摘要:
mosquitto security update
安全等级: Critical
公告ID: KylinSec-SA-2024-4988
发布日期: 2025年2月17日
关联CVE: CVE-2024-10525 CVE-2024-3935
Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for "machine to machine" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.
Security Fix(es):
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.(CVE-2024-10525)
In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.(CVE-2024-3935)
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2024-10525 | V6 | mosquitto | Fixed |
| CVE-2024-3935 | V6 | mosquitto | Fixed |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| mosquitto | x86_64 | 2.0.20-2.ks6 |
| mosquitto-devel | x86_64 | 2.0.20-2.ks6 |
| mosquitto | aarch64 | 2.0.20-2.ks6 |
| mosquitto-devel | aarch64 | 2.0.20-2.ks6 |
方法一:下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存,如 xxx.rpm
2、通过rpm命令升级,如 rpm -Uvh xxx.rpm
方法二:通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包,如 yum install 包名
