Security:
* Fix mismatched subscribe/unsubscribe with normal/shared topics.
* Fix crash on bridge using remapped topic being sent a crafted
packet.
Broker:
* Fix assert failure when loading a persistence file that
contains subscriptions with no client id.
* Fix local bridges being incorrectly expired when
persistent_client_expiration is in use.
* Fix use of CLOCK_BOOTTIME for getting time.
* Fix mismatched subscribe/unsubscribe with normal/shared topics.
* Fix crash on bridge using remapped topic being sent a crafted
packet.
Client library:
* Fix some error codes being converted to string as "unknown".
* Clear SSL error state to avoid spurious error reporting.
* Fix "payload format invalid" not being allowed as a PUBREC
reason code.
* Don't allow SUBACK with missing reason codes.
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=69
- update to 2.0.18 (bsc#1214918, CVE-2023-28366, bsc#1215865,
CVE-2023-0809, bsc#1215864, CVE-2023-3592):
* Fix crash on subscribe under certain unlikely conditions.
* Fix mosquitto_rr not honouring `-R`. Closes#2893.
* Fix `max_queued_messages 0` stopping clients from receiving
messages.
* Fix `max_inflight_messages` not being set correctly.
* Fix `mosquitto_passwd -U` backup file creation.
* CVE-2023-28366: Fix memory leak in broker when clients send
multiple QoS 2 messages with the same message ID, but then
never respond to the PUBREC commands.
* CVE-2023-0809: Fix excessive memory being allocated based on
malicious initial packets that are not CONNECT packets.
* CVE-2023-3592: Fix memory leak when clients send v5 CONNECT
packets with a will message that contains invalid property
types.
* Broker will now reject Will messages that attempt to publish
to $CONTROL/.
* Broker now validates usernames provided in a TLS certificate
or TLS-PSK identity are valid UTF-8.
* Fix potential crash when loading invalid persistence file.
* Library will no longer allow single level wildcard
certificates, e.g. *.com
* Fix $SYS messages being expired after 60 seconds and hence
unchanged values disappearing.
* Fix some retained topic memory not being cleared immediately
after used.
* Fix error handling related to the `bind_interface` option.
* Fix std* files not being redirected when daemonising, when
built with assertions removed.
OBS-URL: https://build.opensuse.org/request/show/1135794
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=63
- update to 2.0.15:
* Deleting the group configured as the anonymous group in the Dynamic Security
plugin, would leave a dangling pointer that could lead to a single crash.
This is considered a minor issue - only administrative users should have
access to dynsec, the impact on availability is one-off, and there is no
associated loss of data. It is now forbidden to delete the group configured
as the anonymous group.
* Fix memory leak when a plugin modifies the topic of a message in
MOSQ_EVT_MESSAGE.
* Fix bridge `restart_timeout` not being honoured.
* Fix potential memory leaks if a plugin modifies the message in the
MOSQ_EVT_MESSAGE event.
* Fix unused flags in CONNECT command being forced to be 0, which is not
required for MQTT v3.1. Closes#2522.
* Improve documentation of `persistent_client_expiration` option.
Closes#2404.
* Add clients to session expiry check list when restarting and reloading from
persistence. Closes#2546.
* Fix bridges not sending failure notification messages to the local broker if
the remote bridge connection fails. Closes#2467. Closes#1488.
* Fix some PUBLISH messages not being counted in $SYS stats. Closes#2448.
* Fix incorrect return code being sent in DISCONNECT when a client session is
taken over. Closes#2607.
* Fix confusing "out of memory" error when a client is kicked in the dynamic
security plugin. Closes#2525.
* Fix confusing error message when dynamic security config file was a
directory. Closes#2520.
* Fix bridge queued messages not being persisted when local_cleansession is
set to false and cleansession is set to true. Closes#2604.
* Dynamic security: Fix modifyClient and modifyGroup commands to not modify
OBS-URL: https://build.opensuse.org/request/show/998717
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=61
- Update to version 2.0.13
Broker:
* Fix `max_keepalive` option not being able to be set to 0.
* Fix LWT messages not being delivered if `per_listener_settings`
was set to true.
* Various fixes around inflight quota management.
* Fix problem parsing config files with Windows line endings.
* Don't send retained messages when a shared subscription is made
* Fix client id not showing in log on failed connections, where
possible.
* Fix broker sending duplicate CONNACK on failed MQTT v5
reauthentication.
* Fix mosquitto_plugin.h not including mosquitto_broker.h.
Client library:
* Initialise sockpairR/W to invalid in `mosquitto_reinitialise()`
to avoid closing invalid sockets in `mosquitto_destroy()` on
error.
Clients:
- Fix date format in mosquitto_sub output.
OBS-URL: https://build.opensuse.org/request/show/928017
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=59
- Update to version 2.0.12
* Includes security fixes for
CVE-2021-34434 (bsc#1190048) and CVE-2020-13849 (bsc#1190101)
Security :
* An MQTT v5 client connecting with a large number of
user-property properties could cause excessive CPU usage,
leading to a loss of performance and possible denial of
service. This has been fixed.
* Fix `max_keepalive` not applying to MQTT v3.1.1 and v3.1
connections. These clients are now rejected if their keepalive
value exceeds max_keepalive. This option allows CVE-2020-13849,
which is for the MQTT v3.1.1 protocol itself rather than an
implementation, to be addressed.
* Using certain listener related configuration options e.g.
`cafile`, that apply to the default listener without defining
any listener would cause a remotely accessible listener to be
opened that was not confined to the local machine but did have
anonymous access enabled, contrary to the documentation.
This has been fixed. Closes#2283.
* CVE-2021-34434: If a plugin had granted ACL subscription access
to a durable/non-clean-session client, then removed that
access,the client would keep its existing subscription. This
has been fixed.
* Incoming QoS 2 messages that had not completed the QoS flow
were not being checked for ACL access when a clean
session=False client was reconnecting. This has been fixed.
Broker:
* Fix possible out of bounds memory reads when reading a
corrupt/crafted configuration file. Unless your configuration
file is writable by untrusted users this is not a risk.
OBS-URL: https://build.opensuse.org/request/show/917167
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=58
- Update to version 2.0.11
Security:
* If a MQTT v5 client connects with a crafted CONNECT packet a
memory leak will occur. This has been fixed.
Broker:
* Fix possible crash having just upgraded from 1.6 if
`per_listener_settings true` is set, and a SIGHUP is sent to
the broker before a client has reconnected to the broker.
* Fix bridge not reconnectng if the first reconnection attempt
fails.
* Improve QoS 0 outgoing packet queueing.
* Fix QoS 0 messages not being queued when `queue_qos0_messages`
was enabled.
Clients:
* If sending mosquitto_sub output to a pipe, mosquitto_sub will
now detect that the pipe has closed and disconnect.
* Fix `mosquitto_pub -l` quitting if a message publication is
attempted when the broker is temporarily unavailable.
- Remove not longer needed patch:
* fix-undefined-symbols-in-plugins.patch (fixed upstream)
OBS-URL: https://build.opensuse.org/request/show/898869
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=55
- Update to version 2.0.10
Security:
* CVE-2021-28166: If an authenticated client connected with
MQTT v5 sent a malformed CONNACK message to the broker a NULL
pointer dereference occurred, most likely resulting in a
segfault. This will be updated with the CVE number when it is
assigned.
Affects versions 2.0.0 to 2.0.9 inclusive.
Broker:
* Don't over write new receive-maximum if a v5 client connects
and takes over an old session.
* Fix CVE-2021-28166. Closes#2163.
Clients:
* Set `receive-maximum` to not exceed the `-C` message count in
mosquitto_sub and mosquitto_rr, to avoid potentially lost
messages.
* Fix TLS-PSK mode not working with port 8883.
Client library:
* Fix possible socket leak. This would occur if a client was
using `mosquitto_loop_start()`, then if the connection failed
due to the remote server being inaccessible they called
`mosquitto_loop_stop(, true)` and recreated the mosquitto
object.
