Change logs for mosquitto source package in Xenial

  • mosquitto (1.4.8-1ubuntu0.16.04.7) xenial-security; urgency=medium
    
      * SECURITY UPDATE: DoS (client disconnect) via invalid UTF-8 strings
        - debian/patches/add-validate-utf8.patch: Add validate UTF-8
        - debian/patches/CVE-2017-7653.patch: Add UTF-8 tests, plus some validation
          fixes
        - CVE-2017-7653
      * SECURITY UPDATE: Memory leak in the Mosquitto Broker allows unauthenticated
        clients to send crafted CONNECT packets which could cause DoS
        - debian/patches/CVE-2017-7654.patch: Fix memory leak that could be caused
          by a malicious CONNECT packet
        - CVE-2017-7654
    
     -- Eduardo Barretto <email address hidden>  Tue, 18 Jun 2019 11:59:34 -0300
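The 1.4.8-1ubuntu0.16.04.7 update above adds UTF-8 validation of MQTT strings. As an added illustration, not code from the mosquitto package or its patches, the check below applies the MQTT 3.1.1 rules for UTF-8 encoded strings (well-formed sequences only, no U+0000, no UTF-16 surrogates); the function names and the sample strings are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Validate an MQTT UTF-8 encoded string of `len` bytes. Example code, not
 * mosquitto's own validate_utf8. Returns true only if every sequence is
 * well-formed per RFC 3629 and MQTT 3.1.1 section 1.5.3: no overlong forms,
 * nothing above U+10FFFF, no U+0000 and no UTF-16 surrogates (U+D800..U+DFFF). */
bool mqtt_utf8_valid(const uint8_t *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t b = s[i];
        uint32_t cp; size_t n;
        if (b < 0x80)                { cp = b;        n = 1; }
        else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; n = 2; }
        else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; n = 3; }
        else if ((b & 0xF8) == 0xF0) { cp = b & 0x07; n = 4; }
        else return false;                 /* stray continuation byte or 0xF8..0xFF */
        if (i + n > len) return false;     /* sequence truncated by end of string */
        for (size_t k = 1; k < n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return false;   /* bad continuation byte */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        /* overlong forms: each length has a minimum code point */
        if ((n == 2 && cp < 0x80) || (n == 3 && cp < 0x800) || (n == 4 && cp < 0x10000))
            return false;
        if (cp > 0x10FFFF) return false;                   /* beyond the Unicode range */
        if (cp == 0) return false;                         /* U+0000 is forbidden in MQTT strings */
        if (cp >= 0xD800 && cp <= 0xDFFF) return false;    /* UTF-16 surrogates are forbidden */
        i += n;
    }
    return true;
}

/* Wrapper for NUL-terminated strings such as topic names and client ids. */
bool mqtt_string_valid(const char *str)
{
    return mqtt_utf8_valid((const uint8_t *)str, strlen(str));
}

int main(void)
{   /* constructed samples: a valid topic name and an overlong-encoded NUL */
    printf("%d %d\n", mqtt_string_valid("sensor/caf\xC3\xA9"), mqtt_string_valid("\xC0\x80"));
    return 0;
}
```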
  • mosquitto (1.4.8-1ubuntu0.16.04.6) xenial-security; urgency=medium
    
      * Fix regression in update for CVE-2018-12546.
    
     -- <email address hidden> (Roger A. Light)  Wed, 13 Feb 2019 00:27:01 +0000
  • mosquitto (1.4.8-1ubuntu0.16.04.5) xenial-security; urgency=medium
    
      * SECURITY UPDATE: If Mosquitto is configured to use a password file for
        authentication, any malformed data in the password file will be treated as
        valid. This typically means that the malformed data becomes a username and
        no password. If this occurs, clients can circumvent authentication and get
        access to the broker by using the malformed username. In particular, a blank
        line will be treated as a valid empty username. Other security measures are
        unaffected. Users who have only used the mosquitto_passwd utility to create
        and modify their password files are unaffected by this vulnerability.
        - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
          more stringent parsing tests on the password file data.
        - CVE-2018-12551
      * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
        comments, then mosquitto treats the ACL file as not being defined, which
        means that no topic access is denied. Although denying access to all
        topics is not a useful configuration, this behaviour is unexpected and
        could lead to access being incorrectly granted in some circumstances.
        - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
          that if an ACL file is defined but no rules are defined, then access will
          be denied.
        - CVE-2018-12550
      * SECURITY UPDATE: If a client publishes a retained message to a topic that
        they have access to, and then their access to that topic is revoked, the
        retained message will still be delivered to future subscribers. This
        behaviour may be undesirable in some applications, so a configuration
        option `check_retain_source` has been introduced to enforce checking of
        the retained message source on publish.
        - debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
          the originator of the retained message, so security checking can be
          carried out before re-publishing. The complexity of the patch is due to
          the need to save this information across broker restarts.
        - CVE-2018-12546
    
     -- <email address hidden> (Roger A. Light)  Wed, 06 Feb 2019 17:03:31 +0000
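For the CVE-2018-12551 entry above, the following is an added example, not the package's patch, of a fail-closed parser for the `username:hash` layout that mosquitto_passwd writes: blank lines and lines starting with '#' (treated here as comments) are skipped, and any other line without a non-empty username, a ':' and a non-empty hash makes loading fail instead of becoming an empty, password-less user. The function names, buffer sizes and sample file content are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { PW_OK = 0, PW_SKIP = 1, PW_MALFORMED = -1 } pw_status;  /* one line's outcome */

/* Parse one "username:hash" line. Blank lines and '#' comments are skipped; any
 * other line must carry a non-empty username, a ':' and a non-empty hash, else it
 * is malformed so the loader can fail closed rather than admit an empty user. */
pw_status pw_parse_line(const char *line, char *user, size_t ulen, char *hash, size_t hlen)
{
    while (*line == ' ' || *line == '\t') line++;
    size_t n = strlen(line);
    while (n > 0 && isspace((unsigned char)line[n - 1])) n--;       /* drop \r, \n, trailing blanks */
    if (n == 0 || line[0] == '#') return PW_SKIP;
    const char *sep = memchr(line, ':', n);
    if (sep == NULL || sep == line) return PW_MALFORMED;            /* no separator or empty username */
    size_t ul = (size_t)(sep - line), hl = n - ul - 1;
    if (hl == 0 || ul >= ulen || hl >= hlen) return PW_MALFORMED;   /* empty hash or oversized field */
    for (size_t i = 0; i < ul; i++)
        if (iscntrl((unsigned char)line[i])) return PW_MALFORMED;   /* control bytes in username */
    memcpy(user, line, ul); user[ul] = '\0';
    memcpy(hash, sep + 1, hl); hash[hl] = '\0';
    return PW_OK;
}

/* Validate a whole password file held in memory. Returns the number of usable
 * entries, or minus the 1-based number of the first malformed line (-3 = line 3). */
int pw_load(const char *contents)
{
    char user[64], hash[256], line[512];
    int count = 0, lineno = 0;
    for (const char *p = contents; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        lineno++;
        if (len >= sizeof line) return -lineno;                      /* line too long for the buffer */
        memcpy(line, p, len); line[len] = '\0';
        pw_status st = pw_parse_line(line, user, sizeof user, hash, sizeof hash);
        if (st == PW_MALFORMED) return -lineno;
        if (st == PW_OK) count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

int main(void)
{   /* constructed sample: a good entry, a comment, then a line with a blank username */
    printf("%d\n", pw_load("alice:$6$salt$hash\n# comment\n:$6$salt$hash\n"));
    return 0;
}
```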
  • mosquitto (1.4.8-1ubuntu0.16.04.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: in case all sockets/file descriptors are exhausted,
        then opening the configuration file will fail.
        - debian/patches/mosquitto-1.4.x_cve-2017-7652.patch: this is a fix
          to avoid default config values after reloading configuration by
          SIGHUP signal.
        - CVE-2017-7652
    
     -- Eduardo Barretto <email address hidden>  Wed, 05 Sep 2018 15:51:27 -0300
  • mosquitto (1.4.8-1ubuntu0.16.04.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: upstream patch for CVE-2017-7651 (LP: #1752591)
    
     -- Emmet Hikory <email address hidden>  Thu, 01 Mar 2018 09:34:49 -0500
  • mosquitto (1.4.8-1ubuntu0.16.04.2) xenial-security; urgency=low
    
      * SECURITY UPDATE: Persistence file is world readable, which may expose
        sensitive data (LP: #1700490).
        - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to
          restrict persistence file read access to owner.
        - CVE-2017-9868
    
     -- <email address hidden> (Roger A. Light)  Mon, 26 Jun 2017 09:31:02 +0100
  • mosquitto (1.4.8-1ubuntu0.16.04.1) xenial-security; urgency=low
    
      * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
        set to '+' or '#' (LP: #1692818).
        - debian/patches/mosquitto-1.4.8_cve-2017-7650.patch: Reject send/receive
          of messages to/from clients with a '+', '#' or '/' in their
          username/client id.
        - CVE-2017-7650
    
     -- <email address hidden> (Roger A. Light)  Tue, 23 May 2017 22:14:40 +0100
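For the pattern ACL bypass in the CVE-2017-7650 entry above, an added example that is not the package's patch (the patch rejects such clients outright): an expander for the %u and %c placeholders of a pattern rule that refuses to substitute a username or client id containing '+', '#' or '/', so an identifier can never turn into a wildcard in the expanded rule. Function names, the 256-byte buffer and the sample identifiers are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A username or client id may be substituted into a pattern ACL only if it has
 * none of the MQTT wildcards '+' and '#' and no topic separator '/'. Otherwise
 * "pattern read sensor/%u/#" with username "+" expands to "sensor/+/#", which
 * matches every user's branch instead of one. Empty ids are rejected as well. */
bool acl_identifier_ok(const char *id)
{
    return id != NULL && *id != '\0' && strpbrk(id, "+#/") == NULL;
}

/* Expand %u (username) and %c (client id) in a pattern rule. Returns a pointer
 * to a static buffer holding the expanded filter, or NULL when a substituted
 * identifier is unsafe or the result would not fit. The static buffer keeps
 * the example short; a broker would allocate per call. */
const char *acl_expand_pattern(const char *pattern, const char *username, const char *clientid)
{
    static char out[256];
    size_t o = 0;
    for (const char *p = pattern; *p; p++) {
        const char *sub = NULL;
        if (p[0] == '%' && p[1] == 'u') { sub = username; p++; }
        else if (p[0] == '%' && p[1] == 'c') { sub = clientid; p++; }
        if (sub) {
            if (!acl_identifier_ok(sub)) return NULL;   /* never let an id become a wildcard */
            size_t l = strlen(sub);
            if (o + l >= sizeof out) return NULL;
            memcpy(out + o, sub, l);
            o += l;
        } else {
            if (o + 1 >= sizeof out) return NULL;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return out;
}

int main(void)
{   /* constructed identifiers: a normal user, then one that is a bare wildcard */
    const char *ok = acl_expand_pattern("sensor/%u/%c/#", "alice", "dev01");
    const char *bad = acl_expand_pattern("sensor/%u/%c/#", "+", "dev01");
    printf("%s / %s\n", ok ? ok : "(null)", bad ? bad : "rejected");
    return 0;
}
```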
  • mosquitto (1.4.8-1build1) xenial; urgency=medium
    
      * Rebuild against libwebsockets7.
    
     -- Gianfranco Costamagna <email address hidden>  Fri, 19 Feb 2016 12:03:16 +0100
  • mosquitto (1.4.8-1) unstable; urgency=high
    
      * New upstream release.
      * apparmor is now "suggests" instead of "depends".
    
     -- Roger A. Light <email address hidden>  Sun, 14 Feb 2016 15:06:55 +0000
  • mosquitto (1.4.7-1) unstable; urgency=low
    
      * New upstream release. Includes support for libwebsockets 1.6.
      * Add dependency link between libmosquittopp-dev and libmosquitto-dev
        (closes: #805506).
      * Dropped misc:Pre-Depends line for libmosquitto1. See #783898.
      * libc-ares2 Depends is handled by shlib:Depends for libmosquitto1.
    
     -- Roger A. Light <email address hidden>  Mon, 21 Dec 2015 10:59:31 +0000
  • mosquitto (1.4.4-1) unstable; urgency=low
    
      * New upstream release.
      * Fix Vcs link.
      * Note that libs & clients also support MQTT v3.1.1.
    
     -- Roger A. Light <email address hidden>  Mon, 21 Sep 2015 09:56:28 +0100
  • mosquitto (1.4.3-1) unstable; urgency=low
    
      * New upstream release.
      * New binary package mosquitto-dev.
      * python3-mosquitto and python-mosquitto packages removed because the python
        module is no longer part of upstream.
      * Remove unused patches (pynomake.patch and disable-bad-test.patch)
      * Added dependency on libwebsockets3, uuid. Note that the source package
        will build (and actually prefers) using libwebsockets4 when it becomes
        available. This adds the patch enable-websockets.patch.
      * Upstream license has changed from BSD-3 to EPL-1.0 or EDL-1.0.
      * Fix log directory permissions.
      * Port to multiarch (closes: #763385) - adds libdir.patch
      * Symbols update
      * Patch refresh
      * Add build-timestamp.patch to create reproducible builds.
      * Add support for apparmor.
    
     -- Roger A. Light <email address hidden>  Wed, 19 Aug 2015 10:31:10 +0100