Debian Security Advisory
DSA-5511-1 mosquitto -- security update
- Date Reported:
- 01 Oct 2023
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 993400, Bug 1001028.
In Mitre's CVE dictionary: CVE-2021-34434, CVE-2023-0809, CVE-2023-3592, CVE-2023-28366, CVE-2021-41039.
- More information:
Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack.
In Eclipse Mosquitto when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets.
Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types.
The broker in Eclipse Mosquitto has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.
An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.
Additionally CVE-2021-41039 has been fixed for Debian 11
For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.11-1+deb11u1.
For the stable distribution (bookworm), these problems have been fixed in version 2.0.11-1.2+deb12u1.
We recommend that you upgrade your mosquitto packages.
For the detailed security status of mosquitto please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mosquitto