Package "mosquitto-clients"

Name: mosquitto-clients


Mosquitto command line MQTT clients

Latest version: 1.4.8-1ubuntu0.16.04.7
Release: xenial (16.04)
Level: updates
Repository: universe
Head package: mosquitto
Homepage: http://mosquitto.org/


Download "mosquitto-clients"

Other versions of "mosquitto-clients" in Xenial

Repository Area Version
base universe 1.4.8-1build1
security universe 1.4.8-1ubuntu0.16.04.7


Version: 1.4.8-1ubuntu0.16.04.7 2019-06-20 17:06:21 UTC

  mosquitto (1.4.8-1ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS (client disconnect) via invalid UTF-8 strings
    - debian/patches/add-validate-utf8.patch: Add validate UTF-8
    - debian/patches/CVE-2017-7653.patch: Add UTF-8 tests, plus some validation
    - CVE-2017-7653
  * SECURITY UPDATE: Memory leak in the Mosquitto Broker allows unauthenticated
    clients to send crafted CONNECT packets which could cause DoS
    - debian/patches/CVE-2017-7654.patch: Fix memory leak that could be caused
      by a malicious CONNECT packet
    - CVE-2017-7654

 -- Eduardo Barretto <email address hidden> Tue, 18 Jun 2019 11:59:34 -0300

Source diff to previous version
CVE-2017-7653 The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that
CVE-2017-7654 In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted

Version: 1.4.8-1ubuntu0.16.04.6 2019-02-14 13:06:25 UTC

  mosquitto (1.4.8-1ubuntu0.16.04.6) xenial-security; urgency=medium

  * Fix regression in update for CVE-2018-12546.

 -- <email address hidden> (Roger A. Light) Wed, 13 Feb 2019 00:27:01 +0000

Source diff to previous version

Version: 1.4.8-1ubuntu0.16.04.5 2019-02-11 15:06:25 UTC

  mosquitto (1.4.8-1ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: If Mosquitto is configured to use a password file for
    authentication, any malformed data in the password file will be treated as
    valid. This typically means that the malformed data becomes a username and
    no password. If this occurs, clients can circumvent authentication and get
    access to the broker by using the malformed username. In particular, a blank
    line will be treated as a valid empty username. Other security measures are
    unaffected. Users who have only used the mosquitto_passwd utility to create
    and modify their password files are unaffected by this vulnerability.
    - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
      more stringent parsing tests on the password file data.
    - CVE-2018-12551
  * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
    comments, then mosquitto treats the ACL file as not being defined, which
    means that no topic access is denied. Although denying access to all
    topics is not a useful configuration, this behaviour is unexpected and
    could lead to access being incorrectly granted in some circumstances.
    - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
      that if an ACL file is defined but no rules are defined, then access will
      be denied.
    - CVE-2018-12550
  * SECURITY UPDATE: If a client publishes a retained message to a topic that
    they have access to, and then their access to that topic is revoked, the
    retained message will still be delivered to future subscribers. This
    behaviour may be undesirable in some applications, so a configuration
    option `check_retain_source` has been introduced to enforce checking of
    the retained message source on publish.
    - debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
      the originator of the retained message, so security checking can be
      carried out before re-publishing. The complexity of the patch is due to
      the need to save this information across broker restarts.
    - CVE-2018-12546

 -- <email address hidden> (Roger A. Light) Wed, 06 Feb 2019 17:03:31 +0000

Source diff to previous version

Version: 1.4.8-1ubuntu0.16.04.4 2018-09-06 18:06:40 UTC

  mosquitto (1.4.8-1ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: in case all sockets/file descriptors are exhausted,
    then opening the configuration file will fail.
    - debian/patches/mosquitto-1.4.x_cve-2017-7652.patch: this is a fix
      to avoid default config values after reloading configuration by
      SIGHUP signal.
    - CVE-2017-7652

 -- Eduardo Barretto <email address hidden> Wed, 05 Sep 2018 15:51:27 -0300

Source diff to previous version
CVE-2017-7652 In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the confi

Version: 1.4.8-1ubuntu0.16.04.3 2018-03-16 16:07:17 UTC

  mosquitto (1.4.8-1ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: upstream patch for CVE 2017-7651 (LP: #1752591)

 -- Emmet Hikory <email address hidden> Thu, 01 Mar 2018 09:34:49 -0500

1752591 CVE-2017-7651 and CVE-2017-7652

About   -   Send Feedback to @ubuntu_updates