openSUSE Leap 16.0 Mosquitto Essential Security Flaws RHSA-2026-20260-2

opensuse
February 24, 2026
This update fixes critical security issues in Mosquitto on openSUSE Leap 16.0 to prevent crashes and improve functionality.
An update that solves 2 vulnerabilities and has 3 bug fixes can now be installed.

Description

This update for mosquitto fixes the following issues:

Changes in mosquitto:

- Update to version 2.0.23 (boo#1258671)

  * Fix handling of disconnected sessions for `per_listener_settings true`
  * Check return values of openssl *_get_ex_data() and *_set_ex_data() to prevent possible crash. This could occur only in extremely unlikely situations
  * Check return value of openssl ASN1_string_[get0_]data() functions for NULL. This prevents a crash in case of incorrect certificate handling in openssl
  * Fix potential crash on startup if a malicious/corrupt persistence file from mosquitto 1.5 or earlier is loaded
  * Limit auto_id_prefix to 50 characters

- Update to version 2.0.22

  Broker

  * Bridge: Fix idle_timeout never occurring for lazy bridges.
  * Fix case where max_queued_messages = 0 was not treated as unlimited.
  * Fix --version exit code and output.
  * Fix crash on receiving a $CONTROL message over a bridge, if per_listener_settings is set true and...


Patch

Package List

- openSUSE Leap 16.0:

libmosquitto1-2.0.23-bp160.1.1

libmosquittopp1-2.0.23-bp160.1.1

mosquitto-2.0.23-bp160.1.1

mosquitto-clients-2.0.23-bp160.1.1

mosquitto-devel-2.0.23-bp160.1.1
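
To confirm that a host has picked up this update, the installed mosquitto packages can be compared against the fixed build in the package list above. The script below is an added example, not part of the advisory: the `is_patched` and `audit` helper names and the sample inventory are constructed, and it assumes GNU `sort -V` as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Added example: flag mosquitto packages older than the advisory's fixed build.
FIXED="2.0.23-bp160.1.1"   # version-release from the advisory's package list
PACKAGES="libmosquitto1 libmosquittopp1 mosquitto mosquitto-clients mosquitto-devel"

# is_patched EVR: exit 0 when EVR >= FIXED.
# Assumption: GNU `sort -V` ordering stands in for rpm's version comparison,
# which agrees for plain dotted versions like these.
is_patched() {
    [ "$1" = "$FIXED" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# audit: read "name version-release" lines on stdin and print the advisory's
# packages that are still below FIXED. Unrelated packages are ignored.
audit() {
    while read -r name evr; do
        case " $PACKAGES " in
            *" $name "*) ;;
            *) continue ;;
        esac
        is_patched "$evr" || printf '%s %s\n' "$name" "$evr"
    done
}

# Constructed sample inventory (not output from a real host).
SAMPLE='mosquitto 2.0.22-bp160.1.1
libmosquitto1 2.0.23-bp160.1.1
mosquitto-clients 2.0.18-bp160.2.3
openssl 3.5.0-160000.1.1
mosquitto-devel 2.0.23-bp160.2.1'

printf '%s\n' "$SAMPLE" | audit

# On a live system, feed the real package database instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit
```

Any line printed names a package that still needs the update; empty output means every installed mosquitto package is at or above the fixed build.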

References

* bsc#1232635

* bsc#1232636

* bsc#1258671

References:

* https://www.suse.com/security/cve/CVE-2024-10525.html

* https://www.suse.com/security/cve/CVE-2024-3935.html

Severity
critical

Announcement ID: openSUSE-SU-2026:20260-1
Rating: critical
Affected Products: openSUSE Leap 16.0
