Release Notes for Solace PubSub+ Event Broker, Version 10.12.0.144
April 2025
Release 10.12.0 Lifecycle
Solace PubSub+ Event Broker, Version 10.12.0 is a Preview Release and will be superseded by release 10.25.0. The support duration for releases can be found at https://solace.com/support .
New Features Introduced in Release 10.12
This section lists the new features in the Solace PubSub+ Event Broker, Release 10.12.
| Name | Description | Introduced in Version |
|---|---|---|
| mTLS for Token Grant for Manager Login (OAuth) | When a user logs into the PubSub+ Manager using OAuth, the broker can now be configured to use a client certificate as a credential when connecting to the token endpoint of the authorization server, as described in RFC8705. This eliminates the need for basic authentication between the broker and the authorization server. | 10.12.0.144 |
| Ability to Configure a Zero Retry List for REST Consumers Based on HTTP Error Response Codes | This feature provides the ability to zero retry rejection lists with specific 4xx and 5xx HTTP codes. If the Event Broker receives a matching response, it won't retry delivery and the message is discarded or sent to the DMQ, if configured. | 10.12.0.144 |
| Improved Visibility of the Cluster State for an Event Mesh | This feature provides visibility of the cluster synchronization (cluster-sync) state in the show cluster state command. During HA failovers, cluster synchronization allows newly restarted event brokers to learn remote subscription needs before resuming local service. | 10.12.0.144 |
| Exclusive DTE with Bind Count > 1 | Exclusive DTEs will now allow more than a single flow to be bound. All messages will be sent to the first flow to bind. If the first flow is unbound, then the second flow will begin to receive messages. The existing configuration of max-bind-count for exclusive DTEs will become functional (currently all possible values are treated as 1). This feature will more closely align the behavior of exclusive DTEs with exclusive queues. | 10.12.0.144 |
| Visual Improvements in the Pubsub+ Broker Manager's Learning Center | This feature provided visual improvements to the Pubsub+ Broker Manager's Learning Center in the API and Manage your Broker Sections. | 10.12.0.144 |
| New Content for Getting Started with the Basics in the Pubsub+ Broker Manager Learning Center | This feature provides the ability to access the Solace Topic Explorer from the Pubsub+ Broker Manager's Learning Center. | 10.12.0.144 |
Issues Resolved in Release 10.12
This section lists the resolved issues in the Solace PubSub+ Event Broker, Release 10.12.
| Reference Number | Description | Resolved in Version |
|---|---|---|
| SOL-105222 | A rare race condition can occur when severe disk latency affects the underlying infrastructure while the broker is starting up the guaranteed messaging service. This may cause slow assured delivery startup and impact replay and other persistent endpoints in systems that use message promotion. Workaround: Restart the broker when disk performance has stabilized. | 10.12.0.144 |
| SOL-123894 | SEMP requests with the command "show smrp subscriptions" could cause system instability when executed during periods of high subscription activity, potentially leading to service interruptions. | 10.12.0.144 |
| SOL-125072 | Occasionally, a race condition during software broker redundancy synchronization might overwrite more recent data with older data causing data corruption on the standby broker. | 10.12.0.144 |
| SOL-129641 | Deleting a partitioned queue could cause the partitions in an unrelated partitioned queue to become not ready. Workaround: Consume or delete all the messages from the affected partitioned queue, set the partition count to 0, then set it back to its original value. | 10.12.0.144 |
| SOL-132721 | The "show hardware [details]" and "show interface [<phy-interface>] [detail]" commands may cause operational disruptions when executed during high traffic periods. These disruptions can include Network Acceleration Blade (NAB) interfaces flapping down and up, links being removed from and added back to LAGs, and in rare circumstances, broker reboots. Workaround: Disable monitoring tools that execute "show hardware [details]" and "show interface [<phy-interface>] [detail]" commands. | 10.12.0.144 |
| SOL-133695 | Queue subscriptions may be lost after a message-spool reset, requiring manual reconfiguration after the reset operation. | 10.12.0.144 |
| SOL-134090 | Upgrading appliances to version 10.10.1 or later could experience extended completion times before finishing successfully. | 10.12.0.144 |
| SOL-134216 | Dynamic Message Routing (DMR) cluster subscription synchronization may become stuck after a broker reboot when an external link is configured and enabled without a corresponding valid DMR bridge. The valid DMR bridge must be correctly configured with the appropriate remote Message VPN. | 10.12.0.144 |
| SOL-134642 | Config-sync may fail to sync when configuring replication in environments with both Disaster Recovery (DR) and Dynamic Message Routing (DMR) configured with a mix of DR-enabled and DR-disabled VPNs. | 10.12.0.144 |
| SOL-134724 | For Solace appliances, modifying the guaranteed message cache usage limit under the message spool, or disabling or enabling the message spool, can lead to system instability and unexpected system restarts in some cases. This issue is more likely to occur during periods of high guaranteed messaging load. | 10.12.0.144 |
Changed Functionality in Release 10.12
This section lists the changed functionality in the Solace PubSub+ Event Broker, Release 10.12.
