--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-9adc4be8b0
2023-09-15 18:36:13.238037
--------------------------------------------------------------------------------

Name        : mosquitto
Product     : Fedora 39
Version     : 2.0.17
Release     : 1.fc39
URL         : https://mosquitto.org/
Summary     : Open Source MQTT v5/v3.1.x Broker
Description :
Mosquitto is an open source message broker that implements the MQ Telemetry
Transport protocol version 3.1 and 3.1.1. MQTT provides a lightweight method of
carrying out messaging using a publish/subscribe model. This makes it suitable
for "machine to machine" messaging such as with low power sensors or mobile
devices such as phones, embedded computers or micro-controllers like the
Arduino.
--------------------------------------------------------------------------------
Update Information:

2.0.17

Broker:
* Fix `max_queued_messages 0` stopping clients from receiving messages.
* Fix `max_inflight_messages` not being set correctly.

Apps:
* Fix `mosquitto_passwd -U` backup file creation.

2.0.16

Security:
* CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2
  messages with the same message ID, but then never respond to the PUBREC
  commands.
* CVE-2023-0809: Fix excessive memory being allocated based on malicious
  initial packets that are not CONNECT packets.
* CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a
  will message that contains invalid property types.
* Broker will now reject Will messages that attempt to publish to $CONTROL/.
* Broker now validates that usernames provided in a TLS certificate or
  TLS-PSK identity are valid UTF-8.
* Fix potential crash when loading an invalid persistence file.
* Library will no longer allow single level wildcard certificates, e.g. *.com

Broker:
* Fix $SYS messages being expired after 60 seconds and hence unchanged values
  disappearing.
* Fix some retained topic memory not being cleared immediately after use.
* Fix error handling related to the `bind_interface` option.
* Fix std* files not being redirected when daemonising, when built with
  assertions removed.
* Fix default settings incorrectly allowing TLS v1.1.
* Use line buffered mode for stdout. Closes #2354.
* Fix bridges with non-matching cleansession/local_cleansession being expired
  on start after restoring from persistence.
* Fix connections being limited to 2048 on Windows. The limit is now 8192,
  where supported.
* Broker will log warnings if sensitive files are world readable/writable, or
  if the owner/group is not the same as the user/group the broker is running
  as. In future versions the broker will refuse to open these files.
* mosquitto_memcmp_const is now more constant time.
* Only register with DLT if DLT logging is enabled.
* Fix any possible case where a JSON string might be incorrectly loaded. This
  could have caused a crash if a textname or textdescription field of a role
  was not a string, when loading the dynsec config from file only.
* Dynsec plugin will not allow duplicate clients/groups/roles when loading
  config from file, which matches the behaviour when creating them.
* Fix heap overflow when reading corrupt config with "log_dest file".

Client library:
* Use CLOCK_BOOTTIME when available, to keep track of time. This solves the
  problem of the client OS sleeping and the client hence not being able to
  calculate the actual time for keepalive purposes.
* Fix default settings incorrectly allowing TLS v1.1.
* Fix high CPU use on slow TLS connect.

Clients:
* Fix incorrect topic-alias property value in mosquitto_sub JSON output.
* Fix confusing message on TLS certificate verification.

Apps:
* mosquitto_passwd uses mkstemp() for backup files.
* `mosquitto_ctrl dynsec init` will refuse to overwrite an existing file,
  without a race condition.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 23 2023 Peter Robinson - 2.0.17-1
- Update to 2.0.17
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-9adc4be8b0'
at the command line. For more information, refer to the dnf documentation
available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-1382b4c7f5
2021-06-19 01:08:02.703438
--------------------------------------------------------------------------------

Name        : mosquitto
Product     : Fedora 34
Version     : 2.0.11
Release     : 1.fc34
URL         : https://mosquitto.org/
Summary     : Open Source MQTT v5/v3.1.x Broker
Description :
Mosquitto is an open source message broker that implements the MQ Telemetry
Transport protocol version 3.1 and 3.1.1. MQTT provides a lightweight method of
carrying out messaging using a publish/subscribe model. This makes it suitable
for "machine to machine" messaging such as with low power sensors or mobile
devices such as phones, embedded computers or micro-controllers like the
Arduino.
--------------------------------------------------------------------------------
Update Information:

2.0.11

Security:
* If an authenticated client connected with MQTT v5 sent a crafted CONNECT
  message to the broker, a memory leak would occur. Affects versions 1.6 to
  2.0.10 inclusive.

