-1.2+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Roger A. Light <roger@atchoo.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 86b8753ce7aa0f3c008f03f8979f587b815260f9 2640 mosquitto_2.0.11-1.2+deb12u1.dsc
 84e055b8f0e69bb6b3f368b18915189eb87b8a23 760325 mosquitto_2.0.11.orig.tar.gz
 e9dab4f53ae14277a822f386c5eaf3de2654ac1d 33520 mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 3dbe70f665c63bae15037daa8ca755fd53eec065 10994 mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo
Checksums-Sha256:
 17afb7c6a0f8f25b655fdef3d43eaa83a062b2c9c5398ee18c1dbea94fa917de 2640 mosquitto_2.0.11-1.2+deb12u1.dsc
 7b36a7198bce85cf31b132f5c6ee36dcf5dadf86fb768501eb1e11ce95d4f78a 760325 mosquitto_2.0.11.orig.tar.gz
 3297e3cb5150b34991add3b569d8186f3c0aaf26f4867a0d27d2c89f059b9f7c 33520 mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 dadf3a2c40396e09abd1a7de445ffb5382307f80a8155f6eca9c161c966623b2 10994 mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo
Changes:
 mosquitto (2.0.11-1.2+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload.
   * Several security vulnerabilities have been discovered in mosquitto, an
     MQTT-compatible message broker, which may be abused for a denial of
     service attack.
   * CVE-2021-34434:
     In Eclipse Mosquitto when using the dynamic security plugin, if the ability
     for a client to make subscriptions on a topic is revoked when a durable
     client is offline, then existing subscriptions for that client are not
     revoked.
   * CVE-2021-41039:
     An MQTT v5 client connecting with a large number of user-property
     properties could cause excessive CPU usage, leading to a loss of
     performance and possible denial of service.
   * CVE-2023-0809:
     Fix excessive memory being allocated based on malicious initial packets
     that are not CONNECT packets.
   * CVE-2023-3592:
     Fix memory leak when clients send v5 CONNECT packets with a will message
     that contains invalid property types.
   * CVE-2023-28366:
     The broker in Eclipse Mosquitto has a memory leak that can be abused
     remotely when a client sends many QoS 2 messages with duplicate message
     IDs, and fails to respond to PUBREC commands. This occurs because of
     mishandling of EAGAIN from the libc send function.
Files:
 02829924286f60a561d5577b5c1b0089 2640 net optional mosquitto_2.0.11-1.2+deb12u1.dsc
 638d801e6aac611b41de76d030951612 760325 net optional mosquitto_2.0.11.orig.tar.gz
 a51373bffc704924b9bf7ab3b5bd7fb0 33520 net optional mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 ef11d46225459f37e6db6f046af1499a 10994 net optional mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
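
Before building or installing from this upload, a practitioner verifies the downloaded source files against the Checksums-Sha1, Checksums-Sha256 and Files fields above. The Python below is an added example, not code from the Debian archive tooling or from the mosquitto project: it parses those three fields, checks that they agree on file names and sizes, and hashes files in a directory with all three algorithms. The directory it checks is constructed for the demonstration (a stand-in .dsc of the right size but wrong content for the page's own entry, plus a sample file whose digests are computed on the spot); in daily use `dscverify` from devscripts does this check and additionally verifies the OpenPGP signature, which this example does not.

```python
"""Verify the files of a Debian upload against its .changes checksum fields.

Added example, not Debian archive or mosquitto project code. It reads the
Checksums-Sha1, Checksums-Sha256 and Files fields, checks that they agree on
file names and sizes, then hashes files on disk with all three algorithms.
It does not check the OpenPGP signature (dscverify from devscripts does).
"""
import hashlib
import os
import tempfile

# Excerpt of the .changes file above (only the fields used here).
CHANGES_EXCERPT = """\
Source: mosquitto
Version: 2.0.11-1.2+deb12u1
Checksums-Sha1:
 86b8753ce7aa0f3c008f03f8979f587b815260f9 2640 mosquitto_2.0.11-1.2+deb12u1.dsc
 84e055b8f0e69bb6b3f368b18915189eb87b8a23 760325 mosquitto_2.0.11.orig.tar.gz
 e9dab4f53ae14277a822f386c5eaf3de2654ac1d 33520 mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 3dbe70f665c63bae15037daa8ca755fd53eec065 10994 mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo
Checksums-Sha256:
 17afb7c6a0f8f25b655fdef3d43eaa83a062b2c9c5398ee18c1dbea94fa917de 2640 mosquitto_2.0.11-1.2+deb12u1.dsc
 7b36a7198bce85cf31b132f5c6ee36dcf5dadf86fb768501eb1e11ce95d4f78a 760325 mosquitto_2.0.11.orig.tar.gz
 3297e3cb5150b34991add3b569d8186f3c0aaf26f4867a0d27d2c89f059b9f7c 33520 mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 dadf3a2c40396e09abd1a7de445ffb5382307f80a8155f6eca9c161c966623b2 10994 mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo
Files:
 02829924286f60a561d5577b5c1b0089 2640 net optional mosquitto_2.0.11-1.2+deb12u1.dsc
 638d801e6aac611b41de76d030951612 760325 net optional mosquitto_2.0.11.orig.tar.gz
 a51373bffc704924b9bf7ab3b5bd7fb0 33520 net optional mosquitto_2.0.11-1.2+deb12u1.debian.tar.xz
 ef11d46225459f37e6db6f046af1499a 10994 net optional mosquitto_2.0.11-1.2+deb12u1_amd64.buildinfo
"""

# Field -> (hashlib algorithm, index of the file name within one entry).
# Checksums-* entries read "digest size name"; Files entries read
# "md5 size section priority name".
HASH_FIELDS = {
    "Checksums-Sha1": ("sha1", 2),
    "Checksums-Sha256": ("sha256", 2),
    "Files": ("md5", 4),
}


def parse_changes(text):
    """Split the RFC822-style fields; a line starting with a space continues
    the previous field, so multi-line fields become lists of entries."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            fields[current].append(line.strip())
        elif ":" in line:
            current, _, value = line.partition(":")
            current = current.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def expected_digests(fields):
    """Merge the three sections into {name: {"size", "sha1", "sha256", "md5"}}.
    The sections must describe the same files with the same sizes, and every
    file needs all three digests; anything else raises ValueError."""
    expected = {}
    for field, (algo, name_idx) in HASH_FIELDS.items():
        for entry in fields.get(field, []):
            tokens = entry.split()
            digest, size, name = tokens[0].lower(), int(tokens[1]), tokens[name_idx]
            rec = expected.setdefault(name, {"size": size})
            if rec["size"] != size:
                raise ValueError(f"{name}: size {size} in {field} differs from {rec['size']}")
            rec[algo] = digest
    for name, rec in expected.items():
        for algo, _ in HASH_FIELDS.values():
            if algo not in rec:
                raise ValueError(f"{name}: no {algo} digest listed")
    return expected


def verify_directory(expected, directory):
    """Return {name: "ok" | "missing" | "size mismatch" | "<algo> mismatch"},
    hashing each file once for all three algorithms."""
    results = {}
    for name, rec in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != rec["size"]:
            results[name] = "size mismatch"
            continue
        hashers = {algo: hashlib.new(algo) for algo, _ in HASH_FIELDS.values()}
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                for h in hashers.values():
                    h.update(chunk)
        bad = [algo for algo, h in hashers.items() if h.hexdigest() != rec[algo]]
        results[name] = "ok" if not bad else f"{bad[0]} mismatch"
    return results


def changes_for(files):
    """Build the three checksum fields for {name: bytes} (constructs test input)."""
    lines = []
    for field, (algo, _) in HASH_FIELDS.items():
        lines.append(field + ":")
        for name, data in files.items():
            extra = " net optional" if field == "Files" else ""
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)}{extra} {name}")
    return "\n".join(lines) + "\n"


def demo():
    """Check a temporary directory of constructed files and return {name: status}:
    the page's own entries against a stand-in .dsc with the right size but wrong
    bytes (the other three files absent), plus a sample whose digests are
    computed here and therefore verify."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "mosquitto_2.0.11-1.2+deb12u1.dsc"), "wb") as fh:
            fh.write(b"x" * 2640)  # constructed stand-in, not the real .dsc
        results.update(verify_directory(expected_digests(parse_changes(CHANGES_EXCERPT)), tmp))
        good = b"constructed sample content\n"
        with open(os.path.join(tmp, "sample.txt"), "wb") as fh:
            fh.write(good)
        sample = expected_digests(parse_changes(changes_for({"sample.txt": good})))
        results.update(verify_directory(sample, tmp))
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14} {name}")
```

Against a real download directory, replace the demo with `verify_directory(expected_digests(parse_changes(open("mosquitto_2.0.11-1.2+deb12u1_amd64.changes").read())), ".")`; a size mismatch is reported before any hashing so a truncated download fails fast, and because all three sections are merged, a .changes whose Files and Checksums-Sha256 lines disagree is rejected before any file is touched.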