-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Sep 2023 20:57:20 CEST
Source: mosquitto
Architecture: source
Version: 2.0.11-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Roger A. Light <roger@atchoo.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 32d901018a30a4e5c479a415f8314d8b902ec920 2632 mosquitto_2.0.11-1+deb11u1.dsc
 e39d44425a006c4c7e11a9320e159557d14deefa 32132 mosquitto_2.0.11-1+deb11u1.debian.tar.xz
 2c5d839717a845ce846e6ad12312b2e565c60987 10917 mosquitto_2.0.11-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 2f8124229527652ee0e7cfe4afeab444cbc44dd4006e9c5b4a09866aeec86c77 2632 mosquitto_2.0.11-1+deb11u1.dsc
 ba81896d3a06d7b3736ac4f7265f816be91f4e75481264830c1e78aeebd495a2 32132 mosquitto_2.0.11-1+deb11u1.debian.tar.xz
 b2c7c8f9c7a01e6b1dcf036480c88a42abf1740c186fad02f0145ff2d5fb4b20 10917 mosquitto_2.0.11-1+deb11u1_amd64.buildinfo
Changes:
 mosquitto (2.0.11-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload.
   * Several security vulnerabilities have been discovered in mosquitto, a MQTT
     compatible message broker, which may be abused for a denial of service
     attack.
   * CVE-2021-34434:
     In Eclipse Mosquitto when using the dynamic security plugin, if the ability
     for a client to make subscriptions on a topic is revoked when a durable
     client is offline, then existing subscriptions for that client are not
     revoked.
   * CVE-2021-41039:
     An MQTT v5 client connecting with a large number of user-property
     properties could cause excessive CPU usage, leading to a loss of
     performance and possible denial of service.
   * CVE-2023-0809:
     Fix excessive memory being allocated based on malicious initial packets
     that are not CONNECT packets.
   * CVE-2023-3592:
     Fix memory leak when clients send v5 CONNECT packets with a will message
     that contains invalid property types.
   * Fix CVE-2023-28366:
     The broker in Eclipse Mosquitto has a memory leak that can be abused
     remotely when a client sends many QoS 2 messages with duplicate message
     IDs, and fails to respond to PUBREC commands. This occurs because of
     mishandling of EAGAIN from the libc send function.
Files:
 516d1b6c1b9d72d17196337bc6a0c83d 2632 net optional mosquitto_2.0.11-1+deb11u1.dsc
 a6bc011197f7cc3aeacc7e683d2d7395 32132 net optional mosquitto_2.0.11-1+deb11u1.debian.tar.xz
 77e9e3929ddc933ad7e17e30756d457b 10917 net optional mosquitto_2.0.11-1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUYhzlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hkk3gP/0g04NrM4PZqyI06vQwy0bAnQ+dDCaFOtLzP
c1MzAgpbq8HhEQx4EPGdD5sc2KYJvrps7OS8B/rpKCO9m7RRhFFYrTWwWL7SQYwF
jaIjDjUNxQ2HfY1AjoFdn62qRwN0oyQF1gg2AhcHdsDspUnT5iBC6oKl7eiuTOPC
AX4+BBiMbt+G28jdFTnbsRRBclz25VjHxfSk4JnAq58Q4g27TXvi9+h5Zpnjm5mb
AItJiKV9VqwCA+sNRfJvrcUFAUxFc3DYOxC7XWcd/nExLJ+GxYiBuX+wwwMINCrB
aN5HOK1+TGU7FdjyOknGbK8u3Q2DtByG1Y2656s48909tLhC0Yv5/Rfsc0c6JOip
yKnTO3WAImkESGYoAVoVWrZcIh2pxjxu7u+1TABMYcyenZdObY6wVABlFVP3QAM4
5MLvZkfHJx2me4iThOyEZihTVYJwb0RGpWAlp9vCDoQnUEgTAh2jAcfHezGxq+Hw
f/BqKE2XfPR/L/rs0d+1M11odKo/+GVODdt5xSuYWJ0r37W11lDPIOI+PBzSFCq/
A7fORJL5jKqL+a7qW13YB5MuXShXG47lTcLQOiZ/ka9hxTyOk5nSfnYn6bpwSwJj
5/6AzAwg6TQVibYJXEwvbPS0pgn8ADz1mvJ02/1FocGkFw6rH+uqyVGAxrsI6/jS
0Jj18s2X
=ed+J
-----END PGP SIGNATURE-----