| Message ID | 20230820083613.35259-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/mosquitto: security bump to version 2.0.16 | expand |
Peter, All, On 2023-08-20 10:36 +0200, Peter Korsgaard spake thusly: > Fixes the following security issues: > > - CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2 > messages with the same message ID, but then never respond to the PUBREC > commands. > - CVE-2023-0809: Fix excessive memory being allocated based on malicious > initial packets that are not CONNECT packets. > - CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a > will message that contains invalid property types. > - Broker will now reject Will messages that attempt to publish to $CONTROL/. > - Broker now validates usernames provided in a TLS certificate or TLS-PSK > identity are valid UTF-8. > - Fix potential crash when loading invalid persistence file. > - Library will no longer allow single level wildcard certificates, e.g. *.com > > For more details, see the changelog: > https://mosquitto.org/ChangeLog.txt > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > package/mosquitto/mosquitto.hash | 4 ++-- > package/mosquitto/mosquitto.mk | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/mosquitto/mosquitto.hash b/package/mosquitto/mosquitto.hash > index 2cfd0d9422..cbe54d6d1a 100644 > --- a/package/mosquitto/mosquitto.hash > +++ b/package/mosquitto/mosquitto.hash > @@ -1,6 +1,6 @@ > # Locally calculated after checking gpg signature > -# from https://mosquitto.org/files/source/mosquitto-2.0.15.tar.gz.asc > -sha256 4735b1d32e3f91c7a8896741d88a3022e89730a1ee897946decfa0df27039ac6 mosquitto-2.0.15.tar.gz > +# from https://mosquitto.org/files/source/mosquitto-2.0.16.tar.gz.asc > +sha256 638db9e43e89d243ea98d10d66e76ff376131217780decd01abaffacc66d8035 mosquitto-2.0.16.tar.gz > > # License files > sha256 d3c4ccace4e5d3cc89d34cf2a0bc85b8596bfc0a32b815d0d77f9b7c41b5350c LICENSE.txt > diff --git a/package/mosquitto/mosquitto.mk b/package/mosquitto/mosquitto.mk > index a95a2cac4d..f146a86d0a 100644 > --- a/package/mosquitto/mosquitto.mk > +++ b/package/mosquitto/mosquitto.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -MOSQUITTO_VERSION = 2.0.15 > +MOSQUITTO_VERSION = 2.0.16 > MOSQUITTO_SITE = https://mosquitto.org/files/source > MOSQUITTO_LICENSE = EPL-2.0 or EDLv1.0 > MOSQUITTO_LICENSE_FILES = LICENSE.txt epl-v20 edl-v10 > -- > 2.30.2 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
diff --git a/package/mosquitto/mosquitto.hash b/package/mosquitto/mosquitto.hash index 2cfd0d9422..cbe54d6d1a 100644 --- a/package/mosquitto/mosquitto.hash +++ b/package/mosquitto/mosquitto.hash @@ -1,6 +1,6 @@ # Locally calculated after checking gpg signature -# from https://mosquitto.org/files/source/mosquitto-2.0.15.tar.gz.asc -sha256 4735b1d32e3f91c7a8896741d88a3022e89730a1ee897946decfa0df27039ac6 mosquitto-2.0.15.tar.gz +# from https://mosquitto.org/files/source/mosquitto-2.0.16.tar.gz.asc +sha256 638db9e43e89d243ea98d10d66e76ff376131217780decd01abaffacc66d8035 mosquitto-2.0.16.tar.gz # License files sha256 d3c4ccace4e5d3cc89d34cf2a0bc85b8596bfc0a32b815d0d77f9b7c41b5350c LICENSE.txt diff --git a/package/mosquitto/mosquitto.mk b/package/mosquitto/mosquitto.mk index a95a2cac4d..f146a86d0a 100644 --- a/package/mosquitto/mosquitto.mk +++ b/package/mosquitto/mosquitto.mk @@ -4,7 +4,7 @@ # ################################################################################ -MOSQUITTO_VERSION = 2.0.15 +MOSQUITTO_VERSION = 2.0.16 MOSQUITTO_SITE = https://mosquitto.org/files/source MOSQUITTO_LICENSE = EPL-2.0 or EDLv1.0 MOSQUITTO_LICENSE_FILES = LICENSE.txt epl-v20 edl-v10
Fixes the following security issues: - CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2 messages with the same message ID, but then never respond to the PUBREC commands. - CVE-2023-0809: Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets. - CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types. - Broker will now reject Will messages that attempt to publish to $CONTROL/. - Broker now validates usernames provided in a TLS certificate or TLS-PSK identity are valid UTF-8. - Fix potential crash when loading invalid persistence file. - Library will no longer allow single level wildcard certificates, e.g. *.com For more details, see the changelog: https://mosquitto.org/ChangeLog.txt Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/mosquitto/mosquitto.hash | 4 ++-- package/mosquitto/mosquitto.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)