diff --git a/mosquitto-2.0.15.tar.gz b/mosquitto-2.0.15.tar.gz deleted file mode 100644 index d3f93df..0000000 --- a/mosquitto-2.0.15.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4735b1d32e3f91c7a8896741d88a3022e89730a1ee897946decfa0df27039ac6 -size 792632 diff --git a/mosquitto-2.0.15.tar.gz.sig b/mosquitto-2.0.15.tar.gz.sig deleted file mode 100644 index 7a4a531..0000000 --- a/mosquitto-2.0.15.tar.gz.sig +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAmL7nMoACgkQd5si37Pn -F7eTzg//USRDDrpqd5RG3/9bY172OMQ9WnekmESZP3mfXyxV3lAPiqqKR9ShjTvO -B68pSxnbkxnKl1yX+hntdw941qQdaeexEIfQBeB1tq4TkKHcYjBBoCa1EpKbiUi+ -wbnw1RaKKkiNJZVuvcp3jDFXIOdqxUoBUzEnIy8dBOk7l3gxZEZCh1gdDvQFBd0D -jw9FlhZYTE5SbVyCJ3fDzAoEsGe4qXeeNHrgKIImnFVuil30/PdB938wcMnGTTAz -6XLyyvqp4yhMzODFIkl9BjX6GXK5pRmBYXkGLeXVepPiI+F1IrUwOiSYqRAC3Mt7 -eVoOecvkG2qms8zm2eC22bcSQcUTmCcvd4/mgbt1SmNiFoUrwgc3YGVfv3/tXD9O -QXGY4ASw8YKJmxhPhmztOrD8rut650nJM388wJGAoigGIPgfLTRD+r1O/EO/CCQT -4ux0H2HrWZ0Lf7NIpyR4sviezcmpgOuwFiZW4lNo4tlU7wP0KuGSC6D37ItMien5 -dA+2nGxjK6uGAIAoTU8qvCxxrUHvv03XVNsASjp/0Q4djh0AodpcsEMJDWGZ30XM -W6BShMeSLP6+uMAWMyrF2oB4f+Jp/LYZ+nDGEleF6wIFhI74GXxWnoAfkmewaN66 -Q7vXUWxufUShozt9LMmEkvTyXit6vWIHRW0YDoLD1jRQYDvGRag= -=4duc ------END PGP SIGNATURE----- diff --git a/mosquitto-2.0.18.tar.gz b/mosquitto-2.0.18.tar.gz new file mode 100644 index 0000000..b0dd44a --- /dev/null +++ b/mosquitto-2.0.18.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d665fe7d0032881b1371a47f34169ee4edab67903b2cd2b4c083822823f4448a +size 796351 diff --git a/mosquitto-2.0.18.tar.gz.sig b/mosquitto-2.0.18.tar.gz.sig new file mode 100644 index 0000000..d31de76 --- /dev/null +++ b/mosquitto-2.0.18.tar.gz.sig 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAmUIwT4ACgkQd5si37Pn +F7cZfBAAp/pcUhCv3fguP2xroaQV1HC1Wl7KfEplF9cAkFnW893xgnSDo0qj8Mo2 +/DRekji8vZyoI3V2+S7QNFnbSjCsqfgnVSopHHOpm5xLWZ3xaQwo6FSfmgDEstIA +YP5YoAbaTI69MbIqE1YqWISx/v0azc8T4zVQI8fMIew3GU8yg1ajaGJRH6kpskdg +hzrxE97ET4pPEwEo1wVI/lx2QKXXMfDjhge97UH0XendlOJwpUdDVqFprKBctsKE +9zUGAdN6UvTkCBJs2kFfqmNA2ivrbaUQs3v8Hn3cizNMOV+tbm4AGhBJ+jZAgx4d +fp87+Pj4eiSs0o01gVsIUO4aQzwL2VM+ZNcRJHp/UZPEsaKlg6oS+nCceJg4N14V +ue6HHc56RULQ/MFTLmK1uHtp6mWGi9Gqj/nIBh7je/uI+DzMUUpboYazjhH7pkhz +KIQ07tDV/HJOKVupRc80qXp6z4mIlVH9eFvCWu6r1nRB053zv4Axvi/Br+Hygqe4 +0N/nxWFhl//xredL5eeh3U651WCjcgFazsboHqlDh/+aRMbAfPl22CoKr+4U5W5t +ThvlrHpYekUvbd1WEJSM+DiiDzB4gfSRB91npQlbtbTOlZpfzeUt+QNSbAFIKWBF +QPFCdddTFnDHd5bFFPjGqUdIzWbf9bSYn8QeNdcIRCkQLlmEZas= +=Ucew +-----END PGP SIGNATURE----- diff --git a/mosquitto.changes b/mosquitto.changes index d2a8543..af8f4bb 100644 --- a/mosquitto.changes +++ b/mosquitto.changes 
@@ -1,3 +1,70 @@ +------------------------------------------------------------------- +Sat Dec 30 21:03:04 UTC 2023 - Dirk Müller + +- update to 2.0.18 (bsc#1214918, CVE-2023-28366, bsc#1215865, + CVE-2023-0809, bsc#1215864, CVE-2023-3592): + * Fix crash on subscribe under certain unlikely conditions. + * Fix mosquitto_rr not honouring `-R`. Closes #2893. + * Fix `max_queued_messages 0` stopping clients from receiving + messages. + * Fix `max_inflight_messages` not being set correctly. + * Fix `mosquitto_passwd -U` backup file creation. + * CVE-2023-28366: Fix memory leak in broker when clients send + multiple QoS 2 messages with the same message ID, but then + never respond to the PUBREC commands. + * CVE-2023-0809: Fix excessive memory being allocated based on + malicious initial packets that are not CONNECT packets. + * CVE-2023-3592: Fix memory leak when clients send v5 CONNECT + packets with a will message that contains invalid property + types. + * Broker will now reject Will messages that attempt to publish + to $CONTROL/. + * Broker now validates usernames provided in a TLS certificate + or TLS-PSK identity are valid UTF-8. + * Fix potential crash when loading invalid persistence file. + * Library will no longer allow single level wildcard + certificates, e.g. *.com + * Fix $SYS messages being expired after 60 seconds and hence + unchanged values disappearing. + * Fix some retained topic memory not being cleared immediately + after used. + * Fix error handling related to the `bind_interface` option. + * Fix std* files not being redirected when daemonising, when + built with assertions removed. + * Fix default settings incorrectly allowing TLS v1.1. + * Use line buffered mode for stdout. + * Fix bridges with non-matching cleansession/local_cleansession + being expired on start after restoring from persistence + * Fix connections being limited to 2048 on Windows. The limit + is now 8192, where supported. 
+ * Broker will log warnings if sensitive files are world + readable/writable, or if the owner/group is not the same as + the user/group the broker is running as. In future versions + the broker will refuse to open these files. + * mosquitto_memcmp_const is now more constant time. + * Only register with DLT if DLT logging is enabled. + * Fix any possible case where a json string might be + incorrectly loaded. This could have caused a crash if a + textname or textdescription field of a role was not a string, + when loading the dynsec config from file only. + * Dynsec plugin will not allow duplicate clients/groups/roles + when loading config from file, which matches the behaviour + for when creating them. + * Fix heap overflow when reading corrupt config with "log_dest + file". + * Use CLOCK_BOOTTIME when available, to keep track of time. + This solves the problem of the client OS sleeping and the + client hence not being able to calculate the actual time for + keepalive purposes. + * Fix default settings incorrectly allowing TLS v1.1. Closes + * Fix high CPU use on slow TLS connect. + * Fix incorrect topic-alias property value in mosquitto_sub + json output. + * Fix confusing message on TLS certificate verification. + * mosquitto_passwd uses mkstemp() for backup files. + * `mosquitto_ctrl dynsec init` will refuse to overwrite an + existing file, without a race-condition. + ------------------------------------------------------------------- Mon Aug 22 21:15:33 UTC 2022 - Dirk Müller 
@@ -1049,19 +1116,19 @@ Sun Aug 19 16:38:42 UTC 2018 - mardnh@gmx.de * Fix building for libwebsockets < 1.6. * Fix accessor functions for username and client id when used in plugin auth check. - + Library: * Fix some places where return codes were incorrect, including to the on_disconnect() callback. This has resulted in two new error codes, MOSQ_ERR_KEEPALIVE and MOSQ_ERR_LOOKUP. * Fix connection problems when mosquitto_loop_start() was called before mosquitto_connect_async(). - + Clients: * When compiled using WITH_TLS=no, the default port was incorrectly being set to -1. This has been fixed. * Fix compiling on Mac OS X <10.12. - + Build: * Fixes for building on NetBSD. * Fixes for building on FreeBSD. @@ -1074,7 +1141,7 @@ Thu May 3 18:47:04 UTC 2018 - mardnh@gmx.de Security: * Fix memory leak that could be caused by a malicious CONNECT packet. This does not yet have a CVE assigned. Closes #533493 (on Eclipse bugtracker) - + Broker features: * Add per_listener_settings to allow authentication and access control to be per listener. @@ -1152,7 +1219,7 @@ Thu May 3 18:47:04 UTC 2018 - mardnh@gmx.de * When a client with an in-use client-id connects, if the old client has a will, send the will message. Closes #26. * Fix parsing of configuration options that end with a space. Closes #804. - + Client library features: * Outgoing messages with QoS>1 are no longer retried after a timeout period. Messages will be retried when a client reconnects. @@ -1182,7 +1249,7 @@ Thu May 3 18:47:04 UTC 2018 - mardnh@gmx.de * Add MOSQ_OPT_SSL_CTX_WITH_DEFAULTS to work with MOSQ_OPT_SSL_CTX and have the default libmosquitto SSL_CTX configuration applied to the user provided SSL_CTX. Closes #567. - + Client library fixes: * Fix incorrect PSK key being used if it had leading zeroes. * Initialise "result" variable as soon as possible in 
@@ -1204,10 +1271,10 @@ Thu May 3 18:47:04 UTC 2018 - mardnh@gmx.de * Default to using port 8883 when using TLS. * mosquitto_sub doesn't continue to keep connecting if CONNACK tells it the connection was refused. - + Client fixes: * Correctly handle empty files with "mosquitto_pub -l". Closes #676. - + Build: * Add WITH_STRIP option (defaulting to "no") that when set to "yes" will strip executables and shared libraries when installing. @@ -1216,7 +1283,7 @@ Thu May 3 18:47:04 UTC 2018 - mardnh@gmx.de * Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636. * Support for openssl versions 1.0.0 and 1.0.1 has been removed as these are no longer supported by openssl. - + Documentation: * Replace mentions of deprecated 'c_rehash' with 'openssl rehash'. @@ -1238,7 +1305,7 @@ Thu Mar 1 14:37:54 UTC 2018 - mardnh@gmx.de limiting the size of remaining length to valid values. A "memory_limit" configuration option has also been added to allow the overall memory used by the broker to be limited. - + Broker: * Use constant time memcmp for password comparisons. * Fix incorrect PSK key being used if it had leading zeroes. @@ -1255,7 +1322,7 @@ Thu Mar 1 14:37:54 UTC 2018 - mardnh@gmx.de * Fix upgrade_outgoing_qos for retained message. Closes #534. * Fix CONNACK message not being sent for unauthorised connect on websockets. Closes #8. - + Client library: * Fix incorrect PSK key being used if it had leading zeroes. * Initialise "result" variable as soon as possible in @@ -1263,10 +1330,10 @@ Thu Mar 1 14:37:54 UTC 2018 - mardnh@gmx.de * No need to close socket again if setting non-blocking failed. Closes #649. * Fix mosquitto_topic_matches_sub() not correctly matching foo/bar against foo/+/#. Closes #670. - + Clients: * Correctly handle empty files with "mosquitto_pub -l". Closes #676. - + Build: * Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636. ------------------------------------------------------------------- 
@@ -1303,7 +1370,7 @@ Wed Jul 5 20:35:17 UTC 2017 - mardnh@gmx.de This can also be fixed administratively, by restricting access to the directory in which the persistence file is stored. - + * Broker: - Fix for poor websockets performance. - Fix lazy bridges not timing out for idle_timeout. @@ -1319,7 +1386,7 @@ Wed Jul 5 20:35:17 UTC 2017 - mardnh@gmx.de option. Partially closes #462. - Restrictions for CVE-2017-7650 have been relaxed - '/' is allowed in usernames/client ids. Remainder of fix for #462. - + Clients: - Don't use / in auto-generated client ids. diff --git a/mosquitto.spec b/mosquitto.spec index ede3c09..e97ab87 100644 --- a/mosquitto.spec +++ b/mosquitto.spec @@ -1,7 +1,7 @@ # # spec file for package mosquitto # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %define c_lib libmosquitto1 %define cpp_lib libmosquittopp1 Name: mosquitto -Version: 2.0.15 +Version: 2.0.18 Release: 0 Summary: A MQTT v3.1/v3.1.1 Broker License: EPL-1.0
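Review bot: The mosquitto-2.0.18.tar.gz hunk adds only a Git LFS pointer (the oid sha256 and size lines), so the archive content cannot be reviewed from this diff. Before accepting, check that the fetched object matches the recorded oid and that mosquitto-2.0.18.tar.gz.sig validates against it with the upstream signing key. The visible mosquitto.spec hunks do not show whether the build verifies the signature, so it is worth confirming that the spec lists the .sig and a keyring as sources.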
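Review bot: In the new 2.0.18 entry of mosquitto.changes, the bullet "Fix default settings incorrectly allowing TLS v1.1. Closes" ends on a dangling "Closes" with no issue number, and it repeats the earlier bullet "Fix default settings incorrectly allowing TLS v1.1." in the same entry. Drop the second copy or complete the reference. Two bullets ("Fix bridges with non-matching cleansession/local_cleansession being expired on start after restoring from persistence" and the wildcard certificate one ending "e.g. *.com") also lack the closing period their neighbours have.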
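Review bot: The mosquitto.changes hunks from "@@ -1049,19 +1116,19 @@" onward only swap separator lines in entries dated 2017 and 2018, and each removed/added pair shows no visible text difference, so they read as whitespace-only cleanup of historical entries. Mixing that into a CVE update makes the security-relevant part of the diff harder to audit. Consider moving the whitespace cleanup to its own commit, or at least mentioning it in the commit message.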
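Review bot: In the mosquitto.spec hunk "@@ -20,7 +20,7 @@", the Version bump to 2.0.18 leaves "Summary: A MQTT v3.1/v3.1.1 Broker" unchanged, while the changelog entry added in this same patch describes a fix for v5 CONNECT packets. The Summary looks stale for a broker that handles MQTT v5, so consider updating it alongside the version.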