Ubuntu Security Notice USN-6492-1
Ubuntu Security Notice 6492-1 - Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain inputs. If a user or an automated system were provided with a specially crafted input, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If a user or an automated system were provided with a specially crafted input, a remote attacker could possibly use this issue to cause an authorisation bypass. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04.
==========================================================================
Ubuntu Security Notice USN-6492-1
November 21, 2023

mosquitto vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Mosquitto.

Software Description:
- mosquitto: MQTT version 3.1/3.1.1 compatible message broker

Details:

Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain
inputs. If a user or an automated system were provided with a specially crafted
input, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-34431)

Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If
a user or an automated system were provided with a specially crafted input, a
remote attacker could possibly use this issue to cause an authorisation bypass.
This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2021-34434)

Zhanxiang Song, Bin Yuan, DeQing Zou, and Hai Jin discovered that Mosquitto
incorrectly handled certain inputs. If a user or an automated system were
provided with a specially crafted input, a remote attacker could possibly use
this issue to cause a denial of service. This issue only affected Ubuntu 20.04
LTS and Ubuntu 22.04 LTS. (CVE-2021-41039)

Zhengjie Du discovered that Mosquitto incorrectly handled certain inputs. If a
user or an automated system were provided with a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-0809)

It was discovered that Mosquitto incorrectly handled certain inputs. If a user
or an automated system were provided with a specially crafted input, a remote
attacker could possibly use this issue to cause a denial of service.
(CVE-2023-3592)

Mischa Bachmann discovered that Mosquitto incorrectly handled certain inputs.
If a user or an automated system were provided with a specially crafted input,
a remote attacker could possibly use this issue to cause a denial of service.
This issue was only fixed in Ubuntu 22.04 LTS and Ubuntu 23.04.
(CVE-2023-28366)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
  mosquitto                       2.0.11-1.2ubuntu0.1

Ubuntu 22.04 LTS:
  mosquitto                       2.0.11-1ubuntu1.1

Ubuntu 20.04 LTS (Available with Ubuntu Pro):
  mosquitto                       1.6.9-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6492-1
  CVE-2021-34431, CVE-2021-34434, CVE-2021-41039, CVE-2023-0809,
  CVE-2023-28366, CVE-2023-3592

Package Information:
  https://launchpad.net/ubuntu/+source/mosquitto/2.0.11-1.2ubuntu0.1
  https://launchpad.net/ubuntu/+source/mosquitto/2.0.11-1ubuntu1.1
Related news
Red Hat Security Advisory 2024-1061-03 - An update is now available for Red Hat Satellite 6.13 for RHEL 8. Issues addressed include memory leak and server-side request forgery vulnerabilities.
Red Hat Security Advisory 2024-0797-03 - Updated Satellite 6.14 packages that fix important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include HTTP request smuggling, buffer overflow, denial of service, and memory leak vulnerabilities.
Gentoo Linux Security Advisory 202401-9 - Multiple vulnerabilities have been found in Eclipse Mosquitto which could result in denial of service. Versions greater than or equal to 2.0.17 are affected.
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
Debian Linux Security Advisory 5511-1 - Several security vulnerabilities have been discovered in mosquitto, an MQTT-compatible message broker, which may be abused for a denial of service attack.
The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.
In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.