Broker:
* Fix possible crash having just upgraded from 1.6 if `per_listener_settings
  true` is set, and a SIGHUP is sent to the broker before a client has
  reconnected to the broker.
* Fix bridge not reconnecting if the first reconnection attempt fails.
* Improve QoS 0 outgoing packet queueing.
* Fix non-reachable bridge blocking the broker on Windows.
* Fix possible corruption of the pollfd array on Windows when bridges were
  reconnecting.
* Fix QoS 0 messages not being queued when queue_qos0_messages was enabled.

Clients:
* If sending mosquitto_sub output to a pipe, mosquitto_sub will now detect
  that the pipe has closed and disconnect.
* Fix mosquitto_pub -l quitting if a message publication is attempted when the
  broker is temporarily unavailable.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 10 2021 Peter Robinson - 2.0.11-1
- Update to 2.0.11
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-1382b4c7f5'
at the command line. For more information, refer to the dnf documentation
available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
A vulnerability was discovered in mqtt-client where unmarshalling a corrupt
MQTT frame can lead to a broker Out of Memory exception, making it
unresponsive.
-------------------------------------------------------------------------
Debian LTS Advisory                                         DLA-2582-1
====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat A-MQ Broker 7.5 release and security update
Advisory ID:       RHSA-2019:2995-01
Product:           Red Hat JBoss AMQ
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:2995
Issue date:        2019-10-10
Keywords:          amq,messaging,integration,broker
Cross references:  RHEA-2019:45713-01
CVE Names:         CVE-2014-0114
====================================================================

1. Summary:

Red Hat A-MQ Broker 7.5 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Description:

AMQ Broker is a high-performance messaging implementation based on ActiveMQ
Artemis. It uses an asynchronous journal for fast message persistence, and
supports multiple languages, protocols, and platforms.

This release of Red Hat A-MQ Broker 7.5.0 serves as a replacement for Red Hat
A-MQ Broker 7.4.1, and includes security and bug fixes, and enhancements. For
further information, refer to the release notes linked to in the References
section.

Security Fix(es):

* Apache Struts 1: Class Loader manipulation via request parameters
  (CVE-2014-0114)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

3. Solution:

Before applying the update, back up your existing installation, including all
applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link (you must log
in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

ENTMQBR-2849 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters [amq-7.4.0]

6. References:

https://access.redhat.com/security/cve/CVE-2014-0114
https://access.redhat.com/security/updates/classification#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.5.0
https://docs.redhat.com/en/documentation/red_hat_amq/7.5

7. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact

Copyright 2019 Red Hat, Inc.

RHSA-announce mailing list
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-3a59e6cf5c
2015-11-01 01:51:21.165640
--------------------------------------------------------------------------------

Name        : libsbw
Product     : Fedora 23
Version     : 2.11.1
Release     : 9.20150414svn579.fc23
URL         : https://sourceforge.net/projects/sbw/
Summary     : C++ Broker library
Description :
The Systems Biology Workbench (SBW) is a framework for application
intercommunications. It uses a broker-based, distributed, message-passing
architecture, supports many languages including Java, C++, Perl & Python, and
runs under Linux, OSX & Win32.

By default, the Broker opens a port for inter-Broker communications by
searching for the first free port in the range 10102 through 10202, inclusive.
By default, in Fedora this port range is not opened. See the man page for
further information.

libSBW is the C++ Broker port from the original SBW Broker (written in Java) to
C++. The current version implements all the functionality for the local side,
meaning that if you only use the Broker on a single machine, the C++ Broker
should be sufficient.
--------------------------------------------------------------------------------
Update Information:

libsbw-2.11.1-9.20150414svn579.fc22 - Rebuild for cmake 3.4.0
libsbw-2.11.1-9.20150414svn579.fc23 - Rebuild for cmake 3.4.0
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update libsbw'
at the command line. For more information, refer to "Managing Software with
yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------