[Buildroot] [PATCH] package/mosquitto: security bump to version 1.5.6
Peter Korsgaard
peter at korsgaard.com
Thu Feb 21 10:24:10 UTC 2019
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2018-12551: If Mosquitto is configured to use a password file for
> authentication, any malformed data in the password file will be treated as
> valid. This typically means that the malformed data becomes a username and
> no password. If this occurs, clients can circumvent authentication and get
> access to the broker by using the malformed username. In particular, a
> blank line will be treated as a valid empty username. Other security
> measures are unaffected. Users who have only used the mosquitto_passwd
> utility to create and modify their password files are unaffected by this
> vulnerability. Affects version 1.0 to 1.5.5 inclusive.
> CVE-2018-12550: If an ACL file is empty, or has only blank lines or
> comments, then mosquitto treats the ACL file as not being defined, which
> means that no topic access is denied. Although denying access to all topics
> is not a useful configuration, this behaviour is unexpected and could lead
> to access being incorrectly granted in some circumstances. Affects versions
> 1.0 to 1.5.5 inclusive.
> CVE-2018-12546: If a client publishes a retained message to a topic that
> they have access to, and then their access to that topic is revoked, the
> retained message will still be delivered to future subscribers. This
> behaviour may be undesirable in some applications, so a configuration option
> check_retain_source has been introduced to enforce checking of the retained
> message source on publish.
> Add two upstream post-1.5.6 patches to fix a build error in the bridge code
> when ADNS is enabled and when building with older toolchains not defaulting
> to C99 mode.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2018.02.x and 2018.11.x, thanks.
--
Bye, Peter Korsgaard
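As an added example that is not part of this e-mail, of Buildroot, or of the Mosquitto project: a small Python audit of the three files the quoted advisories concern. It flags password-file lines that do not look like `mosquitto_passwd` output (the lines CVE-2018-12551 turned into password-less usernames), an ACL file that is empty or comments-only (CVE-2018-12550), and a configuration that sets `acl_file` without `check_retain_source true` (the option 1.5.6 introduced for CVE-2018-12546). The `user:$6$<salt>$<hash>` line shape, the config-line parser and the sample files are this example's own assumptions and constructed data; `password_file`, `acl_file`, `allow_anonymous` and `listener` are ordinary Mosquitto options.

```python
"""
Offline audit of the Mosquitto password file, ACL file and mosquitto.conf
for the conditions behind CVE-2018-12551, CVE-2018-12550 and CVE-2018-12546.
Added example; not Buildroot or Mosquitto project code.
"""
import re
from typing import Dict, List

# mosquitto_passwd in the 1.x series writes one "user:$6$<salt>$<hash>" line
# per user (base64 salt and hash). Anything else is "malformed data" in the
# sense of CVE-2018-12551. The regex is this example's approximation of that
# output, not a definition taken from Mosquitto itself.
_PASSWD_LINE = re.compile(r"^[^:\s]+:\$6\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")

# A config line is "<option> <value...>"; '#' starts a comment (assumption:
# a minimal reader, enough for the options checked here).
_CONF_LINE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?)\s*$")


def audit_password_file(text: str) -> List[str]:
    """One finding per line that does not look like mosquitto_passwd output.

    On 1.0-1.5.5 each such line became a username that authenticates
    without a password; a blank line became the empty username.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if _PASSWD_LINE.match(raw):
            continue
        if raw.strip() == "":
            findings.append(f"passwd:{lineno}: blank line (empty username, no password)")
        elif ":" not in raw:
            findings.append(f"passwd:{lineno}: no ':' (username {raw.strip()!r} with no password)")
        else:
            findings.append(f"passwd:{lineno}: password field is not a $6$ hash")
    return findings


def acl_file_is_effectively_empty(text: str) -> bool:
    """True when the file has only blank lines and '#' comments.

    A 1.0-1.5.5 broker treated such a file as if acl_file were unset,
    so no topic access was denied (CVE-2018-12550).
    """
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            return False
    return True


def parse_conf(text: str) -> Dict[str, str]:
    """Minimal mosquitto.conf reader: comments ignored, last value wins."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _CONF_LINE.match(stripped)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def audit_broker(conf_text: str, passwd_text: str, acl_text: str) -> List[str]:
    """Run the three checks against one broker's configuration files."""
    conf = parse_conf(conf_text)
    findings: List[str] = []
    if "password_file" in conf:
        findings += audit_password_file(passwd_text)
    if "acl_file" in conf:
        if acl_file_is_effectively_empty(acl_text):
            findings.append("acl: file is empty or comments only; pre-1.5.6 denies no topic")
        # check_retain_source is the option 1.5.6 introduced for CVE-2018-12546;
        # without it a retained message outlives the revocation of its publisher's ACL.
        if conf.get("check_retain_source", "false").lower() != "true":
            findings.append("conf: check_retain_source is not true; retained messages bypass revoked ACLs")
    return findings


# Constructed sample files (not taken from any real deployment).
SAMPLE_CONF = """\
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
# check_retain_source true   (commented out on purpose)
"""

SAMPLE_PASSWD = """\
alice:$6$c2FsdHNhbHQ=$aGFzaGhhc2hoYXNoaGFzaA==

bob
carol:plaintext
"""

SAMPLE_ACL = """\
# ACL file with every rule commented out

# topic read sensors/#
"""

if __name__ == "__main__":
    for finding in audit_broker(SAMPLE_CONF, SAMPLE_PASSWD, SAMPLE_ACL):
        print(finding)
```

Run against a real installation, the three strings would be read from the paths named in `mosquitto.conf`; the audit is deliberately conservative and treats any password line that is not a `$6$` hash as suspect, so a file edited by hand rather than with `mosquitto_passwd` is exactly what it is meant to catch.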