MQTT version 3.1/3.1.1 compatible message broker
Save this URL for the latest version of "mosquitto":
Other versions of "mosquitto" in Cosmic
Packages in group
Deleted packages are displayed in grey.
mosquitto (1.4.15-2ubuntu0.18.10.2) cosmic-security; urgency=medium
* Fix regression in update for CVE-2018-12546.
-- <email address hidden> (Roger A. Light) Wed, 13 Feb 2019 00:27:01 +0000
|Source diff to previous version|
mosquitto (1.4.15-2ubuntu0.18.10.1) cosmic-security; urgency=medium
* SECURITY UPDATE: If Mosquitto is configured to use a password file for
authentication, any malformed data in the password file will be treated as
valid. This typically means that the malformed data becomes a username and
no password. If this occurs, clients can circumvent authentication and get
access to the broker by using the malformed username. In particular, a blank
line will be treated as a valid empty username. Other security measures are
unaffected. Users who have only used the mosquitto_passwd utility to create
and modify their password files are unaffected by this vulnerability.
- debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
more stringent parsing tests on the password file data.
* SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
comments, then mosquitto treats the ACL file as not being defined, which
means that no topic access is denied. Although denying access to all
topics is not a useful configuration, this behaviour is unexpected and
could lead to access being incorrectly granted in some circumstances.
- debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
that if an ACL file is defined but no rules are defined, then access will
* SECURITY UPDATE: If a client publishes a retained message to a topic that
they have access to, and then their access to that topic is revoked, the
retained message will still be delivered to future subscribers. This
behaviour may be undesirable in some applications, so a configuration
option `check_retain_source` has been introduced to enforce checking of
the retained message source on publish.
- debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
the originator of the retained message, so security checking can be
carried out before re-publishing. The complexity of the patch is due to
the need to save this information across broker restarts.
-- <email address hidden> (Roger A. Light) Wed, 06 Feb 2019 17:03:31 +0000
Send Feedback to @ubuntu_updates