This update for mosquitto fixes the following issues:
Changes in mosquitto:
- update to 2.0.23 (boo#1258671)
* Fix handling of disconnected sessions for
`per_listener_settings true`
* Check return values of openssl *_get_ex_data() and
*_set_ex_data() to prevent possible crash. This could occur only
in extremely unlikely situations
* Check return value of openssl ASN1_string_[get0_]data()
functions for NULL. This prevents a crash in case of incorrect
certificate handling in openssl
* Fix potential crash on startup if a malicious/corrupt
persistence file from mosquitto 1.5 or earlier is loaded
* Limit auto_id_prefix to 50 characters
- Update to version 2.0.22
Broker
* Bridge: Fix idle_timeout never occurring for lazy bridges.
* Fix case where max_queued_messages = 0 was not treated as
unlimited.
* Fix --version exit code and output.
* Fix crash on receiving a $CONTROL message over a bridge, if
per_listener_settings is set true and...
- openSUSE Leap 16.0:
libmosquitto1-2.0.23-bp160.1.1
libmosquittopp1-2.0.23-bp160.1.1
mosquitto-2.0.23-bp160.1.1
mosquitto-clients-2.0.23-bp160.1.1
mosquitto-devel-2.0.23-bp160.1.1
* bsc#1232635
* bsc#1232636
* bsc#1258671
References:
* https://www.suse.com/security/cve/CVE-2024-10525.html
* https://www.suse.com/security/cve/CVE-2024-3935.html