Security update for mosquitto SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2247-1 Final 1 1 2019-10-03T16:21:06Z current 2019-10-03T16:21:06Z 2019-10-03T16:21:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mosquitto This update for mosquitto fixes the following issues: - CVE-2019-11779: Fixed insufficient parsing of SUBSCRIBE packets that could lead to a stack overflow (bsc#1151494). This update was imported from the openSUSE:Leap:15.1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2247 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HM4BH6TF6Y33PDPP5RQIILYN7TCGMPWW/#HM4BH6TF6Y33PDPP5RQIILYN7TCGMPWW E-Mail link for openSUSE-SU-2019:2247-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1151494 SUSE Bug 1151494 https://www.suse.com/security/cve/CVE-2019-11779/ SUSE CVE CVE-2019-11779 page SUSE Package Hub 15 SP1 libmosquitto1-1.5.7-bp151.3.3.1 libmosquittopp1-1.5.7-bp151.3.3.1 mosquitto-1.5.7-bp151.3.3.1 mosquitto-clients-1.5.7-bp151.3.3.1 mosquitto-devel-1.5.7-bp151.3.3.1 libmosquitto1-1.5.7-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 libmosquittopp1-1.5.7-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 mosquitto-1.5.7-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 mosquitto-clients-1.5.7-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 mosquitto-devel-1.5.7-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur. CVE-2019-11779 SUSE Package Hub 15 SP1:libmosquitto1-1.5.7-bp151.3.3.1 SUSE Package Hub 15 SP1:libmosquittopp1-1.5.7-bp151.3.3.1 SUSE Package Hub 15 SP1:mosquitto-1.5.7-bp151.3.3.1 SUSE Package Hub 15 SP1:mosquitto-clients-1.5.7-bp151.3.3.1 SUSE Package Hub 15 SP1:mosquitto-devel-1.5.7-bp151.3.3.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HM4BH6TF6Y33PDPP5RQIILYN7TCGMPWW/#HM4BH6TF6Y33PDPP5RQIILYN7TCGMPWW https://www.suse.com/security/cve/CVE-2019-11779.html CVE-2019-11779 https://bugzilla.suse.com/1151494 SUSE Bug 1151494