• Bug#1103927: bookworm-pu: package mosquitto/2.0.11-1.2+deb12u2

    From Philippe Coval@21:1/5 to All on Tue Apr 22 23:20:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    User: release.debian.org@packages.debian.org
    Usertags: pu
    X-Debbugs-Cc: mosquitto@packages.debian.org
    Control: affects -1 + src:mosquitto

    [ Reason ]

    Handling the mosquitto update for three remaining CVEs in Debian stable.

    [ Impact ]

    No known regressions identified so far.

    [ Tests ]

    It is passing the autopkgtests:

    https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21

    Only the (testing) lintian check is failing.


    [ Risks ]

    Upstream did not review the changes or provide feedback:

    https://github.com/eclipse-mosquitto/mosquitto/issues/2850#issuecomment-2711985017


    [ Checklist ]
    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in (old)stable
    [ ] the issue is verified as fixed in unstable

    [ Changes ]

    Please review each commit in the branch:

    https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21/commits

    For the record, here is a copy of the logs:

    commit 08504471ac798736b7358654ca4b275d846dd381
    Author: Philippe Coval <rzr@users.sf.net>
    Date: Wed Mar 12 01:52:26 2025 +0100

    Update changelog for 2.0.11-1.2+deb12u2 release

    For the record, I have double-checked AH's patches;
    they are cherry-picked from upstream,
    only ChangeLog changes have been filtered.

    I also observed that the package is no longer testable
    since the upstream certificates expired; I removed them
    and tweaked the build script to generate them at build time,
    so the build is future-proof.

    The Makefile change is under review on the upstream side.

    Tests can be checked at the related link;
    the lintian error can be ignored for this stable update.

    Relate-to: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21

    commit 635885033dbce498eb0a59c7b955def3e422399d
    Author: Philippe Coval <rzr@users.sf.net>
    Date: Wed Mar 12 01:44:22 2025 +0100

    d/patches: Remove generated ssl certs

    commit 25cbde2b89771cadec7dc0937f8530da6b94a27a
    Author: Philippe Coval <rzr@users.sf.net>
    Date: Tue Mar 11 21:55:31 2025 +0100

    debian/tests: Check ssl certs before running tests

    Signed-off-by: Philippe Coval <rzr@users.sf.net>

    commit 57b3e6d7869d2264529e449ef4d37a9a3d520f62
    Author: Philippe Coval <rzr@users.sf.net>
    Date: Wed Mar 12 01:43:55 2025 +0100

    d/patches: t/Makefile: Generate test certs if not present in sources

    commit 11d912791b5174a9bf85730c03192cf0165c1fc2
    Author: Philippe Coval <rzr@users.sf.net>
    Date: Wed Mar 12 01:39:41 2025 +0100

    d/patches: Fixed issue in CA cert. creation

    commit 156053cdcf1fc3b675888c702c6fd2a38e7baef4
    Author: Philippe Coval <rzr@users.sf.net>
    Date: Wed Mar 12 01:39:05 2025 +0100

    d/patches: Further fix for CVE-2023-28366.

    commit 4071b67300f591a3833e68bda5c0bb5963cc46ca
    Author: Andreas Henriksson <andreas@fatal.se>
    Date: Thu Feb 20 14:49:43 2025 +0000

    debian/patches/0017-Don-t-allow-SUBACK-with-missing-reason-codes.patch

    - cherry-pick upstream fix for CVE-2024-10525

    Gbp-Dch: Full

    commit 80727e7edfe45aeda850cfbaa1c48803094079b3
    Author: Andreas Henriksson <andreas@fatal.se>
    Date: Thu Feb 20 14:44:36 2025 +0000

    d/p/0016-Fix-crash-on-bridge-using-remapped-topic-being-sent-.patch

    - cherry-pick upstream fix for CVE-2024-3935

    Gbp-Dch: Full

    commit 5611a152fa95d80c6fe3d403ffa279a2865ae575
    Author: Andreas Henriksson <andreas@fatal.se>
    Date: Thu Feb 20 14:41:47 2025 +0000

    d/p/0015-Fix-QoS-1-QoS-2-publish-incorrectly-returning-no-sub.patch

    - cherry-pick upstream commit fixing regression in CVE-2024-8376 fix

    Gbp-Dch: Full

    commit 3ff28254e68bb2ff1f5597a591bd7e6b6fb66267
    Author: Philippe Coval <rzr@users.sf.net>
    Date: Wed Oct 30 20:50:16 2024 +0100

    d/p/series: Add patches for CVE-2024-8376

    Upstream has confirmed that
    this is the only patch needed to fix CVE-2024-8376 (check the related link).

    To apply the v2.0.18-25-g3bb6c9da patch and minimize conflict resolution,
    I have also picked 2 other changes: v2.0.18-25-g3bb6c9da and v2.0.19.

    Bug-Debian: https://bugs.debian.org/1084982
    Relate-to: https://gitlab.eclipse.org/security/cve-assignement/-/issues/26#note_2848100
    Origin: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
    Signed-off-by: Philippe Coval <rzr@users.sf.net>

    commit 07f03f61440289bb435e127fa68e7892774e0795
    Author: Philippe Coval <rzr@users.sf.net>
    Date: Mon Mar 10 22:52:29 2025 +0100

    Rediff patches

    commit eb8fed861039acb7d6009638943cf44f0ea81944
    Author: Philippe Coval <rzr@users.sf.net>
    Date: Sat Jul 8 10:06:41 2023 +0200

    debian/gbp.conf: Build for stable-sec

    Using "gbp buildpackage"

    debian/gbp.conf: Adjust path for stable
    debian/gbp.conf: Adjust path for stable-sec

    Origin: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/22
    Signed-off-by: Philippe Coval <rzr@users.sf.net>

    [ Other info ]

    Related context in patches metadata:

    debian/patches/0020-t-Makefile-Generate-test-certs-if-not-present-in-sou.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/pull/3234
    debian/patches/0020-t-Makefile-Generate-test-certs-if-not-present-in-sou.patch:Relate-to: https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21
    debian/patches/CVE-2021-34434.patch:Bug-Debian: https://bugs.debian.org/993400
    debian/patches/CVE-2021-34434.patch:Origin: https://github.com/eclipse/mosquitto/commit/32af599c81e63fa38e834b8f1c1f108c49328e95
    debian/patches/CVE-2023-0809.patch:Origin: https://github.com/eclipse/mosquitto/commit/a3c680fbb00a0019573fb84c29332e845e6efcad
    debian/patches/CVE-2023-28366.patch:Origin: https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
    debian/patches/CVE-2023-3592.patch:Origin: https://github.com/eclipse/mosquitto/commit/00b24e0eb0686e9a76feb71fdaee650cb7e612fa
    debian/patches/CVE-2024-8376-1of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/3bb6c9ad51f712864dea63529e0b55661c2a9e84
    debian/patches/CVE-2024-8376-2of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17
    debian/patches/CVE-2024-8376-3of3.patch:Origin: https://github.com/eclipse-mosquitto/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79
    debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Origin: https://github.com/eclipse/mosquitto/commit/9d6a73f9f72005c2f19a262f15d28327eedea91f
    debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314
    debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/637
    debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug-Debian: https://bugs.debian.org/1001028
    debian/patches/Fix-CONNECT-performance-with-many-user-properties.patch:Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-41039
    debian/patches/ssl-sslcontext-wrap_socket.patch:Bug-Ubuntu: https://launchpad.net/bugs/1960214
    debian/patches/ssl-sslcontext-wrap_socket.patch:Forwarded: https://github.com/eclipse/mosquitto/pull/2451

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Philippe Coval@21:1/5 to All on Tue Apr 22 23:50:01 2025
    XPost: linux.debian.devel.release


    Check attached mosquitto_2.0.11-1.2+deb12u2.debdiff

    Generated from local build of this branch:

    https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21/commits



    diff -Nru mosquitto-2.0.11/debian/changelog mosquitto-2.0.11/debian/changelog --- mosquitto-2.0.11/debian/changelog 2023-09-30 19:28:09.000000000 +0200
    +++ mosquitto-2.0.11/debian/changelog 2025-04-22 21:39:19.000000000 +0200
    @@ -1,3 +1,27 @@
    +mosquitto (2.0.11-1.2+deb12u2) bookworm; urgency=medium
    +
    + [ Philippe Coval ]
    + * debian/gbp.conf: Build for stable-sec
    + * Rediff patches
    + * d/p/series: Add patches for CVE-2024-8376
    +
    + [ Andreas Henriksson ]
    + * d/p/0015-Fix-QoS-1-QoS-2-publish-incorrectly-returning-no-sub.patch
    + - cherry-pick upstream commit fixing regression in CVE-2024-8376 fix
    + * d/p/0016-Fix-crash-on-bridge-using-remapped-topic-being-sent-.patch
    + - cherry-pick upstream fix for CVE-2024-3935
    + * debian/patches/0017-Don-t-allow-SUBACK-with-missing-reason-codes.patch
    + - cherry-pick upstream fix for CVE-2024-10525
    +
    + [ Philippe Coval ]
    + * d/patches: Further fix for CVE-2023-28366.
    + * d/patches: Fixed issue in CA cert. creation
    + * d/patches: t/Makefile: Generate test certs if not present in sources
    + * debian/tests: Check s
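    Review bot: the new changelog stanza is headed `bookworm; urgency=medium`, i.e. a point-release (proposed-updates) upload, yet its first bullet reads `* debian/gbp.conf: Build for stable-sec`; the gbp.conf target should match the suite in the stanza header, so either reword that bullet or adjust the gbp.conf change so that a stable upload is not configured as a stable-security one.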
  • From philippe coval@21:1/5 to All on Wed Apr 30 09:20:01 2025
    XPost: linux.debian.devel.release


    Hi,

    Let me share a bit more information,

    First let me confirm about:

      [x] the issue is verified as fixed in unstable

    The latest upstream version is v2.0.21 and is released in unstable and
    testing.

    Regarding the content of the debdiff, don't be scared by the certs removal;

    they are obsolete and can't be used for testing.

    So I have improved the build flow to re-generate them on the fly.

    That change was forwarded upstream; no negative feedback since:

    https://github.com/eclipse-mosquitto/mosquitto/pull/3234

    Finally, for context, some attempts to make a Debian revision were
    started along with the security team, but it stalled because the CI checks were
    not passing (which have been fixed since) and upstream was not responsive in
    reviewing it; time passed and the sec-team proposed that I target a point
    release, as explained at:

    https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

    Besides waiting for review, is there anything I can do?



  • From Adam D. Barratt@21:1/5 to Philippe Coval on Sat May 10 17:10:01 2025
    XPost: linux.debian.devel.release

    Control: tags -1 + confirmed

    On Tue, 2025-04-22 at 23:42 +0200, Philippe Coval wrote:
    > Check attached mosquitto_2.0.11-1.2+deb12u2.debdiff
    >
    > Generated from local build of this branch:
    >
    > https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/21/commits
    >
    > + * debian/gbp.conf: Build for stable-sec

    This isn't a stable-security upload, so you may want to change that.

    Please go ahead.

    Regards,

    Adam

  • From Philippe Coval@21:1/5 to All on Sun May 11 23:40:01 2025
    XPost: linux.debian.devel.release


    Thanks for the feedback,

    I have rebased the changes on the debian/stable/master branch:

    https://salsa.debian.org/debian-iot-team/mosquitto/-/merge_requests/31

    I have also updated the debdiff with those changes:

    diff --git a/debian/changelog b/debian/changelog
    index c3ae680f..befb8576 100644
    --- a/debian/changelog
    +++ b/debian/changelog
    @@ -1,7 +1,9 @@
    -mosquitto (2.0.11-1.2+deb12u2) bookworm-security; urgency=high
    +mosquitto (2.0.11-1.2+deb12u2) bookworm; urgency=medium

    [ Philippe Coval ]
    - * debian/gbp.conf: Build for stable-sec
    + * debian/gbp.conf: Build on tag
    + * debian/gbp.conf: Use debian orig import as upstream
    + * debian/gbp.conf: Adjust path for stable
    * Rediff patches
    * d/p/series: Add patches for CVE-2024-8376

    @@ -20,7 +22,7 @@ mosquitto (2.0.11-1.2+deb12u2) bookworm-security; urgency=high
    * debian/tests: Check ssl certs before running tests
    * d/patches: Remove generated ssl certs

    - -- Philippe Coval <rzr@users.sf.net> Wed, 12 Mar 2025 01:52:26 +0100
    + -- Philippe Coval <rzr@users.sf.net> Sun, 11 May 2025 21:31:01 +0200

    mosquitto (2.0.11-1.2+deb12u1) bookworm-security; urgency=high

    diff --git a/debian/gbp.conf b/debian/gbp.conf
    index 3d70443f..cead8ced 100644
    --- a/debian/gbp.conf
    +++ b/debian/gbp.conf
    @@ -1,5 +1,5 @@
    [DEFAU
  • From Philippe Coval@21:1/5 to All on Wed May 14 09:00:02 2025
    XPost: linux.debian.devel.release

    Hi,

    A couple of days ago I uploaded a package with changes based on Adam's feedback:

    Successfully uploaded mosquitto_2.0.11-1.2+deb12u2.dsc to ftp.upload.debian.org for ftp-master.
    Successfully uploaded mosquitto_2.0.11-1.2+deb12u2.debian.tar.xz to ftp.upload.debian.org for ftp-master.
    Successfully uploaded mosquitto_2.0.11-1.2+deb12u2_amd64.buildinfo to ftp.upload.debian.org for ftp-master.
    Successfully uploaded mosquitto_2.0.11-1.2+deb12u2_source.changes to ftp.upload.debian.org for ftp-master.

    For the record, I built it on bookworm (using gbp buildpackage --git-pbuilder ...)

    Now according to the process page:

    https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

    I expect it is in the proposed-updates-new queue? (Is this public?)
    Can it land in stable (12.11) on 2025-05-17,
    or is it too late (I see freeze dates of 2025-05-15 in https://release.debian.org/)?

    Regards


  • From Adam D. Barratt@21:1/5 to Philippe Coval on Wed May 14 18:10:03 2025
    XPost: linux.debian.devel.release

    On Wed, 2025-05-14 at 08:50 +0200, Philippe Coval wrote:
    > A couple of days ago I uploaded a package with changes based on Adam's feedback:
    >
    > Successfully uploaded mosquitto_2.0.11-1.2+deb12u2.dsc to ftp.upload.debian.org for ftp-master.
    >
    > [...]
    > Now according to the process page:
    >
    > https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
    >
    > I expect it is in the proposed-updates-new queue? (Is this public?)

    It would be, yes. You can see uploads in stable-new as the "Resolution
    pending" section on
    https://release.debian.org/proposed-updates/stable.html

    > Can it land in stable (12.11) on 2025-05-17,
    > or is it too late (I see freeze dates of 2025-05-15 in https://release.debian.org/)?

    The relevant date was the 11th, as mentioned in the 12.11 announcement
    linked from https://release.debian.org/

    However, in this case your upload hasn't even got that far, because
    your key in the DM keyring has expired:

    pub rsa4096 2020-07-25 [SC] [expired: 2025-04-28]
    CCB683D5A8C96A9748F667210EA6A8DFEBFF9A78


    Regards,

    Adam
