DSA-5511-1 mosquitto -- mosquittoID: oval:org.secpod.oval:def:95222 | Date: (C)2023-12-01 (M)2024-01-08 |
Class: PATCH | Family: unix |
Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack. CVE-2021-34434 In Eclipse Mosquitto when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked. CVE-2023-0809 Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets. CVE-2023-3592 Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types. CVE-2023-28366 The broker in Eclipse Mosquitto has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function. Additionally CVE-2021-41039 has been fixed for Debian 11 "Bullseye". CVE-2021-41039 An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.
Platform: |
Linux Mint 6 |
Linux Mint 5 |
Product: |
mosquitto |
libmosquitto1 |
libmosquitto-dev |
libmosquittopp1 |
libmosquittopp-dev |