[Debian-iot-maintainers] Bug#1103927: bookworm-pu: package mosquitto/2.0.11-1.2+deb12u2
Philippe Coval
rzr at users.sf.net
Tue Apr 22 22:12:58 BST 2025
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: mosquitto at packages.debian.org
Control: affects -1 + src:mosquitto
[ Reason ]
Handling mosquitto update for three remaining CVEs in Debian stable
[ Impact ]
No known regressions identified so far.
[ Tests ]
It is passing autopkg tests:
https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
Only the (testing) lintian check is failing.
[ Risks ]
Upstream did not review changes or provide feedback
https://github.com/eclipse-mosquitto/mosquitto/issues/2850#issuecomment-2711985017
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable
[ Changes ]
Please review each commit in branch:
https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21/commits
For the record here is a copy of logs:
commit 08504471ac798736b7358654ca4b275d846dd381
Author: Philippe Coval <rzr at users.sf.net>
Date: Wed Mar 12 01:52:26 2025 +0100
Update changelog for 2.0.11-1.2+deb12u2 release
For the record I have double-checked AH patches
they are cherry-picked from upstream
only ChangeLog changes have been filtered.
I also observed that the package is no longer testable
since upstream certificates expired, I removed them
and I tweaked the build script to generate them at build time,
this way the build is future-proof.
The Makefile change is under review on the upstream side.
Tests can be checked on related link,
lintian error can be ignored on this stable update.
Relate-to: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
commit 635885033dbce498eb0a59c7b955def3e422399d
Author: Philippe Coval <rzr at users.sf.net>
Date: Wed Mar 12 01:44:22 2025 +0100
d/patches: Remove generated ssl certs
commit 25cbde2b89771cadec7dc0937f8530da6b94a27a
Author: Philippe Coval <rzr at users.sf.net>
Date: Tue Mar 11 21:55:31 2025 +0100
debian/tests: Check ssl certs before running tests
Signed-off-by: Philippe Coval <rzr at users.sf.net>
commit 57b3e6d7869d2264529e449ef4d37a9a3d520f62
Author: Philippe Coval <rzr at users.sf.net>
Date: Wed Mar 12 01:43:55 2025 +0100
d/patches: t/Makefile: Generate test certs if not present in sources
commit 11d912791b5174a9bf85730c03192cf0165c1fc2
Author: Philippe Coval <rzr at users.sf.net>
Date: Wed Mar 12 01:39:41 2025 +0100
d/patches: Fixed issue in CA cert. creation
commit 156053cdcf1fc3b675888c702c6fd2a38e7baef4
Author: Philippe Coval <rzr at users.sf.net>
Date: Wed Mar 12 01:39:05 2025 +0100
d/patches: Further fix for CVE-2023-28366.
commit 4071b67300f591a3833e68bda5c0bb5963cc46ca
Author: Andreas Henriksson <andreas at fatal.se>
Date: Thu Feb 20 14:49:43 2025 +0000
debian/patches/0017-Don-t-allow-SUBACK-with-missing-reason-codes.patch
- cherry-pick upstream fix for CVE-2024-10525
Gbp-Dch: Full
commit 80727e7edfe45aeda850cfbaa1c48803094079b3
Author: Andreas Henriksson <andreas at fatal.se>
Date: Thu Feb 20 14:44:36 2025 +0000
d/p/0016-Fix-crash-on-bridge-using-remapped-topic-being-sent-.patch
- cherry-pick upstream fix for CVE-2024-3935
Gbp-Dch: Full
commit 5611a152fa95d80c6fe3d403ffa279a2865ae575
Author: Andreas Henriksson <andreas at fatal.se>
Date: Thu Feb 20 14:41:47 2025 +0000
d/p/0015-Fix-QoS-1-QoS-2-publish-incorrectly-returning-no-sub.patch
- cherry-pick upstream commit fixing regression in CVE-2024-8376 fix
Gbp-Dch: Full
commit 3ff28254e68bb2ff1f5597a591bd7e6b6fb66267
Author: Philippe Coval <rzr at users.sf.net>
Date: Wed Oct 30 20:50:16 2024 +0100
d/p/series: Add patches for CVE-2024-8376
Upstream has confirmed that
this is the only patch needed to fix CVE-2024-8376 (check related link).
To apply v2.0.18-25-g3bb6c9da patch and minimize conflict resolutions,
I have also picked 2 other changes: v2.0.18-25-g3bb6c9da and v2.0.19.
Bug-Debian: https://bugs.debian.org/1084982
Relate-to: https://gitlab.eclipse.org/security/cve-assignement/-/issues/26#note_2848100
Origin: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
Signed-off-by: Philippe Coval <rzr at users.sf.net>
commit 07f03f61440289bb435e127fa68e7892774e0795
Author: Philippe Coval <rzr at users.sf.net>
Date: Mon Mar 10 22:52:29 2025 +0100
Rediff patches
commit eb8fed861039acb7d6009638943cf44f0ea81944
Author: Philippe Coval <rzr at users.sf.net>
Date: Sat Jul 8 10:06:41 2023 +0200
debian/gbp.conf: Build for stable-sec
Using "gbp buildpackage"
debian/gbp.conf: Adjust path for stable
debian/gbp.conf: Adjust path for stable-sec
Origin: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/22
Signed-off-by: Philippe Coval <rzr at users.sf.net>
[ Other info ]
Related context in patches metadata:
debian/patches/0020-t-Makefile-Generate-test-certs-if-not-present-in-sou.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/pull/3234
debian/patches/0020-t-Makefile-Generate-test-certs-if-not-present-in-sou.patch:Relate-to: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
debian/patches/CVE-2021-34434.patch:Bug-Debian: https://bugs.debian.org/993400
debian/patches/CVE-2021-34434.patch:Origin: https://github.com/eclipse/mosquitto/commit/32af599c81e63fa38e834b8f1c1f108c49328e95
debian/patches/CVE-2023-0809.patch:Origin: https://github.com/eclipse/mosquitto/commit/a3c680fbb00a0019573fb84c29332e845e6efcad
debian/patches/CVE-2023-28366.patch:Origin: https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
debian/patches/CVE-2023-3592.patch:Origin: https://github.com/eclipse/mosquitto/commit/00b24e0eb0686e9a76feb71fdaee650cb7e612fa
debian/patches/CVE-2024-8376-1of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/3bb6c9ad51f712864dea63529e0b55661c2a9e84
debian/patches/CVE-2024-8376-2of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17
debian/patches/CVE-2024-8376-3of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Origin: https://github.com/eclipse/mosquitto/commit/9d6a73f9f72005c2f19a262f15d28327eedea91f
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/637
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug-Debian: https://bugs.debian.org/1001028
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-41039
debian/patches/ssl-sslcontext-wrap_socket.patch:Bug-Ubuntu: https://launchpad.net/bugs/1960214
debian/patches/ssl-sslcontext-wrap_socket.patch:Forwarded: https://github.com/eclipse/mosquitto/pull/2451