products/PackageHub
SHA256
32
2
Fork 16
Code Issues Pull Requests 22 Actions Activity

Pull request for security update for mosquitto #471

Manually merged
products merged 1 commits from rfrohl/PackageHub:maintenance-update-1771837931 into leap-16.0 2026-02-23 19:07:36 +01:00
Conversation 22 Commits 1 Files Changed 2 +89 -1
2 changed files with 89 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
mosquitto

Submodule mosquitto updated: fd40b6c60a...64e47e8efe

88
patchinfo.20260223091213884795.93181000773252/_patchinfo Normal file
View File

@@ -0,0 +1,88 @@
<patchinfo>
<issue tracker="bnc" id="1258671">Mosquitto versions &gt; 2.0.11 and &lt; 2.0.23 have a data loss bug</issue>
<issue tracker="cve" id="2024-3935">VUL-0: CVE-2024-3935: mosquitto: double free and subsequent crash when running under bridge mode and processing remote connections</issue>
<issue tracker="bnc" id="1232636">VUL-0: CVE-2024-10525: mosquitto: out-of-bounds memory access when acting in an on_subscribe callback for a crafted SUBACK packet with no reason codes</issue>
<issue tracker="bnc" id="1232635">VUL-0: CVE-2024-3935: mosquitto: double free and subsequent crash when running under bridge mode and processing remote connections</issue>
<issue tracker="cve" id="2024-10525">VUL-0: CVE-2024-10525: mosquitto: out-of-bounds memory access when acting in an on_subscribe callback for a crafted SUBACK packet with no reason codes</issue>
<packager>AndreasStieger</packager>
<rating>critical</rating>
<category>security</category>
<summary>Security update for mosquitto</summary>
<description>This update for mosquitto fixes the following issues:
Changes in mosquitto:
- update to 2.0.23 (boo#1258671)
* Fix handling of disconnected sessions for `per_listener_settings
true`
* Check return values of openssl *_get_ex_data() and
*_set_ex_data() to prevent possible crash. This could occur only
in extremely unlikely situations
* Check return value of openssl ASN1_string_[get0_]data()
functions for NULL. This prevents a crash in case of incorrect
certificate handling in openssl
* Fix potential crash on startup if a malicious/corrupt
persistence file from mosquitto 1.5 or earlier is loaded
* Limit auto_id_prefix to 50 characters
- Update to version 2.0.22
Broker
* Bridge: Fix idle_timeout never occurring for lazy bridges.
* Fix case where max_queued_messages = 0 was not treated as
unlimited.
* Fix --version exit code and output.
* Fix crash on receiving a $CONTROL message over a bridge, if
per_listener_settings is set true and the bridge is carrying
out topic remapping.
* Fix incorrect reference clock being selected on startup on
Linux. Closes #3238.
* Fix reporting of client disconnections being incorrectly
attributed to "out of memory".
* Fix compilation when using WITH_OLD_KEEPALIVE.
* Fix problems with secure websockets.
* Fix crash on exit when using WITH_EPOLL=no.
* Fix clients being incorrectly expired when they have
keepalive == max_keepalive. Closes #3226, #3286.
Dynamic security plugin
* Fix mismatch memory free when saving config which caused
memory tracking to be incorrect.
Client library
* Fix C++ symbols being removed when compiled with link time
optimisation.
* TLS error handling was incorrectly setting a protocol error
for non-TLS errors. This would cause the mosquitto_loop_start()
thread to exit if no broker was available on the first
connection attempt. This has been fixed. Closes #3258.
* Fix linker errors on some architectures using cmake.
- Update to version 2.0.21
Broker
* Fix clients sending a RESERVED packet not being quickly
disconnected.
* Fix bind_interface producing an error when used with an
interface that has an IPv6 link-local address and no other
IPv6 addresses.
* Fix mismatched wrapped/unwrapped memory alloc/free in
properties.
* Fix allow_anonymous false not being applied in local only mode.
* Add retain_expiry_interval option to fix expired retained
message not being removed from memory if they are not
subscribed to.
* Produce an error if invalid combinations of
cafile/capath/certfile/keyfile are used.
* Backport keepalive checking from develop to fix problems in
current implementation.
Client library
* Fix potential deadlock in mosquitto_sub if -W is used.
Apps
* mosquitto_ctrl dynsec now also allows -i to specify a clientid
as well as -c. This matches the documentation which states -i.
Tests
* Fix 08-ssl-connect-cert-auth-expired and
08-ssl-connect-cert-auth-revoked tests when under load.
- systemd service: Wait till the network got setup to avoid
startup failure.
</description>
<package>mosquitto</package>
</patchinfo>