Several security vulnerabilities have been discovered in mosquitto, an MQTT compatible message broker, which may be abused for a denial of service attack.

CVE-2021-34434

    In Eclipse Mosquitto when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.

CVE-2023-0809

    Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets.

CVE-2023-3592

    Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types.

CVE-2023-28366

    The broker in Eclipse Mosquitto has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Additionally CVE-2021-41039 has been fixed for Debian 11 Bullseye.

CVE-2021-41039

    An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.11-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 2.0.11-1.2+deb12u1.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mosquitto