Accepted mosquitto 2.0.11-1+deb11u1 (source) into oldstable-proposed-updates
- To: debian-changes@lists.debian.org
- Subject: Accepted mosquitto 2.0.11-1+deb11u1 (source) into oldstable-proposed-updates
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 07 Oct 2023 21:18:37 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: mosquitto_2.0.11-1+deb11u1_source.changes
- Debian-source: mosquitto
- Debian-suite: oldstable-proposed-updates
- Debian-version: 2.0.11-1+deb11u1
- Mail-followup-to: debian-devel@lists.debian.org
- Message-id: <E1qpEh3-00DizF-27@fasolo.debian.org>
- Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 Sep 2023 20:57:20 CEST
Source: mosquitto
Architecture: source
Version: 2.0.11-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Roger A. Light <roger@atchoo.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
32d901018a30a4e5c479a415f8314d8b902ec920 2632 mosquitto_2.0.11-1+deb11u1.dsc
e39d44425a006c4c7e11a9320e159557d14deefa 32132 mosquitto_2.0.11-1+deb11u1.debian.tar.xz
2c5d839717a845ce846e6ad12312b2e565c60987 10917 mosquitto_2.0.11-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
2f8124229527652ee0e7cfe4afeab444cbc44dd4006e9c5b4a09866aeec86c77 2632 mosquitto_2.0.11-1+deb11u1.dsc
ba81896d3a06d7b3736ac4f7265f816be91f4e75481264830c1e78aeebd495a2 32132 mosquitto_2.0.11-1+deb11u1.debian.tar.xz
b2c7c8f9c7a01e6b1dcf036480c88a42abf1740c186fad02f0145ff2d5fb4b20 10917 mosquitto_2.0.11-1+deb11u1_amd64.buildinfo
Changes:
 mosquitto (2.0.11-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload.
   * Several security vulnerabilities have been discovered in mosquitto, an MQTT
     compatible message broker, which may be abused for a denial of service
     attack.
   * CVE-2021-34434:
     In Eclipse Mosquitto when using the dynamic security plugin, if the ability
     for a client to make subscriptions on a topic is revoked when a durable
     client is offline, then existing subscriptions for that client are not
     revoked.
   * CVE-2021-41039:
     An MQTT v5 client connecting with a large number of user-property
     properties could cause excessive CPU usage, leading to a loss of
     performance and possible denial of service.
   * CVE-2023-0809:
     Fix excessive memory being allocated based on malicious initial packets
     that are not CONNECT packets.
   * CVE-2023-3592:
     Fix memory leak when clients send v5 CONNECT packets with a will message
     that contains invalid property types.
   * Fix CVE-2023-28366:
     The broker in Eclipse Mosquitto has a memory leak that can be abused
     remotely when a client sends many QoS 2 messages with duplicate message
     IDs, and fails to respond to PUBREC commands. This occurs because of
     mishandling of EAGAIN from the libc send function.
Files:
516d1b6c1b9d72d17196337bc6a0c83d 2632 net optional mosquitto_2.0.11-1+deb11u1.dsc
a6bc011197f7cc3aeacc7e683d2d7395 32132 net optional mosquitto_2.0.11-1+deb11u1.debian.tar.xz
77e9e3929ddc933ad7e17e30756d457b 10917 net optional mosquitto_2.0.11-1+deb11u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----