CVE-2023-3592

Name	CVE-2023-3592
Description	In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5511-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mosquitto (PTS)	jessie, jessie (lts)	1.3.4-2+deb8u4	vulnerable
	stretch (security), stretch (lts), stretch	1.4.10-3+deb9u5	fixed
	buster, buster (security)	1.5.7-1+deb10u1	fixed
	bullseye (security), bullseye	2.0.11-1+deb11u1	fixed
	bookworm (security), bookworm	2.0.11-1.2+deb12u1	fixed
	sid, trixie	2.0.18-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
mosquitto	source	jessie	(unfixed)	end-of-life
mosquitto	source	stretch	(not affected)
mosquitto	source	buster	(not affected)
mosquitto	source	bullseye	2.0.11-1+deb11u1		DSA-5511-1
mosquitto	source	bookworm	2.0.11-1.2+deb12u1		DSA-5511-1
mosquitto	source	(unstable)	2.0.17-1

Notes

[buster] - mosquitto <not-affected> (The vulnerable code was introduced later)
https://mosquitto.org/blog/2023/08/version-2-0-16-released/
https://github.com/eclipse/mosquitto/commit/00b24e0eb0686e9a76feb71fdaee650cb7e612fa (v2.0.16)
[stretch] - mosquitto <not-affected> (The vulnerable code was introduced later)