From 06c84aeb666cc3cfacb704d6a4e109718b529dc2 Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Mon, 30 Aug 2021 22:06:32 +0100 Subject: [PATCH] CVE-2021-34434 details. --- ChangeLog.txt | 2 +- www/pages/security.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog.txt b/ChangeLog.txt index 51157a62..8ec8b65b 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -14,7 +14,7 @@ Security: remotely accessible listener to be opened that was not confined to the local machine but did have anonymous access enabled, contrary to the documentation. This has been fixed. Closes #2283. -- If a plugin had granted ACL subscription access to a +- CVE-2021-34434: If a plugin had granted ACL subscription access to a durable/non-clean-session client, then removed that access, the client would keep its existing subscription. This has been fixed. - Incoming QoS 2 messages that had not completed the QoS flow were not being diff --git a/www/pages/security.md b/www/pages/security.md index 44cd1f7c..657e49ce 100644 --- a/www/pages/security.md +++ b/www/pages/security.md @@ -19,6 +19,8 @@ follow the steps on [Eclipse Security] page to report it. Listed with most recent first. Further information on security related issues can be found in the [security category]. +* August 2021: [CVE-2021-34434] Affecting versions **2.0.0** to **2.0.11** + inclusive, fixed in **2.0.12**. * April 2021: [CVE-2021-28166] Affecting versions **2.0.0** to **2.0.9** inclusive, fixed in **2.0.10**. * December 2020: Running mosquitto_passwd with the following arguments only 
@@ -69,6 +71,7 @@ can be found in the [security category]. [Eclipse Security]: https://www.eclipse.org/security/ [security category]: /blog/categories/security/ +[CVE-2021-34434]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434 [CVE-2021-28166]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166 [CVE-2019-11779]: https://nvd.nist.gov/vuln/detail/CVE-2019-11779 [CVE-2019-11778]: https://nvd.nist.gov/vuln/detail/CVE-2019-11778
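Review bot: In the ChangeLog.txt hunk, the new "CVE-2021-34434:" entry carries no issue or commit reference, while the entry directly above it ends with "Closes #2283."; for traceability between the advisory, the changelog and the fix, consider appending the tracking reference for this ACL-revocation bug in the same "Closes #NNNN" style as its neighbour.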
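Review bot: The new "August 2021: [CVE-2021-34434]" bullet in www/pages/security.md states only the affected and fixed versions ("**2.0.0** to **2.0.11** inclusive, fixed in **2.0.12**") with no description of the issue, whereas the "December 2020" bullet below it spells out the affected behaviour; a one-line summary taken from the ChangeLog wording (an ACL subscription revocation by a plugin was not applied to a durable/non-clean-session client's existing subscription) would let operators judge their exposure from this page alone.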
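Review bot: The added link definition "[CVE-2021-34434]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434" follows the cve.mitre.org form used for CVE-2021-28166, while the CVE-2019 entries point at nvd.nist.gov; the reference list now mixes two databases, so consider standardising on one target (or adding both) so every advisory in the list resolves to the same kind of record.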