Change log for mosquitto package in Ubuntu

Published in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
mosquitto (2.0.18-1build3) noble; urgency=medium

  * No-change rebuild against libssl3t64.

 -- Colin Watson <email address hidden>  Mon, 15 Apr 2024 19:26:23 +0100

Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
mosquitto (2.0.18-1build2) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 02:36:24 +0000

Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
mosquitto (2.0.18-1build1) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <email address hidden>  Mon, 04 Mar 2024 20:02:11 +0000
Published in lunar-updates
Published in lunar-security
mosquitto (2.0.11-1.2ubuntu0.1) lunar-security; urgency=medium

  * SECURITY UPDATE: Authorization bypass
    - debian/patches/CVE-2021-34434.patch: Fix $share subscriptions not
      being recovered for durable clients
    - CVE-2021-34434
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2023-0809.patch: Fix excessive memory usage.
    - debian/patches/CVE-2023-3592.patch: Fix memory leak when clients
      send v5 CONNECT packets.
    - debian/patches/CVE-2023-28366-1.patch: Fix memory leak in broker
    - debian/patches/CVE-2023-28366-2.patch: Fix regression
    - CVE-2023-0809
    - CVE-2023-3592
    - CVE-2023-28366

 -- Giampaolo Fresi Roglia <email address hidden>  Sun, 19 Nov 2023 20:22:15 +0100
Published in jammy-updates
Published in jammy-security
mosquitto (2.0.11-1ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Authorization bypass
    - debian/patches/CVE-2021-34434.patch: Fix $share subscriptions not
      being recovered for durable clients
    - CVE-2021-34434
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2021-41039.patch: Fix CONNECT performance
    - debian/patches/CVE-2023-0809.patch: Fix excessive memory usage.
    - debian/patches/CVE-2023-3592.patch: Fix memory leak when clients
      send v5 CONNECT packets.
    - debian/patches/CVE-2023-28366-1.patch: Fix memory leak in broker
    - debian/patches/CVE-2023-28366-2.patch: Fix regression
    - CVE-2021-41039
    - CVE-2023-0809
    - CVE-2023-3592
    - CVE-2023-28366

 -- Giampaolo Fresi Roglia <email address hidden>  Sun, 19 Nov 2023 19:09:47 +0100
Deleted in noble-updates (Reason: superseded by release)
Superseded in noble-release
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
mosquitto (2.0.18-1) unstable; urgency=medium

  * New upstream release
  * debian/patches: Refresh patches

 -- Philippe Coval <email address hidden>  Mon, 25 Sep 2023 15:41:05 +0200

Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
mosquitto (2.0.17-3) unstable; urgency=medium

  * Also support protocol 5.0
  * cherry-pick 3 upstream crash fixes part of 2.0.18
    - debian/patches/f09ea91e11f243abdad343da9eedb614d53ac5a1.patch:
    - debian/patches/66c62767354f986cad928779027eb7d5182c77c8.patch:
    - debian/patches/7ae22c356be5c567503357917fca818c4d076c5a.patch:

 -- Gianfranco Costamagna <email address hidden>  Wed, 13 Sep 2023 19:17:46 +0200

Superseded in mantic-proposed
mosquitto (2.0.17-1) unstable; urgency=medium

  [ Philippe Coval ]
  * New upstream release
    - Fix for CVE-2023-28366, CVE-2023-0809, CVE-2023-3592
  * debian/patches: Remove debian-config.patch
  * debian/patches/missing-test.patch: Drop failed tests
  * debian/mosquitto.lintian-overrides: Refresh lintian report
  * debian/tests/control: Add python3-psutil for broker

  [ Joachim Zobel ]
  * applied patch for #993048 from Ethan Trevor <email address hidden>
    (Closes: #993048)
  * Fixed shared linkage of libwebsockets

  [ Gianfranco Costamagna ]
  * Comment out pid_file as per #993048
  * Refresh patches
  * Fix watch file

 -- Gianfranco Costamagna <email address hidden>  Wed, 13 Sep 2023 10:00:46 +0200

Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
mosquitto (2.0.15-2) unstable; urgency=medium

  [ Philippe Coval ]
  * debian/tests/control: Fix tests
  * debian/patches: Refresh missing-test.patch bypass 06 test

  [ Gianfranco Costamagna ]
  * Add manpages to clean target, they are autogenerated

 -- Gianfranco Costamagna <email address hidden>  Fri, 21 Jul 2023 11:17:58 +0200
Superseded in mantic-proposed
mosquitto (2.0.15-2~build1) mantic; urgency=medium

  [ Philippe Coval ]
  * debian/tests/control: Fix tests
  * debian/patches: Refresh missing-test.patch bypass 06 test

  [ Gianfranco Costamagna ]
  * Add manpages to clean target, they are autogenerated

 -- Gianfranco Costamagna <email address hidden>  Fri, 21 Jul 2023 11:17:58 +0200

Superseded in mantic-proposed
mosquitto (2.0.15-1ubuntu2) mantic; urgency=medium

  * Tweak patch with debian approach

 -- Gianfranco Costamagna <email address hidden>  Thu, 20 Jul 2023 23:51:13 +0200
Superseded in mantic-proposed
mosquitto (2.0.15-1ubuntu1) mantic; urgency=medium

  * Runtime depend on libssl-dev for library, needed to build (and fix autopkgtests)
  * Disable again failing autopkgtests and refresh patches

 -- Gianfranco Costamagna <email address hidden>  Thu, 20 Jul 2023 17:01:50 +0200
Superseded in mantic-proposed
mosquitto (2.0.15-1~build1) mantic; urgency=medium

  [ Philippe Coval ]
  * New upstream release (Closes: #993400)
  * debian/patches: Drop Fix-CONNECT...patch
  * debian/patches: Drop ssl-sslcontext-wrap_socket.patch
  * debian/patches: Refresh 1571.patch
  * debian/patches: Refresh deb-test.patch
  * debian/control: Transfer maintenance to team
  * debian/gbp.conf: Build on tag
  * debian/watch: Fix Lintian by scanning from git
  * debian/control: Bump standards
  * debian/control: Add Rules-Requires-Root Field
  * debian/mosquitto.lintian-overrides: Ignore lws spelling
  * debian/mosquitto.lintian-overrides: Ignore upstream spelling
  * debian/control: Fix lintian d-on-obsolete-package : lsb to sysV
  * d/mosquitto.lintian-overrides: Hide h-in-library-directory-missing-soname
  * d/libmosquittopp1.lintian-overrides: Silent library-not-linked-against-libc
  * debian/control: Add missing Pre-depends for systemd
  * debian/rules: Add hardening flags
  * debian/mosquitto.lintian-overrides: Relocate groff-message warning
  * debian/libmosquitto*.symbols: Fix Lintian symbols-file-m-b-d-p-field
  * debian/rules: Fix lintian debug-symbol-migration-possibly-complete
  * debian/mosquitto.triggers: Remove ldconfig step
  * debian/control: Fix cme lint libssl-dev dep
  * debian/control: Fix cme lint Multi-Arch

  [ наб ]
  * debian/mosquitto.postrm: Purge user (Closes: #1032200)

  [ Gianfranco Costamagna ]
  * upload to sid

 -- Gianfranco Costamagna <email address hidden>  Thu, 20 Jul 2023 12:10:52 +0200
Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
mosquitto (2.0.11-1.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix CONNECT performance with many user-properties (CVE-2021-41039)
    (Closes: #1001028)
  * debian/tests/broker: Make all test python scripts executable

 -- Salvatore Bonaccorso <email address hidden>  Thu, 29 Dec 2022 13:38:30 +0100
Superseded in lunar-release
Obsolete in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
mosquitto (2.0.11-1.1build1) kinetic; urgency=medium

  * No-change rebuild against libwebsockets17

 -- Steve Langasek <email address hidden>  Sat, 20 Aug 2022 18:03:52 +0000
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
mosquitto (2.0.11-1.1) unstable; urgency=medium

  * Non-maintainer upload

  [ Olivier Gayot ]
  * Fix autopkgtest failure when running against Python 3.10 (Closes:
    #1009096) (LP: #1960214)

 -- Sebastian Ramacher <email address hidden>  Sat, 16 Apr 2022 17:17:54 +0200
Superseded in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
mosquitto (2.0.11-1ubuntu1) jammy; urgency=medium

  * Fix autopkgtest failure when running against Python 3.10 (LP: #1960214)

 -- Olivier Gayot <email address hidden>  Mon, 07 Feb 2022 11:08:48 +0100
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
mosquitto (2.0.11-1build1) jammy; urgency=medium

  * No-change rebuild against openssl3

 -- Simon Chopin <email address hidden>  Fri, 03 Dec 2021 12:15:16 +0100
Superseded in jammy-release
Obsolete in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
mosquitto (2.0.11-1) unstable; urgency=medium

  * SECURITY UPDATE: In Eclipse Mosquitto 1.6 to 2.0.10, if an authenticated
    client that had connected with MQTT v5 sent a crafted CONNECT message to
    the broker, a memory leak would occur.
  * New upstream release.
  * Removed systemd-run.patch, applied upstream.
  * Removed signed-unsigned.patch, applied upstream.
  * missing-test.patch: Fix missing upstream test.
  * Update copyright years and paths

 -- Roger A. Light <email address hidden>  Wed, 09 Jun 2021 13:54:36 +0100

Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
mosquitto (2.0.10-6) unstable; urgency=medium

  * Don't chown /run/mosquitto in mosquitto.postinst, this is done in the
    systemd unit file at run time. (closes: #983429).
  * systemd-run.patch: use /run/mosquitto instead of /var/run/mosquitto in
    systemd unit file.

 -- Roger A. Light <email address hidden>  Mon, 26 Apr 2021 22:07:57 +0100

Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
Deleted in impish-release (Reason: Moved to impish-proposed)
Deleted in impish-proposed (Reason: Moved to impish)
Deleted in hirsute-proposed (Reason: moved to impish-proposed)
mosquitto (2.0.10-4) unstable; urgency=medium

  * Fix autopkgtest test build dependencies.

 -- Roger A. Light <email address hidden>  Wed, 21 Apr 2021 12:10:45 +0100

Superseded in impish-release
Superseded in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
mosquitto (2.0.10-3) unstable; urgency=medium

  * signed-unsigned.patch: Fix signed/unsigned conversion warnings.

 -- Roger A. Light <email address hidden>  Mon, 19 Apr 2021 09:41:00 +0100
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
mosquitto (2.0.10-2~build1) hirsute; urgency=medium

  * Upload to hirsute

 -- Gianfranco Costamagna <email address hidden>  Mon, 19 Apr 2021 09:42:12 +0200
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
mosquitto (2.0.10-1) unstable; urgency=high

  * SECURITY UPDATE: In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an
    authenticated client that had connected with MQTT v5 sent a crafted
    CONNACK message to the broker, a NULL pointer dereference would occur.
    (Closes: #986701)
    - CVE-2021-28166
  * New upstream release.

 -- Roger A. Light <email address hidden>  Sat, 10 Apr 2021 00:41:35 +0100
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
mosquitto (2.0.10-1~build1) hirsute; urgency=medium

  * Upload to hirsute

 -- Gianfranco Costamagna <email address hidden>  Sat, 17 Apr 2021 18:09:00 +0200
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
mosquitto (2.0.9-1) unstable; urgency=medium

  * New upstream release.

 -- Roger A. Light <email address hidden>  Thu, 11 Mar 2021 22:53:34 +0000

Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
mosquitto (2.0.8-1) unstable; urgency=medium

  * New upstream release.

 -- Roger A. Light <email address hidden>  Thu, 25 Feb 2021 18:56:57 +0000
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
mosquitto (2.0.7-3build1) hirsute; urgency=medium

  * No change rebuild with fixed ownership.

 -- Dimitri John Ledkov <email address hidden>  Tue, 16 Feb 2021 15:18:01 +0000
Superseded in hirsute-proposed
mosquitto (2.0.7-3) unstable; urgency=medium

  * Change all paths `/var/run` to `/run` to avoid installing through a
    symlink.

 -- Roger A. Light <email address hidden>  Tue, 09 Feb 2021 09:31:09 +0000

Superseded in hirsute-proposed
mosquitto (2.0.7-2) unstable; urgency=medium

  * Add new xsltproc and docbook-xsl dependencies needed to build manpages.

 -- Gianfranco Costamagna <email address hidden>  Mon, 08 Feb 2021 21:55:11 +0100
Superseded in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
mosquitto (1.6.12-1) unstable; urgency=medium

  * New upstream release.

 -- Roger A. Light <email address hidden>  Wed, 19 Aug 2020 15:24:26 +0100

Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
mosquitto (1.6.9-1build1) groovy; urgency=high

  * No change rebuild against libwebsockets16

 -- Balint Reczey <email address hidden>  Thu, 18 Jun 2020 12:36:51 +0200
Superseded in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
mosquitto (1.6.9-1) unstable; urgency=medium

  * New upstream release.
  * Revert change enabling SRV functionality, it is disabled by default
    upstream and of little benefit to any end user, but adds reasonable
    complexity to the code.
  * Remove patches 1568, 1569, 1570 - applied upstream.

 -- Roger A. Light <email address hidden>  Tue, 03 Mar 2020 15:16:15 +0000
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
mosquitto (1.6.9-1~build1) focal; urgency=medium

  * Upload to focal

 -- Gianfranco Costamagna <email address hidden>  Sun, 08 Mar 2020 08:52:23 +0100
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
mosquitto (1.6.8-2) unstable; urgency=medium

  * Also install mqtt_protocol.h in libmosquitto-dev package.
    (Closes: #951116)

 -- Gianfranco Costamagna <email address hidden>  Sat, 15 Feb 2020 19:51:49 +0100

Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
mosquitto (1.6.8-1) unstable; urgency=medium

  * Upload to unstable

 -- Gianfranco Costamagna <email address hidden>  Sat, 08 Feb 2020 09:35:50 +0100

Superseded in focal-proposed
mosquitto (1.6.8-1~exp3) experimental; urgency=medium

  * Tweak patch 1570 to fix a build failure with non-libc libraries

 -- Gianfranco Costamagna <email address hidden>  Sat, 25 Jan 2020 10:47:39 +0100
Superseded in focal-proposed
mosquitto (1.6.8-1~exp2~build1) focal; urgency=medium

  * Upload to Ubuntu focal

 -- Gianfranco Costamagna <email address hidden>  Sat, 08 Feb 2020 12:28:57 +0100
Superseded in focal-proposed
mosquitto (1.6.8-1~exp1) experimental; urgency=medium

  * New upstream version 1.6.8 (Closes: #949585)
  * Also install examples into etc directory
  * Install missing mosquitto_broker.h header file
  * Add mosquitto_rr to tools
  * Install manpages into debian/*.manpages files
  * Fix installation of libraries in case soname is added to the so file
  * Bump std-version to 4.4.1, no changes required
  * Require uthash at least 2.1.0, previously the embedded version was used during build process
  * Bump compat level to 12
  * Switch build system to cmake
  * Do not override dh_auto_test anymore

 -- Gianfranco Costamagna <email address hidden>  Wed, 22 Jan 2020 12:23:22 +0100

Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
mosquitto (1.6.7-1) unstable; urgency=medium

  * New upstream release.

 -- Roger A. Light <email address hidden>  Wed, 25 Sep 2019 13:31:51 +0100

Obsolete in disco-updates
Obsolete in disco-security
mosquitto (1.5.7-1ubuntu0.1) disco-security; urgency=high

  * SECURITY UPDATE: If a malicious MQTT client sends a SUBSCRIBE packet
    containing a topic that consists of approximately 65400 or more '/'
    characters, i.e. the topic hierarchy separator, then a stack overflow will
    occur. LP: #1844377.
    - debian/patches/mosquitto-1.5.x-cve-2019-11779.patch: this patch restricts
      the hierarchy depth to 200.
    - CVE-2019-11779

 -- <email address hidden> (Roger A. Light)  Wed, 18 Sep 2019 15:11:59 +0000
Superseded in focal-release
Obsolete in eoan-release
Deleted in eoan-proposed (Reason: moved to Release)
mosquitto (1.6.6-1) unstable; urgency=high

  * SECURITY UPDATE: If an MQTT v5 client connects to Mosquitto, sets a last
    will and testament, sets a will delay interval, sets a session expiry
    interval, and the will delay interval is set longer than the session
    expiry interval, then a use after free error occurs, which has the
    potential to cause a crash in some situations.
    - CVE awaiting assignment
  * SECURITY UPDATE: If a malicious MQTT client sends a SUBSCRIBE packet
    containing a topic that consists of approximately 65400 or more '/'
    characters, i.e. the topic hierarchy separator, then a stack overflow will
    occur.
    - CVE awaiting assignment
  * New upstream release.
  * Remove bug-1367.patch.
  * Don't use killall in mosquitto.logrotate. Closes: #940229.

 -- Roger A. Light <email address hidden>  Tue, 17 Sep 2019 18:41:36 +0100

Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
mosquitto (1.6.4-1) unstable; urgency=medium

  * New upstream release.
  * Bump standards version to 4.4.0, no changes needed.
  * bug-1367.patch: fix bug with v5 DISCONNECT packets with remaining_length =
    2 being treated as a protocol error. Fixed upstream for 1.6.5 or 1.7.
  * Added override_dh_makeshlibs for catching symbol errors.
  * Add --retry to init file as per
    https://github.com/eclipse/mosquitto/issues/1117

 -- Roger A. Light <email address hidden>  Thu, 01 Aug 2019 22:51:08 +0100

Published in xenial-updates
Published in xenial-security
mosquitto (1.4.8-1ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS (client disconnect) via invalid UTF-8 strings
    - debian/patches/add-validate-utf8.patch: Add validate UTF-8
    - debian/patches/CVE-2017-7653.patch: Add UTF-8 tests, plus some validation
      fixes
    - CVE-2017-7653
  * SECURITY UPDATE: Memory leak in the Mosquitto Broker allows unauthenticated
    clients to send crafted CONNECT packets which could cause DoS
    - debian/patches/CVE-2017-7654.patch: Fix memory leak that could be caused
      by a malicious CONNECT packet
    - CVE-2017-7654

 -- Eduardo Barretto <email address hidden>  Tue, 18 Jun 2019 11:59:34 -0300
Published in bionic-updates
Published in bionic-security
mosquitto (1.4.15-2ubuntu0.18.04.3) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS (client disconnect) via invalid UTF-8 strings
    - debian/patches/add-validate-utf8.patch: Add validate UTF-8
    - debian/patches/CVE-2017-7653.patch: Add UTF-8 tests, plus some validation
      fixes
    - CVE-2017-7653
  * SECURITY UPDATE: Memory leak in the Mosquitto Broker allows unauthenticated
    clients to send crafted CONNECT packets which could cause DoS
    - debian/patches/CVE-2017-7654.patch: Fix memory leak that could be caused
      by a malicious CONNECT packet
    - CVE-2017-7654

 -- Eduardo Barretto <email address hidden>  Tue, 18 Jun 2019 11:42:22 -0300
Obsolete in cosmic-updates
Obsolete in cosmic-security
mosquitto (1.4.15-2ubuntu0.18.10.3) cosmic-security; urgency=medium

  * SECURITY UPDATE: DoS (client disconnect) via invalid UTF-8 strings
    - debian/patches/add-validate-utf8.patch: Add validate UTF-8
    - debian/patches/CVE-2017-7653.patch: Add UTF-8 tests, plus some validation
      fixes
    - CVE-2017-7653
  * SECURITY UPDATE: Memory leak in the Mosquitto Broker allows unauthenticated
    clients to send crafted CONNECT packets which could cause DoS
    - debian/patches/CVE-2017-7654.patch: Fix memory leak that could be caused
      by a malicious CONNECT packet
    - CVE-2017-7654

 -- Eduardo Barretto <email address hidden>  Wed, 19 Jun 2019 12:01:14 -0300
Superseded in eoan-release
Obsolete in disco-release
Deleted in disco-proposed (Reason: moved to release)
mosquitto (1.5.7-1) unstable; urgency=medium

  * New upstream release.
  * Remove fix-step3.patch, fixed upstream.
  * bug-1162.patch: fix bug with clients being disconnected in some situations
    when ACLs are in use.

 -- Roger A. Light <email address hidden>  Mon, 18 Feb 2019 09:28:40 +0000

Superseded in cosmic-updates
Superseded in cosmic-security
mosquitto (1.4.15-2ubuntu0.18.10.2) cosmic-security; urgency=medium

  * Fix regression in update for CVE-2018-12546.

 -- <email address hidden> (Roger A. Light)  Wed, 13 Feb 2019 00:27:01 +0000
Superseded in bionic-updates
Superseded in bionic-security
mosquitto (1.4.15-2ubuntu0.18.04.2) bionic-security; urgency=medium

  * Fix regression in update for CVE-2018-12546.

 -- <email address hidden> (Roger A. Light)  Wed, 13 Feb 2019 00:27:01 +0000
Superseded in xenial-updates
Superseded in xenial-security
mosquitto (1.4.8-1ubuntu0.16.04.6) xenial-security; urgency=medium

  * Fix regression in update for CVE-2018-12546.

 -- <email address hidden> (Roger A. Light)  Wed, 13 Feb 2019 00:27:01 +0000
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
mosquitto (1.5.6-1) unstable; urgency=medium
  
  * SECURITY UPDATE: If Mosquitto is configured to use a password file for
    authentication, any malformed data in the password file will be treated as
    valid. This typically means that the malformed data becomes a username and
    no password. If this occurs, clients can circumvent authentication and get
    access to the broker by using the malformed username. In particular, a blank
    line will be treated as a valid empty username. Other security measures are
    unaffected. Users who have only used the mosquitto_passwd utility to create
    and modify their password files are unaffected by this vulnerability.
    - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
      more stringent parsing tests on the password file data.
    - CVE-2018-12551
  * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
    comments, then mosquitto treats the ACL file as not being defined, which
    means that no topic access is denied. Although denying access to all
    topics is not a useful configuration, this behaviour is unexpected and
    could lead to access being incorrectly granted in some circumstances.
    - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
      that if an ACL file is defined but no rules are defined, then access will
      be denied.
    - CVE-2018-12550
  * SECURITY UPDATE: If a client publishes a retained message to a topic that
    they have access to, and then their access to that topic is revoked, the
    retained message will still be delivered to future subscribers. This
    behaviour may be undesirable in some applications, so a configuration
    option `check_retain_source` has been introduced to enforce checking of
    the retained message source on publish.
    - debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
      the originator of the retained message, so security checking can be
      carried out before re-publishing. The complexity of the patch is due to
      the need to save this information across broker restarts.
    - CVE-2018-12546
  * New upstream release.
  * Bump standards version to 4.3.0, no changes needed.
  * fix-step3.patch: fix compilation error.

