UbuntuUpdates.org

Package "mosquitto-dev"

Name: mosquitto-dev

Description:

Development files for Mosquitto

Latest version: 2.0.11-1ubuntu1.2
Release: jammy (22.04)
Level: updates
Repository: universe
Head package: mosquitto
Homepage: https://mosquitto.org/

Other versions of "mosquitto-dev" in Jammy

Repository  Area      Version
base        universe  2.0.11-1ubuntu1
security    universe  2.0.11-1ubuntu1.2

Changelog

Version: 2.0.11-1ubuntu1.2 2025-04-17 00:07:13 UTC

  mosquitto (2.0.11-1ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Double free Denial of Service
    - debian/patches/CVE-2024-3935.patch: Fix crash on bridge using
      remapped topic when broker sent crafted PUBLISH packet
    - CVE-2024-3935

  * SECURITY UPDATE: Heap Buffer Overflow
    - debian/patches/CVE-2024-10525.patch: Fix buffer overflow
      when SUBACK received missing reason codes
    - CVE-2024-10525

  * debian/tests/broker: Make all test python scripts executable
  * debian/tests/control: Add python3-psutil for broker

 -- Elise Hlady <email address hidden> Thu, 27 Mar 2025 16:06:18 -0700

CVE-2024-3935 In Eclipse Mosquitto, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge
CVE-2024-10525 In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using lib

Version: 2.0.11-1ubuntu1.1 2023-11-21 15:13:50 UTC

  mosquitto (2.0.11-1ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Authorization bypass
    - debian/patches/CVE-2021-34434.patch: Fix $share subscriptions not
      being recovered for durable clients
    - CVE-2021-34434
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2021-41039.patch: Fix CONNECT performance
    - debian/patches/CVE-2023-0809.patch: Fix excessive memory usage.
    - debian/patches/CVE-2023-3592.patch: Fix memory leak when clients
      send v5 CONNECT packets.
    - debian/patches/CVE-2023-28366-1.patch: Fix memory leak in broker
    - debian/patches/CVE-2023-28366-2.patch: Fix regression
    - CVE-2021-41039
    - CVE-2023-0809
    - CVE-2023-3592
    - CVE-2023-28366

 -- Giampaolo Fresi Roglia <email address hidden> Sun, 19 Nov 2023 19:09:47 +0100

CVE-2021-34434 In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is
CVE-2021-41039 In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CP
CVE-2023-0809 In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
CVE-2023-28366 The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages
