This will be fixed soon, I would like to include an autopkgtest in the
package, otherwise this would have been updated already.
On Fri, 9 Apr 2021 at 20:27, Salvatore Bonaccorso wrote:
>
> Source: mosquitto
> Version: 2.0.9-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi,
>
> The following vulnerability was published for mosquitto.
>
> CVE-2021-28166[0]:
> | In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated
> | client that had connected with MQTT v5 sent a crafted CONNACK message
> | to the broker, a NULL pointer dereference would occur.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-28166
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166
> [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