Build:
* A variety of minor build related fixes, like functions not
having previous declarations.
OBS-URL: https://build.opensuse.org/request/show/883684
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=53
- Build with support for tcp-wrapper (-DUSE_LIBWRAP=ON)
- Update to version 2.0.9
Security:
* If an empty or invalid CA file was provided to the client
library for verifying the remote broker, then the initialx
connection would fail but subsequent connections would succeed
without verifying the remote broker certificate.
* If an empty or invalid CA file was provided to the broker for
verifying the remote broker for an outgoing bridge connection
then the initial connection would fail but subsequent
connections would succeed without verifying the
remote broker certificate.
Broker:
* Fix encrypted bridge connections incorrectly connecting when
`bridge_cafile` is empty or invalid.
* Fix `tls_version` behaviour not matching documentation. It was
setting the exact TLS version to use, not the minimium TLS
version to use.
* Fix messages to `$` prefixed topics being rejected.
* Fix QoS 0 messages not being delivered when max_queued_bytes
was configured.
* Fix bridge increasing backoff calculation.
* Improve handling of invalid combinations of listener address
and bind interface configurations.
* Fix `max_keepalive` option not applying to clients connecting
with keepalive set to 0.
Client library:
* Fix encrypted connections incorrectly connecting when the CA
file passed to `mosquitto_tls_set()` is empty or invalid.
* Fix connections retrying very rapidly in some situations.
OBS-URL: https://build.opensuse.org/request/show/878570
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=51
pkgconfig(): libcares, libcjson, libwebsockets
- Fix linking of modules:
- Add fix-undefined-symbols-in-plugins.patch
- revert old workaround of settings -DCMAKE_SHARED_LINKER_FLAGS=
- Update mosquitto-1.6.8-config.patch:
Set a short profilename for a cleaner ps aufxZ output
- Refreshed mosquitto-1.6.8-config.patch to apply cleanly again
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=50
- Update to version 2.0.8
Broker:
* Fix incorrect datatypes in `struct mosquitto_evt_tick`. This
changes the size and offset of two of the members of this
struct, and changes the size of the struct. This is an ABI
break, but is considered to be acceptable because plugins
should never be allocating their own instance of this struct,
and currently none of the struct members are used for anything,
so a plugin should not be accessing them. It would also be
safe to read/write from the existing struct parameters.
* Give compile time warning if libwebsockets compiled without
external poll support.
Client library:
* Fix mosquitto_{pub|sub}_topic_check() functions not returning
MOSQ_ERR_INVAL on topic == NULL.
Clients:
* Fix possible loss of data in `mosquitto_pub -l` when sending
multiple long lines.
OBS-URL: https://build.opensuse.org/request/show/875783
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=49
- Update to version 2.0.7
Broker:
* Fix some minor memory leaks on exit only.
* Fix possible memory leak on connect.
* Fix openssl engine not being able to load private key.
Clients:
* Fix config files truncating options after the first space.
Build:
- Fix man page building to not absolutely require xsltproc when
using CMake.
- Update to version 2.0.6
Broker:
* Fix calculation of remaining length parameter for websockets
clients that send fragmented packets.
Broker:
* Fix potential duplicate Will messages being sent when a will
delay interval has been set.
* Fix message expiry interval property not being honoured in
`mosquitto_broker_publish` and `mosquitto_broker_publish_copy`.
* Fix websockets listeners with TLS not responding.
* Improve logging in obscure cases when a client disconnects.
* Fix reloading of listeners where multiple listeners have been
defined with the same port but different bind addresses.
* Fix `message_size_limit` not applying to the Will payload.
* The error topic-alias-invalid was being sent if an MQTT v5
client published a message with empty topic and topic alias
set, but the topic alias hadn't already been configured on
the broker. This has been fixed to send a protocol error, as
per section 3.3.4 of the specification.
* Note in the man pages that SIGHUP reloads TLS certificates.
OBS-URL: https://build.opensuse.org/request/show/870017
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=48
- Update to version 2.0.4
Broker:
* Fix $SYS/broker/publish/messages/+ counters not being updated
for QoS 1, 2 messages.
