Bug 1214918 (CVE-2023-28366)

Summary: VUL-0: CVE-2023-28366: mosquitto: memory leak leads to unresponsive broker
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Martin Hauke <mardnh>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/376976/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2023-09-04 06:01:12 UTC 
CVE-2023-28366

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory
leak that can be abused remotely when a client sends many QoS 2 messages with
duplicate message IDs, and fails to respond to PUBREC commands. This occurs
because of mishandling of EAGAIN from the libc send function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28366
https://bugzilla.redhat.com/show_bug.cgi?id=2236882
https://www.cve.org/CVERecord?id=CVE-2023-28366
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16
https://mosquitto.org/blog/2023/08/version-2-0-16-released/
https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt
Comment 1 OBSbugzilla Bot 2023-12-30 23:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1214918) was mentioned in
https://build.opensuse.org/request/show/1135795 Backports:SLE-15-SP6 / mosquitto