From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Cc: Titouan Christophe <titouanchristophe@gmail.com>
Subject: [Buildroot] [PATCH] package/mosquitto: security bump to version 2.0.16
Date: Sun, 20 Aug 2023 10:36:13 +0200 [thread overview]
Message-ID: <20230820083613.35259-1-peter@korsgaard.com> (raw)
Fixes the following security issues:
- CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2
messages with the same message ID, but then never respond to the PUBREC
commands.
- CVE-2023-0809: Fix excessive memory being allocated based on malicious
initial packets that are not CONNECT packets.
- CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a
will message that contains invalid property types.
- Broker will now reject Will messages that attempt to publish to $CONTROL/.
- Broker now validates usernames provided in a TLS certificate or TLS-PSK
identity are valid UTF-8.
- Fix potential crash when loading invalid persistence file.
- Library will no longer allow single level wildcard certificates, e.g. *.com
For more details, see the changelog:
https://mosquitto.org/ChangeLog.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/mosquitto/mosquitto.hash | 4 ++--
package/mosquitto/mosquitto.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/mosquitto/mosquitto.hash b/package/mosquitto/mosquitto.hash
index 2cfd0d9422..cbe54d6d1a 100644
--- a/package/mosquitto/mosquitto.hash
+++ b/package/mosquitto/mosquitto.hash
@@ -1,6 +1,6 @@
# Locally calculated after checking gpg signature
-# from https://mosquitto.org/files/source/mosquitto-2.0.15.tar.gz.asc
-sha256 4735b1d32e3f91c7a8896741d88a3022e89730a1ee897946decfa0df27039ac6 mosquitto-2.0.15.tar.gz
+# from https://mosquitto.org/files/source/mosquitto-2.0.16.tar.gz.asc
+sha256 638db9e43e89d243ea98d10d66e76ff376131217780decd01abaffacc66d8035 mosquitto-2.0.16.tar.gz
# License files
sha256 d3c4ccace4e5d3cc89d34cf2a0bc85b8596bfc0a32b815d0d77f9b7c41b5350c LICENSE.txt
diff --git a/package/mosquitto/mosquitto.mk b/package/mosquitto/mosquitto.mk
index a95a2cac4d..f146a86d0a 100644
--- a/package/mosquitto/mosquitto.mk
+++ b/package/mosquitto/mosquitto.mk
@@ -4,7 +4,7 @@
#
################################################################################
-MOSQUITTO_VERSION = 2.0.15
+MOSQUITTO_VERSION = 2.0.16
MOSQUITTO_SITE = https://mosquitto.org/files/source
MOSQUITTO_LICENSE = EPL-2.0 or EDLv1.0
MOSQUITTO_LICENSE_FILES = LICENSE.txt epl-v20 edl-v10
--
2.30.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next reply other threads:[~2023-08-20 8:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-20 8:36 Peter Korsgaard [this message]
2023-08-20 8:59 ` [Buildroot] [PATCH] package/mosquitto: security bump to version 2.0.16 Yann E. MORIN
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230820083613.35259-1-peter@korsgaard.com \
--to=peter@korsgaard.com \
--cc=buildroot@buildroot.org \
--cc=titouanchristophe@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox