From 22abd8ba720c2916faf264fdfbef8a60e6644291d6dcf0af7ea6a3edb39a56fc Mon Sep 17 00:00:00 2001 
From: Marcus Rueckert
Date: Tue, 8 Jan 2019 20:22:44 +0000
Subject: [PATCH] Accepting request 658974 from home:mnhauke

- FIX CVE-2018-20145: mosquitto: ACL bypass (bnc#1119536)
- Update to version 1.5.5
  Security:
  * If `per_listener_settings` is set to true, then the `acl_file` setting was
    ignored for the "default listener" only. This has been fixed. This does not
    affect any listeners defined with the `listener` option.
  Broker:
  * Add `socket_domain` option to allow listeners to disable IPv6 support.
    This is required to work around a problem in libwebsockets that means
    sockets only listen on IPv6 by default if IPv6 support is compiled in.
  * When using ADNS, don't ask for all network protocols when connecting,
    because this can lead to confusing "Protocol not supported" errors if the
    network is down.
  * Fix outgoing retained messages not being sent by bridges on initial
    connection.
  * Don't reload auth_opt_ options on reload, to match the behaviour of the
    other plugin options.
  * Print message on error when installing/uninstalling as a Windows service.
  * All non-error connect/disconnect messages are controlled by the
    `connection_messages` option.
  Library:
  * Fix reconnect delay backoff behaviour.
  * Don't call on_disconnect() twice if keepalive tests fail.
  Client:
  * Always print leading zeros in mosquitto_sub when output format is hex.
  Build:
  * Fix building where TLS-PSK is not available.
- Update to version 1.5.4
  Security:
  * When using a TLS enabled websockets listener with "require_certificate"

OBS-URL: https://build.opensuse.org/request/show/658974
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=17
---
 mosquitto-1.5.3.tar.gz |  3 ---
 mosquitto-1.5.5.tar.gz |  3 +++
 mosquitto.changes      | 54 ++++++++++++++++++++++++++++++++++++++++++
 mosquitto.spec         |  2 +-
 4 files changed, 58 insertions(+), 4 deletions(-)
 delete mode 100644 mosquitto-1.5.3.tar.gz
 create mode 100644 mosquitto-1.5.5.tar.gz
diff --git a/mosquitto-1.5.3.tar.gz b/mosquitto-1.5.3.tar.gz deleted file mode 100644 index 27fe02c..0000000 --- a/mosquitto-1.5.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3081a998d303a883b1cd064009beabc88aa9159e26f5258a4ae6007160491d10 -size 425844 diff --git a/mosquitto-1.5.5.tar.gz b/mosquitto-1.5.5.tar.gz new file mode 100644 index 0000000..79218bf --- /dev/null +++ b/mosquitto-1.5.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fcdb47e340864c545146681af7253399cc292e41775afd76400fda5b0d23d668 +size 431998 diff --git a/mosquitto.changes b/mosquitto.changes index 89010bf..b9d361f 100644 --- a/mosquitto.changes +++ b/mosquitto.changes 
@@ -1,3 +1,57 @@ +------------------------------------------------------------------- +Mon Dec 17 20:15:50 UTC 2018 - mardnh@gmx.de + +- FIX CVE-2018-20145: mosquitto: ACL bypass (bnc#1119536) +- Update to version 1.5.5 + Security: + * If `per_listener_settings` is set to true, then the `acl_file` setting was + ignored for the "default listener" only. This has been fixed. This does not + affect any listeners defined with the `listener` option. + Broker: + * Add `socket_domain` option to allow listeners to disable IPv6 support. + This is required to work around a problem in libwebsockets that means + sockets only listen on IPv6 by default if IPv6 support is compiled in. + * When using ADNS, don't ask for all network protocols when connecting, + because this can lead to confusing "Protocol not supported" errors if the + network is down. + * Fix outgoing retained messages not being sent by bridges on initial + connection. + * Don't reload auth_opt_ options on reload, to match the behaviour of the + other plugin options. + * Print message on error when installing/uninstalling as a Windows service. + * All non-error connect/disconnect messages are controlled by the + `connection_messages` option. + Library: + * Fix reconnect delay backoff behaviour. + * Don't call on_disconnect() twice if keepalive tests fail. + Client: + * Always print leading zeros in mosquitto_sub when output format is hex. + Build: + * Fix building where TLS-PSK is not available. + +- Update to version 1.5.4 + Security: + * When using a TLS enabled websockets listener with "require_certificate" + enabled, the mosquitto broker does not correctly verify client certificates. + This is now fixed. All other security measures operate as expected, and in + particular non-websockets listeners are not affected by this. + Broker: + * Process all pending messages even when a client has disconnected. 
This means + a client that send a PUBLISH then DISCONNECT quickly, then disconnects will + have its DISCONNECT message processed properly and so no Will will be sent. + * $SYS/broker/clients/disconnected should never be negative. + * Give better error message if a client sends a password without a username. + * Fix bridge not honoring restart_timeout. + * Don't disconnect a client if an auth plugin denies access to SUBSCRIBE. + Library: + * Fix memory leak that occurred if mosquitto_reconnect() was used when TLS + errors were present. + * Fix TLS connections when using an external event loop with + mosquitto_loop_read() and mosquitto_write(). + Build: + * Fix clients not being compiled with threading support when using CMake. + * Use _GNU_SOURCE to fix build errors in websockets and getaddrinfo usage. + ------------------------------------------------------------------- Thu Oct 25 18:06:26 UTC 2018 - mardnh@gmx.de diff --git a/mosquitto.spec b/mosquitto.spec index fd33a63..90d0f46 100644 --- a/mosquitto.spec +++ b/mosquitto.spec @@ -27,7 +27,7 @@ %endif %bcond_without websockets Name: mosquitto -Version: 1.5.3 +Version: 1.5.5 Release: 0 Summary: A MQTT v3.1/v3.1.1 Broker License: EPL-1.0
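Review bot: in the tarball hunks, the only integrity record for the new source is the git-lfs pointer (`+oid sha256:fcdb47e340864c545146681af7253399cc292e41775afd76400fda5b0d23d668`, `+size 431998`); nothing else in the request shows where the archive was obtained, so confirm that this digest matches the checksum upstream publishes for the mosquitto 1.5.5 release before accepting. Dropping the 1.5.3 pointer is fine since the spec no longer references that version.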
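Review bot: in the mosquitto.changes hunk, the 1.5.4 Security item (a TLS websockets listener with `require_certificate` not verifying client certificates) has no `- FIX ...` line or bug reference, while the 1.5.5 ACL bypass is tagged `CVE-2018-20145 (bnc#1119536)` at the top of the entry; if an identifier exists for the websockets issue, add a matching line so changelog scanners see both security fixes. The entry should also warn that deployments using `per_listener_settings true` with an `acl_file` will have ACLs enforced on the default listener after this update, because that is exactly the behaviour the fix changes. Minor: the pasted upstream text `a client that send a PUBLISH then DISCONNECT quickly, then disconnects will` should read `sends`.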
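Review bot: in the mosquitto.spec hunk, the bump from `-Version: 1.5.3` to `+Version: 1.5.5` skips 1.5.4, and the context line `%bcond_without websockets` shows websockets support is built by default, so the 1.5.4 client-certificate verification fix for TLS websockets listeners applies directly to this package and deserves the same prominence in the request as the ACL bypass. No other spec changes are needed for the version bump as shown.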