Accepting request 1135794 from home:dirkmueller:Factory

- update to 2.0.18 (bsc#1214918, CVE-2023-28366, bsc#1215865,
                    CVE-2023-0809, bsc#1215864, CVE-2023-3592):
  * Fix crash on subscribe under certain unlikely conditions.
  * Fix mosquitto_rr not honouring `-R`. Closes #2893.
  * Fix `max_queued_messages 0` stopping clients from receiving
    messages.
  * Fix `max_inflight_messages` not being set correctly.
  * Fix `mosquitto_passwd -U` backup file creation.
  * CVE-2023-28366: Fix memory leak in broker when clients send
    multiple QoS 2 messages with the same message ID, but then
    never respond to the PUBREC commands.
  * CVE-2023-0809: Fix excessive memory being allocated based on
    malicious initial packets that are not CONNECT packets.
  * CVE-2023-3592: Fix memory leak when clients send v5 CONNECT
    packets with a will message that contains invalid property
    types.
  * Broker will now reject Will messages that attempt to publish
    to $CONTROL/.
  * Broker now validates usernames provided in a TLS certificate
    or TLS-PSK identity are valid UTF-8.
  * Fix potential crash when loading invalid persistence file.
  * Library will no longer allow single level wildcard
    certificates, e.g. *.com
  * Fix $SYS messages being expired after 60 seconds and hence
    unchanged values disappearing.
  * Fix some retained topic memory not being cleared immediately
    after used.
  * Fix error handling related to the `bind_interface` option.
  * Fix std* files not being redirected when daemonising, when
    built with assertions removed.

OBS-URL: https://build.opensuse.org/request/show/1135794
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=63

mosquitto-2.0.15.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4735b1d32e3f91c7a8896741d88a3022e89730a1ee897946decfa0df27039ac6
-size 792632

mosquitto-2.0.15.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAmL7nMoACgkQd5si37Pn
-F7eTzg//USRDDrpqd5RG3/9bY172OMQ9WnekmESZP3mfXyxV3lAPiqqKR9ShjTvO
-B68pSxnbkxnKl1yX+hntdw941qQdaeexEIfQBeB1tq4TkKHcYjBBoCa1EpKbiUi+
-wbnw1RaKKkiNJZVuvcp3jDFXIOdqxUoBUzEnIy8dBOk7l3gxZEZCh1gdDvQFBd0D
-jw9FlhZYTE5SbVyCJ3fDzAoEsGe4qXeeNHrgKIImnFVuil30/PdB938wcMnGTTAz
-6XLyyvqp4yhMzODFIkl9BjX6GXK5pRmBYXkGLeXVepPiI+F1IrUwOiSYqRAC3Mt7
-eVoOecvkG2qms8zm2eC22bcSQcUTmCcvd4/mgbt1SmNiFoUrwgc3YGVfv3/tXD9O
-QXGY4ASw8YKJmxhPhmztOrD8rut650nJM388wJGAoigGIPgfLTRD+r1O/EO/CCQT
-4ux0H2HrWZ0Lf7NIpyR4sviezcmpgOuwFiZW4lNo4tlU7wP0KuGSC6D37ItMien5
-dA+2nGxjK6uGAIAoTU8qvCxxrUHvv03XVNsASjp/0Q4djh0AodpcsEMJDWGZ30XM
-W6BShMeSLP6+uMAWMyrF2oB4f+Jp/LYZ+nDGEleF6wIFhI74GXxWnoAfkmewaN66
-Q7vXUWxufUShozt9LMmEkvTyXit6vWIHRW0YDoLD1jRQYDvGRag=
-=4duc
------END PGP SIGNATURE-----

mosquitto-2.0.18.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d665fe7d0032881b1371a47f34169ee4edab67903b2cd2b4c083822823f4448a
+size 796351

mosquitto-2.0.18.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEoNbuodyuSaY1o7Lwd5si37PnF7cFAmUIwT4ACgkQd5si37Pn
+F7cZfBAAp/pcUhCv3fguP2xroaQV1HC1Wl7KfEplF9cAkFnW893xgnSDo0qj8Mo2
+/DRekji8vZyoI3V2+S7QNFnbSjCsqfgnVSopHHOpm5xLWZ3xaQwo6FSfmgDEstIA
+YP5YoAbaTI69MbIqE1YqWISx/v0azc8T4zVQI8fMIew3GU8yg1ajaGJRH6kpskdg
+hzrxE97ET4pPEwEo1wVI/lx2QKXXMfDjhge97UH0XendlOJwpUdDVqFprKBctsKE
+9zUGAdN6UvTkCBJs2kFfqmNA2ivrbaUQs3v8Hn3cizNMOV+tbm4AGhBJ+jZAgx4d
+fp87+Pj4eiSs0o01gVsIUO4aQzwL2VM+ZNcRJHp/UZPEsaKlg6oS+nCceJg4N14V
+ue6HHc56RULQ/MFTLmK1uHtp6mWGi9Gqj/nIBh7je/uI+DzMUUpboYazjhH7pkhz
+KIQ07tDV/HJOKVupRc80qXp6z4mIlVH9eFvCWu6r1nRB053zv4Axvi/Br+Hygqe4
+0N/nxWFhl//xredL5eeh3U651WCjcgFazsboHqlDh/+aRMbAfPl22CoKr+4U5W5t
+ThvlrHpYekUvbd1WEJSM+DiiDzB4gfSRB91npQlbtbTOlZpfzeUt+QNSbAFIKWBF
+QPFCdddTFnDHd5bFFPjGqUdIzWbf9bSYn8QeNdcIRCkQLlmEZas=
+=Ucew
+-----END PGP SIGNATURE-----

