Debian Security Advisory

DSA-5511-1 mosquitto -- security update

Date Reported:
01 Oct 2023
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 993400, Bug 1001028.
In Mitre's CVE dictionary: CVE-2021-34434, CVE-2023-0809, CVE-2023-3592, CVE-2023-28366, CVE-2021-41039.
More information:

Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack.

  • CVE-2021-34434

    In Eclipse Mosquitto when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.

  • CVE-2023-0809

    Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets.

  • CVE-2023-3592

    Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types.

  • CVE-2023-28366

    The broker in Eclipse Mosquitto has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

  • Additionally CVE-2021-41039 has been fixed for Debian 11 Bullseye.

  • CVE-2021-41039

    An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.11-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 2.0.11-1.2+deb12u1.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to its security tracker page at: