Commit 963c342
fix(deps): update module github.com/eclipse/paho.mqtt.golang to v1.5.1 [security] (#162)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/eclipse/paho.mqtt.golang](https://redirect.github.com/eclipse/paho.mqtt.golang) | `v1.5.0` -> `v1.5.1` | | |

### GitHub Vulnerability Alerts
#### [CVE-2025-10543](https://nvd.nist.gov/vuln/detail/CVE-2025-10543)
In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0
UTF-8 encoded strings, passed into the library, may be incorrectly
encoded if their length exceeds 65535 bytes. This may lead to unexpected
content in packets sent to the server (for example, part of an MQTT
topic may leak into the message body in a PUBLISH packet).
The issue arises because the length of the data passed in was converted
from an int64/int32 (depending upon CPU) to an int16 without checks for
overflows. The int16 length was then written, followed by the data (e.g.
topic). This meant that when the data (e.g. topic) was over 65535 bytes
then the amount of data written exceeds what the length field indicates.
This could lead to a corrupt packet, or mean that the excess data leaks
into another field (e.g. topic leaks into message body).
---
### Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes in github.com/eclipse/paho.mqtt.golang
[CVE-2025-10543](https://nvd.nist.gov/vuln/detail/CVE-2025-10543) /
[GHSA-32fw-gq77-f2f2](https://redirect.github.com/advisories/GHSA-32fw-gq77-f2f2)
/ [GO-2025-4173](https://pkg.go.dev/vuln/GO-2025-4173)
<details>
<summary>More information</summary>
#### Details
Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds
65535 bytes in github.com/eclipse/paho.mqtt.golang
#### Severity
Unknown
#### References
- [https://github.com/advisories/GHSA-32fw-gq77-f2f2](https://redirect.github.com/advisories/GHSA-32fw-gq77-f2f2)
- [https://github.com/alpinelinux/build-server-status/commit/e3487897db32c8c3d0287643f8384a6669e93731](https://redirect.github.com/alpinelinux/build-server-status/commit/e3487897db32c8c3d0287643f8384a6669e93731)
- [https://github.com/eclipse-paho/paho.mqtt.golang/issues/730](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/issues/730)
- [https://github.com/eclipse-paho/paho.mqtt.golang/pull/714](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/pull/714)
- [https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2025-4173) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>
---
### Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes
[CVE-2025-10543](https://nvd.nist.gov/vuln/detail/CVE-2025-10543) /
[GHSA-32fw-gq77-f2f2](https://redirect.github.com/advisories/GHSA-32fw-gq77-f2f2)
/ [GO-2025-4173](https://pkg.go.dev/vuln/GO-2025-4173)
<details>
<summary>More information</summary>
#### Details
In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0
UTF-8 encoded strings, passed into the library, may be incorrectly
encoded if their length exceeds 65535 bytes. This may lead to unexpected
content in packets sent to the server (for example, part of an MQTT
topic may leak into the message body in a PUBLISH packet).
The issue arises because the length of the data passed in was converted
from an int64/int32 (depending upon CPU) to an int16 without checks for
overflows. The int16 length was then written, followed by the data (e.g.
topic). This meant that when the data (e.g. topic) was over 65535 bytes
then the amount of data written exceeds what the length field indicates.
This could lead to a corrupt packet, or mean that the excess data leaks
into another field (e.g. topic leaks into message body).
#### Severity
- CVSS Score: 6.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N`
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2025-10543](https://nvd.nist.gov/vuln/detail/CVE-2025-10543)
- [https://github.com/eclipse-paho/paho.mqtt.golang/issues/730](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/issues/730)
- [https://github.com/eclipse-paho/paho.mqtt.golang/pull/714](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/pull/714)
- [https://github.com/alpinelinux/build-server-status/commit/e3487897db32c8c3d0287643f8384a6669e93731](https://redirect.github.com/alpinelinux/build-server-status/commit/e3487897db32c8c3d0287643f8384a6669e93731)
- [https://github.com/advisories/GHSA-32fw-gq77-f2f2](https://redirect.github.com/advisories/GHSA-32fw-gq77-f2f2)
- [https://github.com/eclipse-paho/paho.mqtt.golang](https://redirect.github.com/eclipse-paho/paho.mqtt.golang)
- [https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-32fw-gq77-f2f2) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>eclipse/paho.mqtt.golang
(github.com/eclipse/paho.mqtt.golang)</summary>
### [`v1.5.1`](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/releases/tag/v1.5.1)
[Compare Source](https://redirect.github.com/eclipse/paho.mqtt.golang/compare/v1.5.0...v1.5.1)
This is a minor release incorporating changes made in the 14 months
since v1.5.0 (including updating dependencies, and raising the Go
version to 1.24). The changes are relatively minor but address a
potential security issue, possible panic, enable users to better monitor
the connection status, and incorporate a few optimisations.
Thanks to those who have provided fixes/enhancements included in this
release!
Special thanks to Paul Gerste at [Sonar](https://www.sonarsource.com/)
for reporting issue
[#​730](https://redirect.github.com/eclipse/paho.mqtt.golang/issues/730)
via the Eclipse security team (fix was implemented in PR
[#​714](https://redirect.github.com/eclipse/paho.mqtt.golang/issues/714)
in May, github issue created just prior to this release). This issue
arose where a topic > 65535 bytes was passed to the `Publish` function,
due to the way the data was encoded the topic could leak into the
message body. Please see issue
[#​730](https://redirect.github.com/eclipse/paho.mqtt.golang/issues/730)
for further details.
#### What's Changed
- Updating go dependencies from pub and sub into the containers before
building by
[@​JefJrFigueiredo](https://redirect.github.com/JefJrFigueiredo)
in
[eclipse-paho#691](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/pull/691)
- Optimize TCP connection logic by
[@​geekeryy](https://redirect.github.com/geekeryy) in
[eclipse-paho#713](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/pull/713)
- Fields over 65535 bytes not encoded correctly by
[@​MattBrittan](https://redirect.github.com/MattBrittan) in
[eclipse-paho#714](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/pull/714)
- Reduce slice allocations in route dispatch by
[@​alespour](https://redirect.github.com/alespour) in
[eclipse-paho#710](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/pull/710)
- Add a ConnectionNotificationHandler by
[@​RangelReale](https://redirect.github.com/RangelReale) in
[eclipse-paho#727](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/pull/727)
- Potential panic when using manual ACK by
[@​MattBrittan](https://redirect.github.com/MattBrittan) in
[eclipse-paho#729](https://redirect.github.com/eclipse-paho/paho.mqtt.golang/pull/729)
**Full Changelog**:
<eclipse-paho/paho.mqtt.golang@v1.5.0...v1.5.1>
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
## Need help?
You can ask for more help in the following Slack channel:
#proj-renovate-self-hosted. In that channel you can also find ADR and
FAQ docs in the Resources section.
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>

1 parent 0eb4ff0 commit 963c342
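
The length truncation described in the advisory text of the commit message, as an added Go example (not code from paho.mqtt.golang or from this commit). All function names and the sample topic are constructed for illustration; it pairs an unchecked 2-byte length prefix with a checked one and shows what a receiver parses out of the unchecked result.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const maxField = 65535 // largest value a 2-byte length prefix can hold

// encodeUnchecked reproduces the flaw: the length is narrowed to 16 bits
// with no overflow check, then every byte of the field is written anyway.
func encodeUnchecked(field string) []byte {
	out := make([]byte, 2, 2+len(field))
	binary.BigEndian.PutUint16(out, uint16(len(field))) // wraps modulo 65536
	return append(out, field...)
}

// encodeChecked refuses any field the prefix cannot describe.
func encodeChecked(field string) ([]byte, error) {
	if len(field) > maxField {
		return nil, errors.New("field longer than 65535 bytes")
	}
	return encodeUnchecked(field), nil
}

// decodeBody splits a QoS 0 PUBLISH body (topic field, then payload) as a
// receiver would: trust the prefix, treat everything after it as payload.
func decodeBody(body []byte) (topic, payload string) {
	if len(body) < 2 || len(body) < 2+int(binary.BigEndian.Uint16(body)) {
		return "", ""
	}
	n := int(binary.BigEndian.Uint16(body))
	return string(body[2 : 2+n]), string(body[2+n:])
}

// leakDemo encodes a constructed 65542-byte topic plus a 5-byte payload
// and returns what the receiving side parses out of the result.
func leakDemo() (topic, payload string) {
	long := "site/a" + strings.Repeat("x", 65530) + "/token"
	return decodeBody(append(encodeUnchecked(long), "hello"...))
}

func main() {
	t, p := leakDemo()
	fmt.Printf("topic=%q payload bytes=%d\n", t, len(p))
}
```

The receiver sees a 6-byte topic, and the remaining 65536 bytes of the intended topic arrive as the start of the message body; the checked encoder returns an error for the same input instead of emitting the packet.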
2 files changed, +3 -3 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
6 | | - | |
| 6 | + | |
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
27 | | - | |
28 | | - | |
| 27 | + | |
| 28 | + | |
29 | 29 | | |
30 | 30 | | |
31 | 31 | | |
| |||