 -- Roger A. Light <email address hidden>  Thu, 07 Feb 2019 16:00:52 +0000

Superseded in cosmic-updates
Superseded in cosmic-security
mosquitto (1.4.15-2ubuntu0.18.10.1) cosmic-security; urgency=medium

  * SECURITY UPDATE: If Mosquitto is configured to use a password file for
    authentication, any malformed data in the password file will be treated as
    valid. This typically means that the malformed data becomes a username and
    no password. If this occurs, clients can circumvent authentication and get
    access to the broker by using the malformed username. In particular, a blank
    line will be treated as a valid empty username. Other security measures are
    unaffected. Users who have only used the mosquitto_passwd utility to create
    and modify their password files are unaffected by this vulnerability.
    - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
      more stringent parsing tests on the password file data.
    - CVE-2018-12551
  * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
    comments, then mosquitto treats the ACL file as not being defined, which
    means that no topic access is denied. Although denying access to all
    topics is not a useful configuration, this behaviour is unexpected and
    could lead to access being incorrectly granted in some circumstances.
    - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
      that if an ACL file is defined but no rules are defined, then access will
      be denied.
    - CVE-2018-12550
  * SECURITY UPDATE: If a client publishes a retained message to a topic that
    they have access to, and then their access to that topic is revoked, the
    retained message will still be delivered to future subscribers. This
    behaviour may be undesirable in some applications, so a configuration
    option `check_retain_source` has been introduced to enforce checking of
    the retained message source on publish.
    - debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
      the originator of the retained message, so security checking can be
      carried out before re-publishing. The complexity of the patch is due to
      the need to save this information across broker restarts.
    - CVE-2018-12546

 -- <email address hidden> (Roger A. Light)  Wed, 06 Feb 2019 17:03:31 +0000
Superseded in bionic-updates
Superseded in bionic-security
mosquitto (1.4.15-2ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: If Mosquitto is configured to use a password file for
    authentication, any malformed data in the password file will be treated as
    valid. This typically means that the malformed data becomes a username and
    no password. If this occurs, clients can circumvent authentication and get
    access to the broker by using the malformed username. In particular, a blank
    line will be treated as a valid empty username. Other security measures are
    unaffected. Users who have only used the mosquitto_passwd utility to create
    and modify their password files are unaffected by this vulnerability.
    - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
      more stringent parsing tests on the password file data.
    - CVE-2018-12551
  * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
    comments, then mosquitto treats the ACL file as not being defined, which
    means that no topic access is denied. Although denying access to all
    topics is not a useful configuration, this behaviour is unexpected and
    could lead to access being incorrectly granted in some circumstances.
    - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
      that if an ACL file is defined but no rules are defined, then access will
      be denied.
    - CVE-2018-12550
  * SECURITY UPDATE: If a client publishes a retained message to a topic that
    they have access to, and then their access to that topic is revoked, the
    retained message will still be delivered to future subscribers. This
    behaviour may be undesirable in some applications, so a configuration
    option `check_retain_source` has been introduced to enforce checking of
    the retained message source on publish.
    - debian/patches/mosquitto-1.4.15-cve-2018-12546.patch: this patch stores
      the originator of the retained message, so security checking can be
      carried out before re-publishing. The complexity of the patch is due to
      the need to save this information across broker restarts.
    - CVE-2018-12546

 -- <email address hidden> (Roger A. Light)  Wed, 06 Feb 2019 17:03:31 +0000
Superseded in xenial-updates
Superseded in xenial-security
mosquitto (1.4.8-1ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: If Mosquitto is configured to use a password file for
    authentication, any malformed data in the password file will be treated as
    valid. This typically means that the malformed data becomes a username and
    no password. If this occurs, clients can circumvent authentication and get
    access to the broker by using the malformed username. In particular, a blank
    line will be treated as a valid empty username. Other security measures are
    unaffected. Users who have only used the mosquitto_passwd utility to create
    and modify their password files are unaffected by this vulnerability.
    - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
      more stringent parsing tests on the password file data.
    - CVE-2018-12551
  * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
    comments, then mosquitto treats the ACL file as not being defined, which
    means that no topic access is denied. Although denying access to all
    topics is not a useful configuration, this behaviour is unexpected and
    could lead to access being incorrectly granted in some circumstances.
    - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
      that if an ACL file is defined but no rules are defined, then access will
      be denied.
    - CVE-2018-12550
  * SECURITY UPDATE: If a client publishes a retained message to a topic that
    they have access to, and then their access to that topic is revoked, the
    retained message will still be delivered to future subscribers. This
    behaviour may be undesirable in some applications, so a configuration
    option `check_retain_source` has been introduced to enforce checking of
    the retained message source on publish.
    - debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
      the originator of the retained message, so security checking can be
      carried out before re-publishing. The complexity of the patch is due to
      the need to save this information across broker restarts.
    - CVE-2018-12546

 -- <email address hidden> (Roger A. Light)  Wed, 06 Feb 2019 17:03:31 +0000
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
mosquitto (1.5.5-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Only chown mosquitto.log if it exists. (Closes: #916558)

 -- Andreas Henriksson <email address hidden>  Sat, 22 Dec 2018 16:54:06 +0100

Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
mosquitto (1.5.5-1) unstable; urgency=medium

  * SECURITY UPDATE: If the option `per_listener_settings` was set to true,
    and the default listener was in use, and the default listener specified an
    `acl_file`, then the acl file was being ignored. This affects version 1.5
    to 1.5.4 inclusive.
  * New upstream release.

 -- Roger A. Light <email address hidden>  Tue, 11 Dec 2018 16:37:32 +0000

Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
mosquitto (1.5.4-1) unstable; urgency=medium

  * New upstream release (Closes: #911104).
    - Fixes CVE-2017-7654 (Closes: #911265)
    - Fixes CVE-2017-7653 (Closes: #911266)
  * Remove no longer needed patches. Some are integrated into upstream, others
    have been replaced with changes in rules.
    - async_dns.patch
    - build-timestamp.patch
    - disable-in-tree-uthash.patch
    - enable-libwrap.patch
    - enable-websockets.patch
    - fix-prefix.patch
    - hurd-errno.patch
    - libdir.patch
    - nostrip.patch
  * Copyright fix - src/uthash.h -> src/deps/uthash.h
  * Update symbols files with new additions.
  * Remove debian/mosquitto.prerm
    - Calls to invoke-rc.d to stop mosquitto will be inserted automagically by
      debhelper.
  * Stop removing the mosquitto user in postrm.
    - This is not safe since there might still be logs (and other files?)
      around owned by the uid, so we don't want it reused for a new user.
  * Add build dependency on libsystemd-dev.
  * Enable systemd build support.
  * Ship the mosquitto.service file (with sd-notify support)
  * Drop -dbg packages and do -dbgsym migration.
  * libmosquitto{,pp}-dev: ship libmosquitto{,pp}.pc respectively.
  * Remove unused build dependency on python-all. (Closes: #901424).
  * Bump standards version to 4.2.1, no changes needed.
  * Bumped dh compat level to 11.
  * Add upstream/metadata.

 -- Roger A. Light <email address hidden>  Thu, 08 Nov 2018 13:34:59 +0000

Superseded in xenial-updates
Superseded in xenial-security
mosquitto (1.4.8-1ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: in case all sockets/file descriptors are exhausted,
    then opening the configuration file will fail.
    - debian/patches/mosquitto-1.4.x_cve-2017-7652.patch: this is a fix
      to avoid default config values after reloading configuration by
      SIGHUP signal.
    - CVE-2017-7652

 -- Eduardo Barretto <email address hidden>  Wed, 05 Sep 2018 15:51:27 -0300
Published in trusty-updates
Published in trusty-security
mosquitto (0.15-2+deb7u3ubuntu0.1) trusty-security; urgency=medium

  * Merge from Debian. Remaining changes:
    - Install apparmor profile.
    - Replace init script with upstart script.

 -- Eduardo Barretto <email address hidden>  Tue, 04 Sep 2018 16:54:44 -0300
Superseded in disco-release
Obsolete in cosmic-release
Published in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
mosquitto (1.4.15-2) unstable; urgency=low

  * Replace mentions of 'c_rehash' with 'openssl rehash'. (Closes: #895084).

 -- Roger A. Light <email address hidden>  Sat, 07 Apr 2018 11:16:43 +0100

Superseded in xenial-updates
Superseded in xenial-security
mosquitto (1.4.8-1ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: upstream patch for CVE-2017-7651 (LP: #1752591)

 -- Emmet Hikory <email address hidden>  Thu, 01 Mar 2018 09:34:49 -0500
Obsolete in artful-updates
Obsolete in artful-security
mosquitto (1.4.12-1ubuntu0.1) artful-security; urgency=medium

  * Add upstream patch for CVE-2017-7651 (LP: #1752591)

 -- Emmet Hikory <email address hidden>  Thu, 01 Mar 2018 09:24:46 -0500
Superseded in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
mosquitto (1.4.15-1) unstable; urgency=high

  * SECURITY UPDATE: If a SIGHUP is sent to the broker when there are no more
    file descriptors, then opening the configuration file will fail and
    security settings will be set back to their default values.
    - debian/patches/mosquitto-1.4.10_cve-2017-7652.patch: When reloading
      configuration, do this into a separate config struct. If nothing fails,
      then copy the new config over the old config.
    - CVE-2017-7652
  * SECURITY UPDATE: Unauthenticated clients can cause excessive memory usage.
    This has the potential to lead to an OOM situation and the broker being
    killed by the system.
    - debian/patches/mosquitto-1.4.10_cve-2017-7652.patch: Limit the maximum
      size of CONNECT packet to a reasonable value, and add "memory_limit"
      option to set the maximum memory the broker will use.
    - CVE-2017-7651
  * New upstream release.
  * Remove upstart support, which had accidentally been reinstated in 1.4.14-2.
  * Bumped standards version to 4.1.3, no changes required.
  * Fix global-files-wildcard-not-first-paragraph-in-dep5-copyright.

 -- Roger A. Light <email address hidden>  Wed, 28 Feb 2018 11:29:47 +0000
Superseded in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
mosquitto (1.4.14-2build1) bionic; urgency=high

  * No change rebuild against openssl1.1.

 -- Dimitri John Ledkov <email address hidden>  Mon, 05 Feb 2018 23:23:03 +0000
Superseded in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
mosquitto (1.4.14-2) unstable; urgency=low

  * Fix lintian error "build-depends-on-obsolete-package"
  * Fix lintian warning "extended-description-line-too-long"
  * The 1.4.14 release relaxes the restrictions on client ids, which means
    that the mosquitto_pub/sub autogenerated ids are no longer a problem.
    (closes #870165).

 -- Roger A. Light <email address hidden>  Tue, 26 Dec 2017 22:03:57 +0000

Superseded in bionic-release
Deleted in bionic-proposed (Reason: moved to release)
mosquitto (1.4.14-1) unstable; urgency=medium

  * SECURITY UPDATE: Persistence file is world readable, which may expose
    sensitive data. Fixed by upstream release 1.4.13.
    - CVE-2017-9868
  * New upstream release.
  * Remove upstart support.
  * Bumped standards version to 4.1.2.
    - Removed invoke-rc.d conditionals.
    - Changed "extra" priorities to "optional".
  * Build-Depends: Add dh-systemd, bump libwebsockets to >=2.0.
  * no-man-clean.patch - don't clean man pages from source directory.
  * async_dns.patch - enable bridge async DNS lookups.

 -- Roger A. Light <email address hidden>  Fri, 22 Dec 2017 07:14:19 +0000

Superseded in trusty-updates
Superseded in trusty-security
mosquitto (0.15-2ubuntu1.2) trusty-security; urgency=low

  * SECURITY UPDATE: Persistence file is world readable, which may expose
    sensitive data (LP: #1700490).
    - debian/patches/mosquitto-1.3.4_cve-2017-9868.patch: Set umask to
      restrict persistence file read access to owner.
    - CVE-2017-9868

 -- <email address hidden> (Roger A. Light)  Mon, 26 Jun 2017 09:31:02 +0100
Superseded in xenial-updates
Superseded in xenial-security
mosquitto (1.4.8-1ubuntu0.16.04.2) xenial-security; urgency=low

  * SECURITY UPDATE: Persistence file is world readable, which may expose
    sensitive data (LP: #1700490).
    - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to
      restrict persistence file read access to owner.
    - CVE-2017-9868

 -- <email address hidden> (Roger A. Light)  Mon, 26 Jun 2017 09:31:02 +0100
Obsolete in zesty-updates
Obsolete in zesty-security
mosquitto (1.4.10-2ubuntu0.2) zesty-security; urgency=low

  * SECURITY UPDATE: Persistence file is world readable, which may expose
    sensitive data (LP: #1700490).
    - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to
      restrict persistence file read access to owner.
    - CVE-2017-9868

 -- <email address hidden> (Roger A. Light)  Mon, 26 Jun 2017 09:31:02 +0100
Superseded in zesty-updates
Superseded in zesty-security
mosquitto (1.4.10-2ubuntu0.1) zesty-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-1.4.10_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light)  Tue, 23 May 2017 22:14:40 +0100
Obsolete in yakkety-updates
Obsolete in yakkety-security
mosquitto (1.4.8-1ubuntu0.16.10.1) yakkety-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light)  Tue, 23 May 2017 22:14:40 +0100
Superseded in xenial-updates
Superseded in xenial-security
mosquitto (1.4.8-1ubuntu0.16.04.1) xenial-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-1.4.8_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light)  Tue, 23 May 2017 22:14:40 +0100
Superseded in trusty-updates
Superseded in trusty-security
mosquitto (0.15-2ubuntu1.1) trusty-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light)  Tue, 23 May 2017 22:14:40 +0100
Superseded in bionic-release
Obsolete in artful-release
Deleted in artful-proposed (Reason: moved to release)
mosquitto (1.4.12-1) experimental; urgency=low

  * New upstream release.

 -- Roger A. Light <email address hidden>  Mon, 29 May 2017 14:56:32 +0100

Superseded in artful-release
Obsolete in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
mosquitto (1.4.10-2) unstable; urgency=medium

  * Bumped standards version to 3.9.8. No changes needed.
  * Bumped dh compat level to 10.
  * Vcs-* links updated.

 -- Roger A. Light <email address hidden>  Thu, 03 Nov 2016 22:37:33 +0000