[Buildroot] [PATCH] package/mosquitto: security bump to version 2.0.21

Peter Korsgaard peter at korsgaard.com
Mon Apr 14 13:23:55 UTC 2025


>>>>> "Scott" == Scott Fan <fancp2007 at gmail.com> writes:

 > Fixes the following security issues:
 > - Fix leak on malicious SUBSCRIBE by authenticated client.
 >   Closes eclipse #248.
 > - Further fix for CVE-2023-28366.

 > Also drop the patch that was fixed in v2.0.21, see the closed issues:
 > https://github.com/eclipse-mosquitto/mosquitto/issues/3183
 > https://github.com/eclipse-mosquitto/mosquitto/issues/3193

 > For more details, see the changelog:
 > https://github.com/eclipse-mosquitto/mosquitto/blob/v2.0.21/ChangeLog.txt

 > Signed-off-by: Scott Fan <fancp2007 at gmail.com>

It unfortunately seems to be broken for non-openssl builds:

arm-none-linux-gnueabihf-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I. -I.. -I../include -I../../include -I../lib -DWITH_BRIDGE -DWITH_PERSISTENCE -DWITH_MEMORY_TRACKING -DWITH_SYS_TREE -DWITH_EC -DWITH_ADNS -DWITH_CONTROL -DWITH_UNIX_SOCKETS -DWITH_EPOLL -I../deps -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -O2 -g0 -D_FORTIFY_SOURCE=1 -DVERSION="\"2.0.21\"" -DWITH_BROKER -c conf.c -o conf.o
conf.c: In function ‘config__check’:
conf.c:2318:54: error: ‘struct mosquitto__listener’ has no member named ‘cafile’
 2318 |                  bool cafile = !!config->listeners[i].cafile;
      |                                                      ^
conf.c:2319:54: error: ‘struct mosquitto__listener’ has no member named ‘capath’
 2319 |                  bool capath = !!config->listeners[i].capath;
      |                                                      ^
conf.c:2320:56: error: ‘struct mosquitto__listener’ has no member named ‘certfile’
 2320 |                  bool certfile = !!config->listeners[i].certfile;
      |                                                        ^
conf.c:2321:55: error: ‘struct mosquitto__listener’ has no member named ‘keyfile’
 2321 |                  bool keyfile = !!config->listeners[i].keyfile;
      |                                                       ^

E.g. with the following defconfig:

cat defconfig
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_MOSQUITTO=y

It looks like some code is missing the WITH_TLS conditional. Care to
have a look at fixing that?

-- 
Bye, Peter Korsgaard

