Ubuntu has released updated Eclipse Mosquitto packages that address multiple security vulnerabilities, including a specific issue where the client improperly managed memory upon receiving a SUBACK packet, which could potentially enable an attacker to execute arbitrary code or lead to a denial of service.

[USN-7441-1] Eclipse Mosquitto vulnerabilities

[USN-7441-1] Eclipse Mosquitto vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7441-1
April 16, 2025

mosquitto vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Eclipse Mosquitto.

Software Description:
- mosquitto: MQTT compatible message broker

Details:

It was discovered that Eclipse Mosquitto client incorrectly handled
memory when receiving a SUBACK packet. An attacker with a malicious
broker could possibly use this issue to execute arbitrary code or
cause a denial of service. (CVE-2024-10525)

Xiangpu Song discovered that Eclipse Mosquitto broker did not properly
manage memory under certain circumstances. A malicious client with a
remote connection could possibly use this issue to cause the broker to
crash resulting in a denial of service, or another unspecified impact.
This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
(CVE-2024-3935)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libmosquitto1 2.0.18-1ubuntu0.1~esm1
Available with Ubuntu Pro
libmosquittopp1 2.0.18-1ubuntu0.1~esm1
Available with Ubuntu Pro
mosquitto 2.0.18-1ubuntu0.1~esm1
Available with Ubuntu Pro
mosquitto-clients 2.0.18-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
libmosquitto1 2.0.11-1ubuntu1.2
libmosquittopp1 2.0.11-1ubuntu1.2
mosquitto 2.0.11-1ubuntu1.2
mosquitto-clients 2.0.11-1ubuntu1.2

Ubuntu 20.04 LTS
libmosquitto1 1.6.9-1ubuntu0.1~esm2
Available with Ubuntu Pro
libmosquittopp1 1.6.9-1ubuntu0.1~esm2
Available with Ubuntu Pro
mosquitto 1.6.9-1ubuntu0.1~esm2
Available with Ubuntu Pro
mosquitto-clients 1.6.9-1ubuntu0.1~esm2
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libmosquitto1 1.4.15-2ubuntu0.18.04.3+esm2
Available with Ubuntu Pro
libmosquittopp1 1.4.15-2ubuntu0.18.04.3+esm2
Available with Ubuntu Pro
mosquitto 1.4.15-2ubuntu0.18.04.3+esm2
Available with Ubuntu Pro
mosquitto-clients 1.4.15-2ubuntu0.18.04.3+esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libmosquitto1 1.4.8-1ubuntu0.16.04.7+esm2
Available with Ubuntu Pro
libmosquittopp1 1.4.8-1ubuntu0.16.04.7+esm2
Available with Ubuntu Pro
mosquitto 1.4.8-1ubuntu0.16.04.7+esm2
Available with Ubuntu Pro
mosquitto-clients 1.4.8-1ubuntu0.16.04.7+esm2
Available with Ubuntu Pro

Ubuntu 14.04 LTS
libmosquitto0 0.15-2+deb7u3ubuntu0.1+esm1
Available with Ubuntu Pro
libmosquittopp0 0.15-2+deb7u3ubuntu0.1+esm1
Available with Ubuntu Pro
mosquitto 0.15-2+deb7u3ubuntu0.1+esm1
Available with Ubuntu Pro
mosquitto-clients 0.15-2+deb7u3ubuntu0.1+esm1
Available with Ubuntu Pro
python-mosquitto 0.15-2+deb7u3ubuntu0.1+esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7441-1
CVE-2024-10525, CVE-2024-3935

Package Information:
https://launchpad.net/ubuntu/+source/mosquitto/2.0.11-1ubuntu1.2