mosquitto.changes

@@ -1,3 +1,70 @@
+-------------------------------------------------------------------
+Sat Dec 30 21:03:04 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.0.18 (bsc#1214918, CVE-2023-28366, bsc#1215865,
+                    CVE-2023-0809, bsc#1215864, CVE-2023-3592):
+  * Fix crash on subscribe under certain unlikely conditions.
+  * Fix mosquitto_rr not honouring `-R`. Closes #2893.
+  * Fix `max_queued_messages 0` stopping clients from receiving
+    messages.
+  * Fix `max_inflight_messages` not being set correctly.
+  * Fix `mosquitto_passwd -U` backup file creation.
+  * CVE-2023-28366: Fix memory leak in broker when clients send
+    multiple QoS 2 messages with the same message ID, but then
+    never respond to the PUBREC commands.
+  * CVE-2023-0809: Fix excessive memory being allocated based on
+    malicious initial packets that are not CONNECT packets.
+  * CVE-2023-3592: Fix memory leak when clients send v5 CONNECT
+    packets with a will message that contains invalid property
+    types.
+  * Broker will now reject Will messages that attempt to publish
+    to $CONTROL/.
+  * Broker now validates usernames provided in a TLS certificate
+    or TLS-PSK identity are valid UTF-8.
+  * Fix potential crash when loading invalid persistence file.
+  * Library will no longer allow single level wildcard
+    certificates, e.g. *.com
+  * Fix $SYS messages being expired after 60 seconds and hence
+    unchanged values disappearing.
+  * Fix some retained topic memory not being cleared immediately
+    after used.
+  * Fix error handling related to the `bind_interface` option.
+  * Fix std* files not being redirected when daemonising, when
+    built with assertions removed.
+  * Fix default settings incorrectly allowing TLS v1.1.
+  * Use line buffered mode for stdout.
+  * Fix bridges with non-matching cleansession/local_cleansession
+    being expired on start after restoring from persistence
+  * Fix connections being limited to 2048 on Windows. The limit
+    is now 8192, where supported.
+  * Broker will log warnings if sensitive files are world
+    readable/writable, or if the owner/group is not the same as
+    the user/group the broker is running as. In future versions
+    the broker will refuse to open these files.
+  * mosquitto_memcmp_const is now more constant time.
+  * Only register with DLT if DLT logging is enabled.
+  * Fix any possible case where a json string might be
+    incorrectly loaded. This could have caused a crash if a
+    textname or textdescription field of a role was not a string,
+    when loading the dynsec config from file only.
+  * Dynsec plugin will not allow duplicate clients/groups/roles
+    when loading config from file, which matches the behaviour
+    for when creating them.
+  * Fix heap overflow when reading corrupt config with "log_dest
+    file".
+  * Use CLOCK_BOOTTIME when available, to keep track of time.
+    This solves the problem of the client OS sleeping and the
+    client hence not being able to calculate the actual time for
+    keepalive purposes.
+  * Fix default settings incorrectly allowing TLS v1.1. Closes
+  * Fix high CPU use on slow TLS connect.
+  * Fix incorrect topic-alias property value in mosquitto_sub
+    json output.
+  * Fix confusing message on TLS certificate verification.
+  * mosquitto_passwd uses mkstemp() for backup files.
+  * `mosquitto_ctrl dynsec init` will refuse to overwrite an
+    existing file, without a race-condition.
+
 -------------------------------------------------------------------
 Mon Aug 22 21:15:33 UTC 2022 - Dirk Müller <dmueller@suse.com>
 

mosquitto.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package mosquitto
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %define c_lib   libmosquitto1
 %define cpp_lib libmosquittopp1
 Name:           mosquitto
-Version:        2.0.15
+Version:        2.0.18
 Release:        0
 Summary:        A MQTT v3.1/v3.1.1 Broker
 License:        EPL-1.0