Debian Security Advisory
DSA-5511-1 mosquitto -- security update
- Date Reported:
- 01 Oct 2023
- Affected Packages:
- mosquitto
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 993400, Bug 1001028.
In Mitre's CVE dictionary: CVE-2021-34434, CVE-2023-0809, CVE-2023-3592, CVE-2023-28366, CVE-2021-41039. - More information:
-
Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack.
- CVE-2021-34434
In Eclipse Mosquitto when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
- CVE-2023-0809
Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets.
- CVE-2023-3592
Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types.
- CVE-2023-28366
The broker in Eclipse Mosquitto has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.
- CVE-2021-41039
An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.
Additionally CVE-2021-41039 has been fixed for Debian 11
Bullseye
.For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.11-1+deb11u1.
For the stable distribution (bookworm), these problems have been fixed in version 2.0.11-1.2+deb12u1.
We recommend that you upgrade your mosquitto packages.
For the detailed security status of mosquitto please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mosquitto
- CVE-2021-34434