Debian 11 DSA-5511-1 Moderate DoS: Mosquitto Security Fixes

October 1, 2023
Several vulnerabilities in Mosquitto have been addressed, closing possible denial-of-service vectors.

Summary

Several security vulnerabilities have been discovered in mosquitto, an MQTT-compatible
message broker, which may be abused for a denial of service attack.

CVE-2021-34434

In Eclipse Mosquitto when using the dynamic security plugin, if the ability
for a client to make subscriptions on a topic is revoked when a durable
client is offline, then existing subscriptions for that client are not
revoked.

CVE-2023-0809

Fix excessive memory being allocated based on malicious initial packets
that are not CONNECT packets.
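A defensive illustration of the CVE-2023-0809 pattern, added here and not taken from Mosquitto's source: decode the MQTT fixed header of a client's first packet and refuse to size a receive buffer from its declared length unless the packet is a CONNECT that fits under a tight pre-authentication cap. The function names and the cap value are assumptions of this example, not Mosquitto settings.

```python
CONNECT = 1                         # MQTT control packet type 1 (high nibble of byte 0)
MAX_REMAINING_LENGTH = 268_435_455  # largest value a 4-byte variable byte integer can hold

def decode_remaining_length(buf: bytes, offset: int = 1):
    """Decode the MQTT variable byte integer starting at buf[offset].

    Returns (value, bytes_consumed), or None if the encoding is truncated
    or malformed (a continuation bit set on the fourth byte).
    """
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(buf):
            return None                       # truncated: need more bytes
        byte = buf[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, i + 1
        multiplier *= 128
    return None                               # fifth byte would be needed: malformed

def first_packet_alloc_size(buf: bytes, pre_connect_cap: int = 1024) -> int:
    """Decide how many bytes to reserve for an unauthenticated client's first packet.

    Raises ValueError when the packet should be rejected instead of buffered.
    pre_connect_cap is an assumed policy value for this example.
    """
    if not buf:
        raise ValueError("empty packet")
    packet_type = buf[0] >> 4
    decoded = decode_remaining_length(buf)
    if decoded is None:
        raise ValueError("malformed remaining length")
    remaining, consumed = decoded
    if packet_type != CONNECT:
        # Anything but CONNECT before a session exists: never trust its length field.
        raise ValueError(f"first packet type {packet_type} is not CONNECT")
    if remaining > pre_connect_cap:
        # Even a CONNECT gets a tight cap until the client has authenticated.
        raise ValueError(f"CONNECT too large: {remaining} > {pre_connect_cap}")
    return 1 + consumed + remaining           # fixed header byte + length bytes + body

# Constructed samples: a small MQTT 3.1.1 CONNECT header, and a PUBLISH header
# whose length field claims the maximum 268,435,455 bytes before any CONNECT.
CONNECT_SAMPLE = bytes([0x10, 0x0C, 0x00, 0x04]) + b"MQTT" + bytes([0x04, 0x02, 0x00, 0x3C])
HUGE_PUBLISH_SAMPLE = bytes([0x30, 0xFF, 0xFF, 0xFF, 0x7F])
```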

CVE-2023-3592

Fix memory leak when clients send v5 CONNECT packets with a will message
that contains invalid property types.

CVE-2023-28366

The broker in Eclipse Mosquitto has a memory leak that can be abused
remotely when a client sends many QoS 2 messages with duplicate message
IDs, and fails to respond to PUBREC commands. This occurs because of
mishandling of EAGAIN from the libc send function.

Additionally, CVE-2021-41039 has been fixed for Debian...

Package: mosquitto
CVE ID: CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366
