Eclipse Mosquitto™ 2.0.10


- CVE-2021-28166: If an authenticated client connected with MQTT v5 sent a

  malformed CONNACK message to the broker a NULL pointer dereference occurred,

  most likely resulting in a segfault. This will be updated with the CVE

  number when it is assigned.

  Affects versions 2.0.0 to 2.0.9 inclusive.


- Don't over write new receive-maximum if a v5 client connects and takes over

  an old session. Closes #2134.

- Fix CVE-2021-28166. Closes #2163.


- Set `receive-maximum` to not exceed the `-C` message count in mosquitto_sub

  and mosquitto_rr, to avoid potentially lost messages. Closes #2134.

- Fix TLS-PSK mode not working with port 8883. Closes #2152.

Client library:

- Fix possible socket leak. This would occur if a client was using

  `mosquitto_loop_start()`, then if the connection failed due to the remote

  server being inaccessible they called `mosquitto_loop_stop(, true)` and

  recreated the mosquitto object.


- A variety of minor build related fixes, like functions not having previous


- Fix CMake cross compile builds not finding opensslconf.h. Closes #2160.

- Fix build on Solaris non-sparc. Closes #2136.

Release Date
Release Type
Service release (bug fixes only)