| Package | mosquitto |
|---|---|
| Version | 1.5.7-1+deb10u2 (buster) |
| Related CVEs | CVE-2024-10525 |
CVE-2024-10525
If a malicious broker sends a crafted SUBACK packet with no reason codes, a
client using libmosquitto may make out of bounds memory access when acting in
its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr
clients.
For Debian 10 buster, these problems have been fixed in version 1.5.7-1+deb10u2.
We recommend that you upgrade your mosquitto packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.