This will be fixed soon, I would like to include an autopkgtest in the package, otherwise this would have been updated already.
On Fri, 9 Apr 2021 at 20:27, Salvatore Bonaccorso <car...@debian.org> wrote: > > Source: mosquitto > Version: 2.0.9-1 > Severity: grave > Tags: security upstream > Justification: user security hole > X-Debbugs-Cc: car...@debian.org, Debian Security Team > <t...@security.debian.org> > > Hi, > > The following vulnerability was published for mosquitto. > > CVE-2021-28166[0]: > | In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated > | client that had connected with MQTT v5 sent a crafted CONNACK message > | to the broker, a NULL pointer dereference would occur. > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2021-28166 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166 > [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608 > > Please adjust the affected versions in the BTS as needed. > > Regards, > Salvatore
