Ubuntu has announced the release of updated Eclipse Mosquitto packages to address several critical security vulnerabilities. One significant issue involves the improper handling of memory by the Mosquitto client when it receives a SUBACK packet, which could allow an attacker to execute arbitrary code or cause a denial of service (DoS). Additionally, there was a problem with the Mosquitto broker that could lead to a DoS if a malicious client exploited the memory management flaws, specifically affecting Ubuntu versions 22.04 LTS and 24.04 LTS.
The affected Ubuntu releases include:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
To resolve these vulnerabilities, users are advised to update their systems to the latest package versions. Each version of Ubuntu has specific package updates listed, which can be accessed through Ubuntu Pro.
For example, the updated packages for Ubuntu 24.04 LTS include:
- libmosquitto1: 2.0.18-1ubuntu0.1~esm1
- libmosquittopp1: 2.0.18-1ubuntu0.1~esm1
- mosquitto: 2.0.18-1ubuntu0.1~esm1
- mosquitto-clients: 2.0.18-1ubuntu0.1~esm1
Users of Ubuntu 22.04 LTS and other older versions will have similarly specific updates available. A standard system update is sufficient to implement these changes.
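To confirm that a host actually carries the fixed 24.04 LTS versions listed above, the following added example (not part of the notice or of the Mosquitto project) re-implements dpkg's version ordering in Python, including the rule that `~` sorts before the end of a string (so `2.0.18-1ubuntu0.1~esm1` is older than `2.0.18-1ubuntu0.1`), and runs it over `dpkg-query -W` style output collected from hosts. The fixed-version table comes from the package list above; the installed versions in the sample are constructed, as is the helper name `unpatched`.

```python
import re
def _weight(c):
    # dpkg's order(): digits 0, letters their ASCII value, '~' below even end-of-string (0), other chars 256+ASCII.
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare one upstream or revision fragment the way dpkg's verrevcmp() does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run first; a missing character weighs 0, so "~esm1" sorts below "".
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            wa, wb = (_weight(a[ia]) if ia < len(a) else 0), (_weight(b[ib]) if ib < len(b) else 0)
            if wa != wb:
                return wa - wb
            ia, ib = ia + 1, ib + 1
        # Then a digit run, compared numerically (leading zeros are insignificant).
        ma, mb = re.match(r"\d*", a[ia:]).group(), re.match(r"\d*", b[ib:]).group()
        da, db = ma.lstrip("0"), mb.lstrip("0")
        if da != db:
            return 1 if (len(da), da) > (len(db), db) else -1
        ia, ib = ia + len(ma), ib + len(mb)
    return 0

def compare_versions(a, b):
    """Return -1/0/1 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (int(epoch), rest) if sep else (0, v)
        up, sep, rev = rest.rpartition("-")
        return epoch, (up if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)

# Fixed versions for Ubuntu 24.04 LTS exactly as listed in the notice above.
FIXED_24_04 = dict.fromkeys(["libmosquitto1", "libmosquittopp1", "mosquitto",
                             "mosquitto-clients"], "2.0.18-1ubuntu0.1~esm1")

def unpatched(dpkg_output, fixed=FIXED_24_04):
    """Map package -> installed version for listed packages still below the fix ('<pkg> <ver>' lines)."""
    found = {}
    for line in dpkg_output.splitlines():
        pkg, _, ver = line.strip().partition(" ")
        if pkg in fixed and ver and compare_versions(ver, fixed[pkg]) < 0:
            found[pkg] = ver
    return found

# Constructed sample output (not from a real host); mosquitto is already at the fixed version.
SAMPLE = ("libmosquitto1 2.0.18-1build3\nmosquitto 2.0.18-1ubuntu0.1~esm1\n"
          "mosquitto-clients 2.0.18-1build3\nopenssl 3.0.13-0ubuntu3")
```

On a real host the same data comes from `dpkg-query -W -f='${Package} ${Version}\n'`, and `dpkg --compare-versions` can cross-check any single result.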
Extension:
To maintain a secure and efficient environment, users of Eclipse Mosquitto and Ubuntu should regularly monitor security notices and apply updates promptly. The vulnerabilities highlighted underscore the importance of robust memory management in software, especially for applications that handle network communications like MQTT brokers. Users should also consider implementing additional security measures, such as using firewalls and intrusion detection systems, to further protect their systems against potential attacks. Additionally, organizations using these packages should conduct regular security audits and consider upgrading to newer LTS versions to benefit from improved security features and ongoing support.
Eclipse Mosquitto updates for Ubuntu
Ubuntu has released updated Eclipse Mosquitto packages that address multiple security vulnerabilities, including a specific issue where the client improperly managed memory upon receiving a SUBACK packet, which could potentially enable an attacker to execute arbitrary code or lead to a denial of service.
[USN-7441-1] Eclipse Mosquitto vulnerabilities