* mosquitto_connect_bind_async() and mosquitto_connect_bind_v5()
should not reset the bind address option if called with
bind_address == NULL.
* Add more log messages for dynsec load/save error conditions.
Build:
* Fix man pages not being built when using CMake.
- Update to version 2.0.3
Security:
* Running mosquitto_passwd with the following arguments only
`mosquitto_passwd -b password_file username password` would
cause the username to be used as the password.
Broker:
* Fix LWT not being sent on client takeover when the existing
session wasn't being continued.
* Fix bridges possibly not completing connections when WITH_ADNS
is in use.
* Fix QoS 0 messages not being delivered if max_queued_messages
was set to 0.
* Fix local bridges being disconnected on SIGHUP.
* Fix slow initial bridge connections for WITH_ADNS=no.
* Fix persistence_location not appending a '/'.
Clients:
* Fix mosquitto_sub being unable to terminate with Ctrl-C if a
successful connection is not made.
Apps:
* Fix `mosquitto_passwd -b` using username as password (not if
OBS-URL: https://build.opensuse.org/request/show/858370
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=47
- Update to version 2.0.2
Broker:
* Fix DH group not being set for TLS connections, which meant
ciphers using DHE couldn't be used.
* Fix websockets listeners not causing the main loop not to
wake up.
Client library:
* Fix DH group not being set for TLS connections, which meant
ciphers using DHE couldn't be used.
Apps:
* Fix "mosquitto_passwd -U"
Build:
- Fix cjson include paths.
- Fix build using WITH_TLS=no when the openssl headers aren't
available.
- Distribute cmake/ and snap/ directories in tar.
- Drop patch:
* mosquitto-fix-cmake-cjson-detection.patch
- Update to version 2.0.0
!!! Mosquitto 2.0 introduces a number of changes to the
behaviour of the broker. See the following document for details
https://mosquitto.org/documentation/migrating-to-2-0/
Noteworthy changes
* Mosquitto is now more secure by default and requires users to
take an active decision in how they configure security on
their broker, instead of possibly relying on the older very
permissive behaviour, as well as dropping privileged access
more quickly
* A new plugin interface has been introduced which goes beyond
OBS-URL: https://build.opensuse.org/request/show/855502
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=46
- Update to version 1.6.12
Security:
* In some circumstances, Mosquitto could leak memory when
handling PUBLISH messages. This is limited to incoming QoS 2
messages, and is related to the combination of the broker
having persistence enabled, a clean session=false client,
which was connected prior to the broker restarting, then has
reconnected and has now sent messages at a sufficiently high
rate that the incoming queue at the broker has filled up and
hence messages are being dropped. This is more likely to have
an effect where max_queued_messages is a small value.
This has now been fixed. Closes#1793.
Broker:
* Build warning fixes when building with WITH_BRIDGE=no and
WITH_TLS=no.
Clients:
* All clients exit with an error exit code on CONNACK failure.
* Don't busy loop with `mosquitto_pub -l` on a slow connection.
OBS-URL: https://build.opensuse.org/request/show/827943
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=44
- Update to version 1.6.11
Broker:
* Fix usage message only mentioning v3.1.1.
* Fix broker refusing to start if only websockets listeners
were defined.
* Change systemd unit files to create /var/log/mosquitto before
starting.
* Don't quit with an error if opening the log file isn't
possible.
* Fix bridge topic remapping when using "" as the topic.
* Fix messages being queued for disconnected bridges when clean
start was set to true.
* Fix `autosave_interval` not being triggered by messages being
delivered.
* Fix websockets clients sometimes not being disconnected
promptly.
* Fix "slow" file based logging by switching to line based
buffering.
* Log protocol error message where appropriate from a bad
UNSUBSCRIBE, rather than the generic "socket error".
* Don't try to start DLT logging if DLT unavailable, to avoid a
long delay when shutting down the broker.
* Fix potential memory leaks.
* Fix clients not receiving messages after a previous client
with the same client ID and positive will delay interval quit.
