Bug 1214918 (CVE-2023-28366) - VUL-0: CVE-2023-28366: mosquitto: memory leak leads to unresponsive broker
Summary: VUL-0: CVE-2023-28366: mosquitto: memory leak leads to unresponsive broker
Status: NEW
Alias: CVE-2023-28366
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Martin Hauke
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/376976/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-04 06:01 UTC by Alexander Bergmann
Modified: 2023-12-30 23:35 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2023-09-04 06:01:12 UTC 
CVE-2023-28366

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory
leak that can be abused remotely when a client sends many QoS 2 messages with
duplicate message IDs, and fails to respond to PUBREC commands. This occurs
because of mishandling of EAGAIN from the libc send function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28366
https://bugzilla.redhat.com/show_bug.cgi?id=2236882
https://www.cve.org/CVERecord?id=CVE-2023-28366
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16
https://mosquitto.org/blog/2023/08/version-2-0-16-released/
https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt
Comment 1 OBSbugzilla Bot 2023-12-30 23:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1214918) was mentioned in
https://build.opensuse.org/request/show/1135795 Backports:SLE-15-SP6 / mosquitto