[Buildroot] [PATCH v2] package/mosquitto: security bump to version 2.0.21
Julien Olivain
ju.o at free.fr
Tue Apr 15 17:27:01 UTC 2025
On 15/04/2025 05:58, Scott Fan wrote:
> Fixes the following security issues:
>
> - Fix leak on malicious SUBSCRIBE by authenticated client.
> Closes eclipse #248.
> - Further fix for CVE-2023-28366.
>
> Also drop the patch that was fixed in v2.0.21, see the closed
> issues:
> https://github.com/eclipse-mosquitto/mosquitto/issues/3183
> https://github.com/eclipse-mosquitto/mosquitto/issues/3193
>
> However, the new version introduced a new issue: when WITH_TLS is off,
> the compilation will fail. It is already reported upstream with the issue:
> https://github.com/eclipse-mosquitto/mosquitto/issues/3246
>
> However, the upstream received two identical PRs; we quote the patch
> file of the earlier PR (#3227) here.
> https://github.com/eclipse-mosquitto/mosquitto/pull/3227
> https://github.com/eclipse-mosquitto/mosquitto/pull/3252
>
> For more details of v2.0.21, see the changelog:
> https://github.com/eclipse-mosquitto/mosquitto/blob/v2.0.21/ChangeLog.txt
>
> Signed-off-by: Scott Fan <fancp2007 at gmail.com>

Applied to master, thanks.

For info, I also fixed a check-package error by adding the
"Signed-off-by:" tags in the patch you added.

Best regards,

Julien.