File _patchinfo of Package patchinfo.18988

<patchinfo incident="18988">
  <issue tracker="cve" id="2024-3935"/>
  <issue tracker="cve" id="2024-10525"/>
  <issue tracker="bnc" id="1232636">VUL-0: CVE-2024-10525: mosquitto: out-of-bounds memory access when acting in an on_subscribe callback for a crafted SUBACK packet with no reason codes</issue>
  <issue tracker="bnc" id="1232635">VUL-0: CVE-2024-3935: mosquitto: double free and subsequent crash when running under bridge mode and processing remote connections</issue>
  <packager>dirkmueller</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for mosquitto</summary>
  <description>This update for mosquitto fixes the following issues:

mosquitto was updated to version 2.0.21:

* Broker

  * Fix clients sending a RESERVED packet not being quickly
    disconnected.
  * Fix bind_interface producing an error when used with an
    interface that has an IPv6 link-local address and no other
    IPv6 addresses.
  * Fix mismatched wrapped/unwrapped memory alloc/free in
    properties.
  * Fix allow_anonymous false not being applied in local only mode.
  * Add retain_expiry_interval option to fix expired retained
    messages not being removed from memory if they are not
    subscribed to.
  * Produce an error if invalid combinations of
    cafile/capath/certfile/keyfile are used.
  * Backport keepalive checking from develop to fix problems in
    current implementation.

* Client library

  * Fix potential deadlock in mosquitto_sub if -W is used.

* Apps

  * mosquitto_ctrl dynsec now also allows -i to specify a clientid
    as well as -c. This matches the documentation which states -i.

- systemd service: Wait until the network is set up to avoid
  startup failure.
- Update to version 2.0.19 (CVE-2024-3935 boo#1232635, CVE-2024-10525 boo#1232636):

</description>
</patchinfo>