* Fix overly broad HAVE_PTHREAD_CANCEL compile guard.
Client library:
* Improved documentation around connect callback return codes.
* Fix `mosquitto_publish*()` no longer returning
`MOSQ_ERR_NO_CONN` when not connected.
OBS-URL: https://build.opensuse.org/request/show/825827
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=42
- Update to version 1.6.10
Broker:
* Report invalid bridge prefix+pattern combinations at config
parsing time rather than letting the bridge fail later.
* Fix `mosquitto_passwd -b` not updating passwords for existing
users correctly. Creating a new user with `-b` worked without
problem.
* Fix memory leak when connecting clients rejected.
* Don't disconnect clients that are already disconnected. This
prevents the session expiry being extended on SIGHUP.
* Fix support for openssl 3.0.
* Fix check when loading persistence file of a different version
than the native version.
* Fix possible assert crash associated with bridge reconnecting
when compiled without epoll support.
Client library:
* Don't treat an unexpected PUBACK, PUBREL, or PUBCOMP as a
fatal error.
* Fix support for openssl 3.0.
* Fix memory leaks from multiple calls to
`mosquitto_lib_init()`/`mosquitto_lib_cleanup()`.
* Fix documentation on return code of `mosquitto_lib_init()`
for Windows.
Clients:
* Fix mosquitto_sub %j or %J not working on Windows.
Build:
* Various fixes for building with <C99 support.
OBS-URL: https://build.opensuse.org/request/show/808910
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=37
- Update to version 1.6.9
Broker:
* Fix session expiry with very large expiry intervals.
* Check ACL patterns for validity when loading.
* Use presence of password file as indicator for whether username
checks should take place, not whether usernames are defined in
the password file.
* Strip whitespace from end of config file string options.
* Satisfy valgrind when exiting on error due to not being able
to open a listening socket, by calling freeaddrinfo.
* Fix config->user not being freed on exit.
* Fix trailing whitespace not being trimmed on acl users.
* Fix `bind_interface` not working for the default listener.
* Improve password file parsing in the broker and mosqitto_passwd.
* Print OpenSSL errors in more situations, like when loading
certificates fails.
* Fix `mosquitto_client_protocol() returning incorrect values.
Client library:
* Set minimum keepalive argument to `mosquitto_connect*()` to be
5 seconds.
* Fix `mosquitto_topic_matches_sub()` not returning
MOSQ_ERR_INVAL if the topic contains a wildcard.
Clients:
* Fix `--remove-retained` not obeying the `-T` option for
filtering out topics.
* Default behaviour for v5 clients using `-c` is now to use
infinite length sessions, as with v3 clients.
OBS-URL: https://build.opensuse.org/request/show/780678
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=35
- Update to version 1.6.8
Broker:
* Various fixes for `allow_zero_length_clientid` config, where
this option was not being set correctly.
* Fix incorrect memory tracking causing problems with
memory_limit option.
* Fix subscription topics being limited to 200 characters instead
of 200 hierarchy levels.
* Only a single CRL could be loaded at once. This has been fixed.
* Fix problems with reloading config when `per_listener_settings`
was true.
* Fix retained messages with an expiry interval not being expired
after being restored from persistence.
* Fix messages with an expiry interval being sent without an
expiry interval property just before they were expired.
* Fix TLS Websockets clients not receiving messages after taking
over a previous connection.
* Fix MQTT 3.1.1 clients using clean session false, or MQTT 5.0
clients using session-expiry-interval set to infinity never
expiring, even when the global `persistent_client_expiration`
option was set.
Client library:
* Fix publish properties not being passed to on_message_v5
callback for QoS 2 messages.
* Fix documentation issues in mosquitto.h.
* Document `mosquitto_connect_srv()`.
Clients:
* Fix duplicate cfg definition in rr_client.
* Fix `mosquitto_pub -l` hang when stdin stream ends.
* Fix `mosquitto_pub -l` not sending the final line of stdin if
OBS-URL: https://build.opensuse.org/request/show/752489
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=30
