CVE-2021-34434 details.

ChangeLog.txt

@@ -14,7 +14,7 @@ Security:
   remotely accessible listener to be opened that was not confined to the local
   machine but did have anonymous access enabled, contrary to the
   documentation. This has been fixed. Closes #2283.
-- If a plugin had granted ACL subscription access to a
+- CVE-2021-34434: If a plugin had granted ACL subscription access to a
   durable/non-clean-session client, then removed that access, the client would
   keep its existing subscription. This has been fixed.
 - Incoming QoS 2 messages that had not completed the QoS flow were not being

www/pages/security.md

@@ -19,6 +19,8 @@ follow the steps on [Eclipse Security] page to report it.
 Listed with most recent first. Further information on security related issues
 can be found in the [security category].
 
+* August 2021: [CVE-2021-34434] Affecting versions **2.0.0** to **2.0.11**
+  inclusive, fixed in **2.0.12**.
 * April 2021: [CVE-2021-28166] Affecting versions **2.0.0** to **2.0.9**
   inclusive, fixed in **2.0.10**.
 * December 2020: Running mosquitto_passwd with the following arguments only
@@ -69,6 +71,7 @@ can be found in the [security category].
 [Eclipse Security]: https://www.eclipse.org/security/
 [security category]: /blog/categories/security/
 
+[CVE-2021-34434]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434
 [CVE-2021-28166]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166
 [CVE-2019-11779]: https://nvd.nist.gov/vuln/detail/CVE-2019-11779
 [CVE-2019-11778]: https://nvd.nist.gov/vuln/detail/CVE-2019-11778