[Buildroot] [PATCH] package/mosquitto: security bump to version 1.6.6
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Wed Sep 18 15:51:48 UTC 2019
On Wed, 18 Sep 2019 16:38:39 +0200
Peter Korsgaard <peter at korsgaard.com> wrote:
> Fixes a security issue. From the annoncement:
>
> A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive.
>
> If a client sends a SUBSCRIBE packet containing a topic that consists of
> approximately 65400 or more '/' characters, i.e. the topic hierarchy
> separator, then a stack overflow will occur.
>
> The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions
> are available at https://mosquitto.org/files/cve/2019-hier
>
> The fix addresses the problem by restricting the allowed number of topic
> hierarchy levels to 200. An alternative fix is to increase the size of the
> stack by a small amount.
>
> https://mosquitto.org/blog/2019/09/version-1-6-6-released/
>
> Also notice that 1.6.5 silently fixed a security issue:
>
> CVE-2019-11778
>
> A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778
>
> If an MQTT v5 client connects to Mosquitto, sets a last will and testament,
> sets a will delay interval, sets a session expiry interval, and the will
> delay interval is set longer than the session expiry interval, then a use
> after free error occurs, which has the potential to cause a crash in some
> situations.
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
> package/mosquitto/mosquitto.hash | 2 +-
> package/mosquitto/mosquitto.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
More information about the buildroot
mailing list