[Debian-iot-maintainers] Bug#1103927: bookworm-pu: package mosquitto/2.0.11-1.2+deb12u2

Philippe Coval rzr at users.sf.net
Tue Apr 22 22:12:58 BST 2025 

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: mosquitto at packages.debian.org
Control: affects -1 + src:mosquitto

[ Reason ]

Handling mosquitto update for three remaining CVEs in debian stable

[ Impact ]

No know regressions identified so far.

[ Tests ]

It is passing autopkg tests:

https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21

Only the (testing) lintian check is failing.


[ Risks ]

Upstream did not review changes or provide feedback

https://github.com/eclipse-mosquitto/mosquitto/issues/2850#issuecomment-2711985017


[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]

Please review each commits in branch:

https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21/commits

For the record here is a copy of logs:

commit 08504471ac798736b7358654ca4b275d846dd381
Author: Philippe Coval <rzr at users.sf.net>
Date:   Wed Mar 12 01:52:26 2025 +0100

    Update changelog for 2.0.11-1.2+deb12u2 release
    
    For the record I have double-checked AH patches
    they are cherry-picked from upstream
    only ChangeLog changes have been filtered.
    
    I also observed that the package is no more testable
    since upstream certificates expired, I removed them
    and I tweaked build script to generate them at buildtime,
    this way build is future proof.
    
    Make file change is under review upstream side
    
    Tests can be checked on related link,
    lintian error can be ignored on this stable update.
    
    Relate-to: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21

commit 635885033dbce498eb0a59c7b955def3e422399d
Author: Philippe Coval <rzr at users.sf.net>
Date:   Wed Mar 12 01:44:22 2025 +0100

    d/patches: Remove generated ssl certs

commit 25cbde2b89771cadec7dc0937f8530da6b94a27a
Author: Philippe Coval <rzr at users.sf.net>
Date:   Tue Mar 11 21:55:31 2025 +0100

    debian/tests: Check ssl certs before running tests
    
    Signed-off-by: Philippe Coval <rzr at users.sf.net>

commit 57b3e6d7869d2264529e449ef4d37a9a3d520f62
Author: Philippe Coval <rzr at users.sf.net>
Date:   Wed Mar 12 01:43:55 2025 +0100

    d/patches: t/Makefile: Generate test certs if not present in sources

commit 11d912791b5174a9bf85730c03192cf0165c1fc2
Author: Philippe Coval <rzr at users.sf.net>
Date:   Wed Mar 12 01:39:41 2025 +0100

    d/patches: Fixed issue in CA cert. creation

commit 156053cdcf1fc3b675888c702c6fd2a38e7baef4
Author: Philippe Coval <rzr at users.sf.net>
Date:   Wed Mar 12 01:39:05 2025 +0100

    d/patches: Further fix for CVE-2023-28366.

commit 4071b67300f591a3833e68bda5c0bb5963cc46ca
Author: Andreas Henriksson <andreas at fatal.se>
Date:   Thu Feb 20 14:49:43 2025 +0000

    debian/patches/0017-Don-t-allow-SUBACK-with-missing-reason-codes.patch
    
    - cherry-pick upstream fix for CVE-2024-10525
    
    Gbp-Dch: Full

commit 80727e7edfe45aeda850cfbaa1c48803094079b3
Author: Andreas Henriksson <andreas at fatal.se>
Date:   Thu Feb 20 14:44:36 2025 +0000

    d/p/0016-Fix-crash-on-bridge-using-remapped-topic-being-sent-.patch
    
    - cherry-pick upstream fix for CVE-2024-3935
    
    Gbp-Dch: Full

commit 5611a152fa95d80c6fe3d403ffa279a2865ae575
Author: Andreas Henriksson <andreas at fatal.se>
Date:   Thu Feb 20 14:41:47 2025 +0000

    d/p/0015-Fix-QoS-1-QoS-2-publish-incorrectly-returning-no-sub.patch
    
    - cherry-pick upstream commit fixing regression in CVE-2024-8376 fix
    
    Gbp-Dch: Full

commit 3ff28254e68bb2ff1f5597a591bd7e6b6fb66267
Author: Philippe Coval <rzr at users.sf.net>
Date:   Wed Oct 30 20:50:16 2024 +0100

    d/p/series: Add patches for CVE-2024-8376
    
    Upstream has been confirmed that
    that is the only patch needed to fix CVE-2024-8376 (check related link).
    
    To apply v2.0.18-25-g3bb6c9da patch and mimimize conflicts resolutions,
    I have also picked 2 other changes:  v2.0.18-25-g3bb6c9da and v2.0.19.
    
    Bug-Debian: https://bugs.debian.org/1084982
    Relate-to: https://gitlab.eclipse.org/security/cve-assignement/-/issues/26#note_2848100
    Origin: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
    Signed-off-by: Philippe Coval <rzr at users.sf.net>

commit 07f03f61440289bb435e127fa68e7892774e0795
Author: Philippe Coval <rzr at users.sf.net>
Date:   Mon Mar 10 22:52:29 2025 +0100

    Rediff patches

commit eb8fed861039acb7d6009638943cf44f0ea81944
Author: Philippe Coval <rzr at users.sf.net>
Date:   Sat Jul 8 10:06:41 2023 +0200

    debian/gbp.conf: Build for stable-sec
    
    Using "gbp buildpackage"
    
    debian/gbp.conf: Adjust path for stable
    debian/gbp.conf: Adjust path for stable-sec
    
    Origin: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/22
    Signed-off-by: Philippe Coval <rzr at users.sf.net>

[ Other info ]

Related context in patches metadata:

debian/patches/0020-t-Makefile-Generate-test-certs-if-not-present-in-sou.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/pull/3234
debian/patches/0020-t-Makefile-Generate-test-certs-if-not-present-in-sou.patch:Relate-to: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
debian/patches/CVE-2021-34434.patch:Bug-Debian: https://bugs.debian.org/993400
debian/patches/CVE-2021-34434.patch:Origin: https://github.com/eclipse/mosquitto/commit/32af599c81e63fa38e834b8f1c1f108c49328e95
debian/patches/CVE-2023-0809.patch:Origin: https://github.com/eclipse/mosquitto/commit/a3c680fbb00a0019573fb84c29332e845e6efcad
debian/patches/CVE-2023-28366.patch:Origin: https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
debian/patches/CVE-2023-3592.patch:Origin: https://github.com/eclipse/mosquitto/commit/00b24e0eb0686e9a76feb71fdaee650cb7e612fa
debian/patches/CVE-2024-8376-1of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/3bb6c9ad51f712864dea63529e0b55661c2a9e84
debian/patches/CVE-2024-8376-2of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17
debian/patches/CVE-2024-8376-3of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Origin: https://github.com/eclipse/mosquitto/commit/9d6a73f9f72005c2f19a262f15d28327eedea91f
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/637
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug-Debian: https://bugs.debian.org/1001028
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-41039
debian/patches/ssl-sslcontext-wrap_socket.patch:Bug-Ubuntu: https://launchpad.net/bugs/1960214
debian/patches/ssl-sslcontext-wrap_socket.patch:Forwarded: https://github.com/eclipse/mosquitto/pull/2451

More information about the Debian-iot-maintainers mailing list