| Reference Number | Description | Introduced in Version |
|---|---|---|
| SOL-133877 | SEMP responses for "show cluster <cluster-name-pattern>" may be invalid if the response contains multiple Dynamic Message Routing (DMR) topology issues. | 10.12.0.144 |
| SOL-121176 | Exclusive topic endpoints configured with a max-bind-count greater than 1 will now use that configuration rather than operationally limiting the bind count to 1. If applications operationally require this limit, ensure all exclusive topic endpoints are configured with the default value of 1 before upgrading. If choosing to use this functionality within replication (DR) clusters, ensure that both sides are upgraded before starting to use this feature. The {{operational-max-bind-count}} SEMPv1 response attribute and the {{maxEffectiveBindCount}} SEMPv2 monitoring API topic endpoint attributes have been deprecated. The configured value should be used instead when it is known the broker software has this new functionality. | 10.12.0.144 |
Vulnerabilities Addressed in Release 10.12
The following vulnerabilities have been resolved in the Solace PubSub+ Event Broker, Release 10.12.
| Resolved in Version | Severity (CVSS v3 Score) | CVE Number | Solace Reference Number | Affected Products | Affected Releases | Description |
|---|---|---|---|---|---|---|
| 10.12.0.144 | CVSS v3: 9.1 (CRITICAL) | SOL-135507 | PubSub+ Event Broker Container. PubSub+ Event Broker Cloud. | All | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| 10.12.0.144 | CVSS v3: 8.1 (HIGH) | SOL-135190 | PubSub+ Event Broker Appliance. | All | An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild. | |
| 10.12.0.144 | CVSS v3: 7.8 (HIGH) | SOL-134323 | PubSub+ Event Broker Appliance. | All | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL. | |
| 10.12.0.144 | CVSS v3: 7.8 (HIGH) | SOL-134323 | PubSub+ Event Broker Appliance. | All | In the Linux kernel, the following vulnerability has been resolved: can: bcm: Fix UAF in bcm_proc_show() BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862 CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op is freed before procfs entry be removed in bcm_release(), this lead to bcm_proc_show() may read the freed bcm_op. | |
| 10.12.0.144 | CVSS v3: 7.8 (HIGH) | SOL-134321 | PubSub+ Event Broker Container. PubSub+ Event Broker Cloud. PubSub+ Event Broker Appliance. | All | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. | |
| 10.12.0.144 | CVSS v3: 7.8 (HIGH) | SOL-134321 | PubSub+ Event Broker Container. PubSub+ Event Broker Cloud. PubSub+ Event Broker Appliance. | All | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. | |
| 10.12.0.144 | CVSS v3: 7.8 (HIGH) | SOL-134864 | PubSub+ Event Broker Appliance. | All | In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). | |
| 10.12.0.144 | CVSS v3: 7.8 (HIGH) | SOL-134864 SOL-134865 | PubSub+ Event Broker Appliance. PubSub+ Event Broker Container. PubSub+ Event Broker Cloud. | All | numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. | |
| 10.12.0.144 | CVSS v3: 7.8 (HIGH) | SOL-134869 | PubSub+ Event Broker AWS AMI Software Broker. | All | In the Linux kernel, the following vulnerability has been resolved: ext4: fix timer use-after-free on failed mount Syzbot has found an ODEBUG bug in ext4_fill_super The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi). When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handle_error function that ultimately re-arms the timer, leaving the s_err_report timer active before kfree(sbi) is called. Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd. | |
| 10.12.0.144 | CVSS v3: 7.8 (HIGH) | SOL-134869 | PubSub+ Event Broker AWS AMI Software Broker. | All | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free of signing key Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF* Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING. | |
