Bug 29454

Summary: mosquitto new security issues fixed upstream in 2.0.12 (including CVE-2021-34434)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: mosquitto-2.0.11-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2021-09-10 18:36:23 CEST 
Fedora has issued an advisory today (September 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K4WWGVF5BUFPYPCFUPPP4KRIYI5OTJN2/

The issue is fixed upstream in 2.0.12, along with a few others:
https://mosquitto.org/blog/2021/08/version-2-0-12-released/

Mageia 8 is also affected.
David Walser 2021-09-10 18:36:46 CEST

CC: (none) => geiger.david68210
Status comment: (none) => Fixed upstream in 2.0.12
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-09-10 20:02:33 CEST 
daviddavid is the active registered maintainer of 'mosquitto', so assigning this to you.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2021-09-12 01:52:16 CEST 
mosquitto-2.0.12-1.mga9 uploaded for Cauldron by Nicolas L.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: geiger.david68210 => mageia

Comment 3 Nicolas Lécureuil 2021-09-15 22:36:36 CEST 
this is fixed in mga8:

src:
    - mosquitto-2.0.12-1.mga8

Assignee: mageia => qa-bugs
Status comment: Fixed upstream in 2.0.12 => (none)

Comment 4 David Walser 2021-09-16 04:41:41 CEST 
mosquitto-2.0.12-1.mga8
libmosquitto1-2.0.12-1.mga8
libmosquittopp1-2.0.12-1.mga8
libmosquitto-devel-2.0.12-1.mga8

from mosquitto-2.0.12-1.mga8.src.rpm
Comment 5 Thomas Andrews 2021-09-23 22:39:24 CEST 
Installed mosquitto and the first two libraries in a VirtualBox guest, then used QArepo to get the updates. No installation issues.

Using Bug 29024 as a reference, that was enough. 

Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-09-29 17:50:56 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-09-29 19:24:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0445.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED