Update to 2.0.21, further fixes for CVE-2023-28366.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-f1ea97edd8
2025-03-18 00:15:21.924540+00:00
--------------------------------------------------------------------------------

Name        : mosquitto
Product     : Fedora 42
Version     : 2.0.21
Release     : 1.fc42
URL         : https://mosquitto.org/
Summary     : Open Source MQTT v5/v3.1.x Broker
Description :
Mosquitto is an open source message broker that implements the MQ Telemetry
Transport protocol version v5 and 3.1.x.

MQTT provides a lightweight method of carrying out messaging using a
publish/subscribe model. This makes it suitable for "machine to machine"
messaging such as with low power sensors or mobile devices such as phones,
embedded computers or micro-controllers like the Arduino.
--------------------------------------------------------------------------------
Update Information:

Update to 2.0.21, further fixes for CVE-2023-28366
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar  6 2025 Peter Robinson - 2.0.21-1
- Update to 2.0.21
* Thu Feb 13 2025 Fabian Affolter - 2.0.20-5
- Only add openssl-devel-engine for Fedora
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-f1ea97edd8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
_______________________________________________
package-announce mailing list
The following vulnerabilities have been discovered in the package mosquitto, MQTT message broker.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4059-1
Update to latest upstream release 2.0.12.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-dc6df3744a
2021-09-24 20:04:10.612007
--------------------------------------------------------------------------------

Name        : mosquitto
Product     : Fedora 35
Version     : 2.0.12
Release     : 1.fc35
URL         : https://mosquitto.org/
Summary     : Open Source MQTT v5/v3.1.x Broker
Description :
Mosquitto is an open source message broker that implements the MQ Telemetry
Transport protocol version 3.1 and 3.1.1.

MQTT provides a lightweight method of carrying out messaging using a
publish/subscribe model. This makes it suitable for "machine to machine"
messaging such as with low power sensors or mobile devices such as phones,
embedded computers or micro-controllers like the Arduino.
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream release 2.0.12
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 25 2021 Fabian Affolter - 2.0.12-1
- Update to latest upstream release 2.0.12
- Fixes CVE-2021-34434 (closes rhbz#1999865)
* Wed Aug 25 2021 Fabian Affolter - 2.0.11-3
- Rebuilt
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1999865 - CVE-2021-34434 mosquitto: Existing subscriptions for that client are not revoked
        https://bugzilla.redhat.com/show_bug.cgi?id=1999865
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-dc6df3744a' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
Update to latest upstream release 2.0.12.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-aee8f32946
2021-09-10 16:04:06.977738
--------------------------------------------------------------------------------

Name        : mosquitto
Product     : Fedora 34
Version     : 2.0.12
Release     : 1.fc34
URL         : https://mosquitto.org/
Summary     : Open Source MQTT v5/v3.1.x Broker
Description :
Mosquitto is an open source message broker that implements the MQ Telemetry
Transport protocol version 3.1 and 3.1.1.

MQTT provides a lightweight method of carrying out messaging using a
publish/subscribe model. This makes it suitable for "machine to machine"
messaging such as with low power sensors or mobile devices such as phones,
embedded computers or micro-controllers like the Arduino.
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream release 2.0.12
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 25 2021 Fabian Affolter - 2.0.12-1
- Update to latest upstream release 2.0.12
- Fixes CVE-2021-34434 (closes rhbz#1999865)
* Wed Aug 25 2021 Fabian Affolter - 2.0.11-3
- Rebuilt
* Thu Jul 22 2021 Fedora Release Engineering - 2.0.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1999865 - CVE-2021-34434 mosquitto: Existing subscriptions for that client are not revoked
        https://bugzilla.redhat.com/show_bug.cgi?id=1999865
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-aee8f32946' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
Apache ActiveMQ, a Java message broker, uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2400-1
====================================================================
Red Hat Security Advisory

Synopsis:          Low: AMQ Clients 2.7.0 Release
Advisory ID:       RHSA-2020:2605-01
Product:           Red Hat AMQ Clients
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2605
Issue date:        2020-06-17
CVE Names:         CVE-2020-11612
====================================================================

1. Summary:

An update is now available for Red Hat AMQ Clients 2.7.0.

Red Hat Product Security has rated this update as having a Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

6Client-AMQ-Clients-2 - i386, noarch, x86_64
6ComputeNode-AMQ-Clients-2 - noarch, x86_64
6Server-AMQ-Clients-2 - i386, noarch, x86_64
6Workstation-AMQ-Clients-2 - i386, noarch, x86_64
7Client-AMQ-Clients-2 - noarch, x86_64
7ComputeNode-AMQ-Clients-2 - noarch, x86_64
7Server-AMQ-Clients-2 - noarch, x86_64
7Workstation-AMQ-Clients-2 - noarch, x86_64
8Base-AMQ-Clients-2 - noarch, x86_64

3. Description:

Red Hat AMQ Clients enable connecting, sending, and receiving messages over
the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7.

This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 6, 7,
and 8.

Security Fix(es):

* netty: compression/decompression codecs don't enforce limits on buffer
allocation sizes (CVE-2020-11612)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1816216 - CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes

6. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

ENTMQCL-1107 - [examples] Multi-process examples does not work on Windows
ENTMQCL-1150 - AMQP Python clients missing for Windows users or other users
ENTMQCL-1297 - [dotnet] .Net Framework 4.7 for AMQ Client 2.7.0
ENTMQCL-1736 - [python] Example helloworld_direct_tornado.py does not work
ENTMQCL-1737 - [python] Example helloworld_tornado.py does not work
ENTMQCL-1738 - [python] Example client_http.py does not work
ENTMQCL-1739 - [dotnet] Support AMQ .NET Client with .NET Core 3.1
ENTMQCL-1854 - [python] ApplicationEvent causing memory growth
ENTMQCL-1861 - [python] Memory leak on Container, SSL, and SSLDomain objects
ENTMQCL-1922 - [ruby] rubygem doc is not multilib-clean for x86_64 vs i686
ENTMQCL-1985 - [dotnet] TcpKeepAliveSettings do not work on Linux
ENTMQCL-761 - [python] Unable to run Proton on Windows with Python 3.6 64bit
ENTMQCL-797 - [python] Support Python 3 on Windows

7. Package List:
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-11612
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_amq/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.clients&version=2.7.0

9. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
Several issues have been found in mosquitto, a MQTT version 3.1/3.1.1 compatible message broker.

Package        : mosquitto
Version        : 1.3.4-2+deb8u4
CVE ID         : CVE-2017-7655 CVE-2018-12550 CVE-2018-12551 CVE-2019-11779

CVE-2017-7655

    A Null dereference vulnerability in the Mosquitto library could lead to
    crashes for those applications using the library.

CVE-2018-12550

    An ACL file with no statements was treated as having a default allow
    policy. The new behaviour of an empty ACL file is a default policy of
    access denied (this is in compliance with all newer releases).

CVE-2018-12551

    Malformed authentication data in the password file could allow clients to
    circumvent authentication and get access to the broker.

CVE-2019-11779

    Fix for processing a crafted SUBSCRIBE packet containing a topic that
    consists of approximately 65400 or more '/' characters (setting
    TOPIC_HIERARCHY_LIMIT to 200).

For Debian 8 "Jessie", these problems have been fixed in version
1.3.4-2+deb8u4.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Severity: Critical. LinuxSecurity.com Team
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-4c69fb4cd7
2019-10-04 20:02:51.623142
--------------------------------------------------------------------------------

Name        : mosquitto
Product     : Fedora 31
Version     : 1.6.7
Release     : 1.fc31
URL         : https://mosquitto.org/
Summary     : An Open Source MQTT v3.1/v3.1.1 Broker
Description :
Mosquitto is an open source message broker that implements the MQ Telemetry
Transport protocol version 3.1 and 3.1.1.

MQTT provides a lightweight method of carrying out messaging using a
publish/subscribe model. This makes it suitable for "machine to machine"
messaging such as with low power sensors or mobile devices such as phones,
embedded computers or micro-controllers like the Arduino.
--------------------------------------------------------------------------------
Update Information:

1.6.7
=====

Broker:
* Add workaround for working with libwebsockets 3.2.0.
* Fix potential crash when reloading config.

Client library:
* Don't use / in autogenerated client ids, to avoid confusing with topics.
* Fix mosquitto_max_inflight_messages_set() and mosquitto_int_option(..., MOSQ_OPT_*_MAX, ...) behaviour.
* Fix regression on use of mosquitto_connect_async() not working.

Clients:
* mosquitto_sub: Fix -E incorrectly not working unless -d was also specified.
* Updated documentation around automatic client ids.

1.6.6
=====

Security:
* CVE-2019-11779
* Restrict topic hierarchy to 200 levels to prevent possible stack overflow.

Broker:
* Restrict topic hierarchy to 200 levels to prevent possible stack overflow.
* mosquitto_passwd now returns 1 when attempting to update a user that does not exist.

1.6.5
=====

Broker:
* Fix v5 DISCONNECT packets with remaining length == 2 being treated as a protocol error.
* Fix support for libwebsockets 3.x.
* Fix slow websockets performance when sending large messages.
* Fix bridges potentially not connecting on Windows.
* Fix clients authorised using `use_identity_as_username` or `use_subject_as_username` being disconnected on SIGHUP.
* Improve error messages in some situations when clients disconnect. Reduces the number of "Socket error on client X, disconnecting" messages.
* Fix Will for v5 clients not being sent if will delay interval was greater than the session expiry interval.
* Fix CRL file not being reloaded on HUP.
* Fix repeated "Error in poll" messages on Windows when only websockets listeners are defined.

Client library:
* Fix reconnect backoff for the situation where connections are dropped rather than refused.
* Fix missing locks on `mosq->state`.

Documentation:
* Improve details on global/per listener options in the mosquitto.conf man page.
* Clarify behaviour when clients exceed the `message_size_limit`.
* Improve documentation for `max_inflight_bytes`, `max_inflight_messages`, and `max_queued_messages`.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1753846 - CVE-2019-11779 mosquitto: malicious MQTT sends SUBSCRIBE packet leads to stack over flow
        https://bugzilla.redhat.com/show_bug.cgi?id=1753846
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-4c69fb4cd7' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
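The topic hierarchy limit that the Debian advisory above describes for CVE-2019-11779 (TOPIC_HIERARCHY_LIMIT set to 200) and that the 1.6.6 notes here restate ("Restrict topic hierarchy to 200 levels"), as an added example that is not mosquitto's own code: a SUBSCRIBE topic-filter validator that refuses filters deeper than 200 levels before any per-level tree walk runs on them, and also applies the MQTT 3.1.1 placement rules for the '+' and '#' wildcards. The function names, the enum, the constant name and the helper that builds a run of '/' characters are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed constant mirroring the 200-level limit named in the advisories;
 * this file is an illustrative validator, not mosquitto's own code. */
#define TOPIC_HIERARCHY_LIMIT 200

enum topic_status {
    TOPIC_OK = 0,
    TOPIC_ERR_EMPTY,         /* NULL or zero-length filter */
    TOPIC_ERR_TOO_DEEP,      /* more than TOPIC_HIERARCHY_LIMIT levels */
    TOPIC_ERR_BAD_WILDCARD,  /* '+' or '#' not placed as MQTT 3.1.1 requires */
    TOPIC_ERR_INTERNAL       /* allocation failure in the test helper */
};

/* A filter with n '/' separators has n + 1 levels (empty levels count). */
static size_t topic_level_count(const char *topic)
{
    size_t levels = 1;
    for (const char *p = topic; *p != '\0'; p++)
        if (*p == '/')
            levels++;
    return levels;
}

/* Validate a SUBSCRIBE topic filter before it reaches the subscription tree.
 * Checking depth first means an over-deep filter is refused before any
 * per-level (potentially recursive) tree walk can be run on it. */
enum topic_status validate_sub_topic(const char *topic)
{
    if (topic == NULL || topic[0] == '\0')
        return TOPIC_ERR_EMPTY;
    if (topic_level_count(topic) > TOPIC_HIERARCHY_LIMIT)
        return TOPIC_ERR_TOO_DEEP;

    size_t len = strlen(topic);
    for (size_t i = 0; i < len; i++) {
        bool at_level_start = (i == 0) || topic[i - 1] == '/';
        if (topic[i] == '+') {
            /* '+' must occupy a whole level: bounded by '/' or the ends. */
            bool at_level_end = (i + 1 == len) || topic[i + 1] == '/';
            if (!at_level_start || !at_level_end)
                return TOPIC_ERR_BAD_WILDCARD;
        } else if (topic[i] == '#') {
            /* '#' must be the last character and a whole level by itself. */
            if (!at_level_start || i + 1 != len)
                return TOPIC_ERR_BAD_WILDCARD;
        }
    }
    return TOPIC_OK;
}

/* Test helper: validate a constructed filter made of n '/' characters, the
 * shape the Debian advisory describes (about 65400 or more separators). */
enum topic_status validate_slash_run(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return TOPIC_ERR_INTERNAL;
    memset(buf, '/', n);
    buf[n] = '\0';
    enum topic_status st = validate_sub_topic(buf);
    free(buf);
    return st;
}

int main(void)
{
    /* Constructed sample filters: two valid, two with misplaced wildcards. */
    const char *samples[] = { "sensors/+/temperature", "sensors/#", "sensors/#/x", "a+/b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i], (int)validate_sub_topic(samples[i]));
    printf("%zu separators -> %d\n", (size_t)65400, (int)validate_slash_run(65400));
    return 0;
}
```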