| 10.12.0.144 | CVSS v3: 7.6 (HIGH) | SOL-134864 | PubSub+ Event Broker Appliance. | All | A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user controlled environment variable into an internal buffer using the grub_strcpy() function. During this step, it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment grub is searching for the boot information, which can be used to by-pass secure boot protections. | |
| 10.12.0.144 | CVSS v3: 7.5 (HIGH) | SOL-134869 | PubSub+ Event Broker AWS AMI Software Broker. | All | The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. | |
| 10.12.0.144 | CVSS v3: 7.5 (HIGH) | SOL-135223 | PubSub+ Event Broker Appliance. PubSub+ Event Broker Container. PubSub+ Event Broker Cloud. | All | A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. | |
| 10.12.0.144 | CVSS v3: 7.3 (HIGH) | SOL-132598 | PubSub+ Event Broker Container. PubSub+ Event Broker Cloud. PubSub+ Event Broker Appliance. | All | When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. | |
| 10.12.0.144 | CVSS v3: 5.5 (MEDIUM) | SOL-134323 SOL-134869 | PubSub+ Event Broker Appliance. PubSub+ Event Broker AWS AMI Software Broker. | All | In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report. | |
| 10.12.0.144 | CVSS v3: 5.5 (MEDIUM) | SOL-134323 | PubSub+ Event Broker Appliance. | All | In the Linux kernel, the following vulnerability has been resolved: mm: fix NULL pointer dereference in alloc_pages_bulk_noprof We triggered a NULL pointer dereference for ac.preferred_zoneref->zone in alloc_pages_bulk_noprof() when the task is migrated between cpusets. When cpuset is enabled, in prepare_alloc_pages(), ac->nodemask may be ¤t->mems_allowed. when first_zones_zonelist() is called to find preferred_zoneref, the ac->nodemask may be modified concurrently if the task is migrated between different cpusets. Assuming we have 2 NUMA Node, when traversing Node1 in ac->zonelist, the nodemask is 2, and when traversing Node2 in ac->zonelist, the nodemask is 1. As a result, the ac->preferred_zoneref points to NULL zone. In alloc_pages_bulk_noprof(), for_each_zone_zonelist_nodemask() finds a allowable zone and calls zonelist_node_idx(ac.preferred_zoneref), leading to NULL pointer dereference. __alloc_pages_noprof() fixes this issue by checking NULL pointer in commit ea57485af8f4 ("mm, page_alloc: fix check for NULL preferred_zone") and commit df76cee6bbeb ("mm, page_alloc: remove redundant checks from alloc fastpath"). To fix it, check NULL pointer for preferred_zoneref->zone. | |
| 10.12.0.144 | CVSS v3: 5.5 (MEDIUM) | SOL-135326 | PubSub+ Event Broker Appliance. | All | In the Linux kernel, the following vulnerability has been resolved: md: fix deadlock between mddev_suspend and flush bio Deadlock occurs when mddev is being suspended while some flush bio is in progress. It is a complex issue. T1. the first flush is at the ending stage, it clears 'mddev->flush_bio' and tries to submit data, but is blocked because mddev is suspended by T4. T2. the second flush sets 'mddev->flush_bio', and attempts to queue md_submit_flush_data(), which is already running (T1) and won't execute again if on the same CPU as T1. T3. the third flush inc active_io and tries to flush, but is blocked because 'mddev->flush_bio' is not NULL (set by T2). T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc by T3. T1 T2 T3 T4 (flush 1) (flush 2) (third 3) (suspend) md_submit_flush_data mddev->flush_bio = NULL; . . md_flush_request . mddev->flush_bio = bio . queue submit_flushes . . . . md_handle_request . . active_io + 1 . . md_flush_request . . wait !mddev->flush_bio . . . . mddev_suspend . . wait !active_io . . . submit_flushes . queue_work md_submit_flush_data . //md_submit_flush_data is already running (T1) . md_handle_request wait resume The root issue is non-atomic inc/dec of active_io during flush process. active_io is dec before md_submit_flush_data is queued, and inc soon after md_submit_flush_data() run. md_flush_request active_io + 1 submit_flushes active_io - 1 md_submit_flush_data md_handle_request active_io + 1 make_request active_io - 1 If active_io is dec after md_handle_request() instead of within submit_flushes(), make_request() can be called directly intead of md_handle_request() in md_submit_flush_data(), and active_io will only inc and dec once in the whole flush process. Deadlock will be fixed. Additionally, the only difference between fixing the issue and before is that there is no return error handling of make_request(). But after previous patch cleaned md_write_start(), make_requst() only return error in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape)". Since dm always splits data and flush operation into two separate io, io size of flush submitted by dm always is 0, make_request() will not be called in md_submit_flush_data(). To prevent future modifications from introducing issues, add WARN_ON to ensure make_request() no error is returned in this context. | |
| 10.12.0.144 | CVSS v3: 5 (MEDIUM) | SOL-134869 | PubSub+ Event Broker AWS AMI Software Broker. | All | A vulnerability, which was classified as problematic, was found in GNU Binutils up to 2.43. This affects the function disassemble_bytes of the file binutils/objdump.c. The manipulation of the argument buf leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.44 is able to address this issue. The identifier of the patch is baac6c221e9d69335bf41366a1c7d87d8ab2f893. It is recommended to upgrade the affected component. | |
| 10.12.0.144 | CVSS v3: 4.6 (MEDIUM) | SOL-135344 | PubSub+ Event Broker AWS AMI Software Broker. | All | containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. | |
| 10.12.0.144 | CVSS v3: 4.4 (MEDIUM) | SOL-134869 | PubSub+ Event Broker AWS AMI Software Broker. | All | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in smb2_reconnect_server() The UAF bug is due to smb2_reconnect_server() accessing a session that is already being teared down by another thread that is executing __cifs_put_smb_ses(). This can happen when (a) the client has connection to the server but no session or (b) another thread ends up setting @ses->ses_status again to something different than SES_EXITING. To fix this, we need to make sure to unconditionally set @ses->ses_status to SES_EXITING and prevent any other threads from setting a new status while we're still tearing it down. The following can be reproduced by adding some delay to right after the ipc is freed in __cifs_put_smb_ses() - which will give smb2_reconnect_server() worker a chance to run and then accessing @ses->ipc: kinit ... mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10 [disconnect srv] ls /mnt/1 &>/dev/null sleep 30 kdestroy [reconnect srv] sleep 10 umount /mnt/1 ... CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0 Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8 RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83 RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800 RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000 R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000 FS: 0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x36/0x90 ? exc_general_protection+0x1c1/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? __list_del_entry_valid_or_report+0x33/0xf0 __cifs_put_smb_ses+0x1ae/0x500 [cifs] smb2_reconnect_server+0x4ed/0x710 [cifs] process_one_work+0x205/0x6b0 worker_thread+0x191/0x360 ? __pfx_worker_thread+0x10/0x10 kthread+0xe2/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> | |
| 10.12.0.144 | CVSS v3: 3.4 (LOW) | SOL-132598 | PubSub+ Event Broker Container. PubSub+ Event Broker Cloud. PubSub+ Event Broker Appliance. | All | When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. | |
| 10.12.0.144 | CVSS v3: () | SOL-131910 | PubSub+ Event Broker Appliance. | All | In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix supplicant wait loop OP-TEE supplicant is a user-space daemon and it's possible for it be hung or crashed or killed in the middle of processing an OP-TEE RPC call. It becomes more complicated when there is incorrect shutdown ordering of the supplicant process vs the OP-TEE client application which can eventually lead to system hang-up waiting for the closure of the client application. Allow the client process waiting in kernel for supplicant response to be killed rather than indefinitely waiting in an unkillable state. Also, a normal uninterruptible wait should not have resulted in the hung-task watchdog getting triggered, but the endless loop would. This fixes issues observed during system reboot/shutdown when supplicant got hung for some reason or gets crashed/killed which lead to client getting hung in an unkillable state. It in turn lead to system being in hung up state requiring hard power off/on to recover. | |
| 10.12.0.144 | CVSS v3: () | SOL-132598 | PubSub+ Event Broker Container. PubSub+ Event Broker Cloud. PubSub+ Event Broker Appliance. | All | libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve. | |
| 10.12.0.144 | CVSS v3: () | SOL-133604 | PubSub+ Event Broker Container. PubSub+ Event Broker Cloud. | All | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters. | |
| 10.12.0.144 | CVSS v3: () | SOL-134323 | PubSub+ Event Broker Appliance. | All | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration. | |
| 10.12.0.144 | CVSS v3: () | SOL-134323 | PubSub+ Event Broker Appliance. | All | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |
| 10.12.0.144 | CVSS v3: () | SOL-134869 | PubSub+ Event Broker AWS AMI Software Broker. | All | In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable. | |
| 10.12.0.144 | CVSS v3: () | SOL-135344 | PubSub+ Event Broker AWS AMI Software Broker. | All | Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. |
This product uses the NVD API but is not endorsed or certified by the NVD.
Known Issues in Release 10.12
This section describes known issues in the Solace PubSub+ Event Broker, Release 10.12.
| Reference Number | Description |
|---|---|
| SOL-27189 | The broker may disconnect slow subscribers when its NAB Buffer Load Factor exceeds 85%, before the expected 100% level at which slow subscribers are typically disconnected. |
| SOL-27822 | The rate at which a broker can accept connections may be lower than expected when using LDAP authorization. |
| SOL-48714 | When the message spool disk is full for HA software brokers, message spool defragmentation will fail, as expected, but with the incorrect error message. |
| SOL-108806 | When performing an HA broker upscale, redundancy will not recover if the primary and backup are upscaled back to back immediately with no delay. Workaround: Add a delay of 60 seconds between upscaling the primary and backup broker after step 7 of the upscale procedure (https://docs.solace.com/Software-Broker/Set-Scaling-Params-HA.htm#Step_2__Increase_the_Value_of_the_Scaling_Parameter(s)). |
| SOL-5782 | SolOS will fail to start up if an invalid SSL certificate is configured via config-keys. |
| SOL-4182 | The PubSub+ Software Event Broker needs larger TCP rmem/wmem settings to support multi-node routing neighbors across high RTT WAN links.
Original bug: Bug 63008 |
| SOL-42779 | The PubSub+ Software Event Broker erroneously allows more user-created message-VPNs than are officially supported within the broker. This applies to all editions (Enterprise, Standard, and Evaluation). In a future release, this limit will be strictly enforced. |
| SOL-46501 | If the backup appliance in an active-active HA configuration is restarted while the message spool is disabled, re-enabling the message-spool will fail if one or more replay logs exist in the setup. This issue applies to Solace PubSub+ appliances only.
Workaround: Set the active-standby redundancy role of the backup appliance to 'backup' prior to the restart. After the restart, set the active-standby role back to 'none'. |
| SOL-88602 | WebUI login passwords can only accept the printable ASCII character set. Extended characters like auoAUOss do not work. |