Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mosqui...@packages.debian.org
Control: affects -1 + src:mosquitto
[ Reason ]
Handling mosquitto update for three remaining CVEs in debian stable

[ Impact ]
No known regressions identified so far.

[ Tests ]
It is passing autopkg tests:
https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
Only the (testing) lintian check is failing.

[ Risks ]
Upstream did not review changes or provide feedback:
https://github.com/eclipse-mosquitto/mosquitto/issues/2850#issuecomment-2711985017

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
Please review each commit in the branch:
https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21/commits

For the record, here is a copy of the logs:

commit 08504471ac798736b7358654ca4b275d846dd381
Author: Philippe Coval <r...@users.sf.net>
Date:   Wed Mar 12 01:52:26 2025 +0100

    Update changelog for 2.0.11-1.2+deb12u2 release

    For the record, I have double-checked AH patches; they are
    cherry-picked from upstream, only ChangeLog changes have been filtered.

    I also observed that the package is no longer testable since the
    upstream certificates expired. I removed them and tweaked the build
    script to generate them at build time; this way the build is future proof.
    The Makefile change is under review on the upstream side.

    Tests can be checked on the related link; the lintian error can be
    ignored on this stable update.
    Relate-to: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21

commit 635885033dbce498eb0a59c7b955def3e422399d
Author: Philippe Coval <r...@users.sf.net>
Date:   Wed Mar 12 01:44:22 2025 +0100

    d/patches: Remove generated ssl certs

commit 25cbde2b89771cadec7dc0937f8530da6b94a27a
Author: Philippe Coval <r...@users.sf.net>
Date:   Tue Mar 11 21:55:31 2025 +0100

    debian/tests: Check ssl certs before running tests

    Signed-off-by: Philippe Coval <r...@users.sf.net>

commit 57b3e6d7869d2264529e449ef4d37a9a3d520f62
Author: Philippe Coval <r...@users.sf.net>
Date:   Wed Mar 12 01:43:55 2025 +0100

    d/patches: t/Makefile: Generate test certs if not present in sources

commit 11d912791b5174a9bf85730c03192cf0165c1fc2
Author: Philippe Coval <r...@users.sf.net>
Date:   Wed Mar 12 01:39:41 2025 +0100

    d/patches: Fixed issue in CA cert. creation

commit 156053cdcf1fc3b675888c702c6fd2a38e7baef4
Author: Philippe Coval <r...@users.sf.net>
Date:   Wed Mar 12 01:39:05 2025 +0100

    d/patches: Further fix for CVE-2023-28366.
commit 4071b67300f591a3833e68bda5c0bb5963cc46ca
Author: Andreas Henriksson <andr...@fatal.se>
Date:   Thu Feb 20 14:49:43 2025 +0000

    debian/patches/0017-Don-t-allow-SUBACK-with-missing-reason-codes.patch

    - cherry-pick upstream fix for CVE-2024-10525

    Gbp-Dch: Full

commit 80727e7edfe45aeda850cfbaa1c48803094079b3
Author: Andreas Henriksson <andr...@fatal.se>
Date:   Thu Feb 20 14:44:36 2025 +0000

    d/p/0016-Fix-crash-on-bridge-using-remapped-topic-being-sent-.patch

    - cherry-pick upstream fix for CVE-2024-3935

    Gbp-Dch: Full

commit 5611a152fa95d80c6fe3d403ffa279a2865ae575
Author: Andreas Henriksson <andr...@fatal.se>
Date:   Thu Feb 20 14:41:47 2025 +0000

    d/p/0015-Fix-QoS-1-QoS-2-publish-incorrectly-returning-no-sub.patch

    - cherry-pick upstream commit fixing regression in CVE-2024-8376 fix

    Gbp-Dch: Full

commit 3ff28254e68bb2ff1f5597a591bd7e6b6fb66267
Author: Philippe Coval <r...@users.sf.net>
Date:   Wed Oct 30 20:50:16 2024 +0100

    d/p/series: Add patches for CVE-2024-8376

    Upstream has confirmed that that is the only patch needed to fix
    CVE-2024-8376 (check related link).

    To apply the v2.0.18-25-g3bb6c9da patch and minimize conflict
    resolutions, I have also picked 2 other changes: v2.0.18-25-g3bb6c9da
    and v2.0.19.
    Bug-Debian: https://bugs.debian.org/1084982
    Relate-to: https://gitlab.eclipse.org/security/cve-assignement/-/issues/26#note_2848100
    Origin: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
    Signed-off-by: Philippe Coval <r...@users.sf.net>

commit 07f03f61440289bb435e127fa68e7892774e0795
Author: Philippe Coval <r...@users.sf.net>
Date:   Mon Mar 10 22:52:29 2025 +0100

    Rediff patches

commit eb8fed861039acb7d6009638943cf44f0ea81944
Author: Philippe Coval <r...@users.sf.net>
Date:   Sat Jul 8 10:06:41 2023 +0200

    debian/gbp.conf: Build for stable-sec

    Using "gbp buildpackage"

    debian/gbp.conf: Adjust path for stable
    debian/gbp.conf: Adjust path for stable-sec

    Origin: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/22
    Signed-off-by: Philippe Coval <r...@users.sf.net>

[ Other info ]
Related context in patches metadata:

debian/patches/0020-t-Makefile-Generate-test-certs-if-not-present-in-sou.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/pull/3234
debian/patches/0020-t-Makefile-Generate-test-certs-if-not-present-in-sou.patch:Relate-to: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
debian/patches/CVE-2021-34434.patch:Bug-Debian: https://bugs.debian.org/993400
debian/patches/CVE-2021-34434.patch:Origin: https://github.com/eclipse/mosquitto/commit/32af599c81e63fa38e834b8f1c1f108c49328e95
debian/patches/CVE-2023-0809.patch:Origin: https://github.com/eclipse/mosquitto/commit/a3c680fbb00a0019573fb84c29332e845e6efcad
debian/patches/CVE-2023-28366.patch:Origin: https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
debian/patches/CVE-2023-3592.patch:Origin: https://github.com/eclipse/mosquitto/commit/00b24e0eb0686e9a76feb71fdaee650cb7e612fa
debian/patches/CVE-2024-8376-1of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/3bb6c9ad51f712864dea63529e0b55661c2a9e84
debian/patches/CVE-2024-8376-2of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17
debian/patches/CVE-2024-8376-3of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Origin: https://github.com/eclipse/mosquitto/commit/9d6a73f9f72005c2f19a262f15d28327eedea91f
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/637
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug-Debian: https://bugs.debian.org/1001028
debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-41039
debian/patches/ssl-sslcontext-wrap_socket.patch:Bug-Ubuntu: https://launchpad.net/bugs/1960214
debian/patches/ssl-sslcontext-wrap_socket.patch:Forwarded: https://github.com/eclipse/mosquitto/pull/2451
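The changelog commit above describes the two test-infrastructure changes in this update: the expired upstream test certificates were removed, the t/Makefile now generates them at build time when they are absent, and debian/tests checks them before the suite runs. The script below is an added example of that pattern written for this page; it is not the t/Makefile patch (upstream PR 3234) or the debian/tests check from the merge request. The file names (test-root-ca.crt, server.crt), the ./test/ssl default directory, the 365-day lifetime and the "at least one day left" threshold are assumptions for the example.

```shell
#!/bin/sh
# Added example, not mosquitto's t/Makefile patch or the debian/tests check:
# regenerate a test CA and a CA-signed server certificate when they are
# missing, and refuse to start the test suite on certificates that do not
# verify against the CA or that expire soon. File names, the ./test/ssl
# default and the 365-day lifetime are assumptions for this example.
set -eu

# Minimal openssl config so generation does not depend on the system
# openssl.cnf. The subject is overridden with -subj at each call.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
}

# ensure_test_certs DIR [DAYS]: create test-root-ca.{key,crt} and
# server.{key,csr,crt} in DIR unless the CA and server certs already exist,
# mirroring "generate test certs if not present in sources".
ensure_test_certs() {
    dir=$1
    days=${2:-365}
    if [ -s "$dir/test-root-ca.crt" ] && [ -s "$dir/server.crt" ]; then
        return 0
    fi
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf"
    # Self-signed root with CA:TRUE and keyCertSign, so `openssl verify`
    # (and a broker's cafile) accept it as a trust anchor.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$dir/openssl.cnf" -extensions v3_ca -subj "/CN=Test Root CA" \
        -keyout "$dir/test-root-ca.key" -out "$dir/test-root-ca.crt"
    # Server key and CSR, then a CA-signed leaf with SAN=localhost.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -sha256 -days "$days" \
        -CA "$dir/test-root-ca.crt" -CAkey "$dir/test-root-ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/server.crt"
}

# check_test_cert CERT CAFILE [MIN_SECONDS]: succeed only if CERT chains to
# CAFILE and stays valid for at least MIN_SECONDS (default: one day).
# -checkend exits non-zero when the certificate expires inside that window,
# which catches the "certificates expired" state before any test runs.
check_test_cert() {
    crt=$1
    ca=$2
    min_secs=${3:-86400}
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -checkend "$min_secs" >/dev/null 2>&1
}

# Stand-alone use: sh gen-test-certs.sh [DIR]   (DIR defaults to ./test/ssl)
main() {
    dir=${1:-./test/ssl}
    ensure_test_certs "$dir"
    if ! check_test_cert "$dir/server.crt" "$dir/test-root-ca.crt"; then
        echo "test certificates in $dir do not verify or expire within a day" >&2
        exit 1
    fi
    echo "test certificates in $dir are usable"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Running the check with a threshold longer than the generated lifetime is a quick way to confirm the guard actually fires instead of silently passing, and verifying the leaf against a different CA confirms that a stale certificate from another build cannot be picked up by mistake.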