- Update to version 1.6.12
Security:
* In some circumstances, Mosquitto could leak memory when
handling PUBLISH messages. This is limited to incoming QoS 2
messages, and is related to the combination of the broker
having persistence enabled, a clean session=false client,
which was connected prior to the broker restarting, then has
reconnected and has now sent messages at a sufficiently high
rate that the incoming queue at the broker has filled up and
hence messages are being dropped. This is more likely to have
an effect where max_queued_messages is a small value.
This has now been fixed. Closes#1793.
Broker:
* Build warning fixes when building with WITH_BRIDGE=no and
WITH_TLS=no.
Clients:
* All clients exit with an error exit code on CONNACK failure.
* Don't busy loop with `mosquitto_pub -l` on a slow connection.
OBS-URL: https://build.opensuse.org/request/show/827943
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=44
- Update to version 1.6.11
Broker:
* Fix usage message only mentioning v3.1.1.
* Fix broker refusing to start if only websockets listeners
were defined.
* Change systemd unit files to create /var/log/mosquitto before
starting.
* Don't quit with an error if opening the log file isn't
possible.
* Fix bridge topic remapping when using "" as the topic.
* Fix messages being queued for disconnected bridges when clean
start was set to true.
* Fix `autosave_interval` not being triggered by messages being
delivered.
* Fix websockets clients sometimes not being disconnected
promptly.
* Fix "slow" file based logging by switching to line based
buffering.
* Log protocol error message where appropriate from a bad
UNSUBSCRIBE, rather than the generic "socket error".
* Don't try to start DLT logging if DLT unavailable, to avoid a
long delay when shutting down the broker.
* Fix potential memory leaks.
* Fix clients not receiving messages after a previous client
with the same client ID and positive will delay interval quit.
* Fix overly broad HAVE_PTHREAD_CANCEL compile guard.
Client library:
* Improved documentation around connect callback return codes.
* Fix `mosquitto_publish*()` no longer returning
`MOSQ_ERR_NO_CONN` when not connected.
OBS-URL: https://build.opensuse.org/request/show/825827
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=42
- Update to version 1.6.10
Broker:
* Report invalid bridge prefix+pattern combinations at config
parsing time rather than letting the bridge fail later.
* Fix `mosquitto_passwd -b` not updating passwords for existing
users correctly. Creating a new user with `-b` worked without
problem.
* Fix memory leak when connecting clients rejected.
* Don't disconnect clients that are already disconnected. This
prevents the session expiry being extended on SIGHUP.
* Fix support for openssl 3.0.
* Fix check when loading persistence file of a different version
than the native version.
* Fix possible assert crash associated with bridge reconnecting
when compiled without epoll support.
Client library:
* Don't treat an unexpected PUBACK, PUBREL, or PUBCOMP as a
fatal error.
* Fix support for openssl 3.0.
* Fix memory leaks from multiple calls to
`mosquitto_lib_init()`/`mosquitto_lib_cleanup()`.
* Fix documentation on return code of `mosquitto_lib_init()`
for Windows.
Clients:
* Fix mosquitto_sub %j or %J not working on Windows.
Build:
* Various fixes for building with <C99 support.
OBS-URL: https://build.opensuse.org/request/show/808910
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=37
- Update to version 1.6.9
Broker:
* Fix session expiry with very large expiry intervals.
* Check ACL patterns for validity when loading.
* Use presence of password file as indicator for whether username
checks should take place, not whether usernames are defined in
the password file.
* Strip whitespace from end of config file string options.
* Satisfy valgrind when exiting on error due to not being able
to open a listening socket, by calling freeaddrinfo.
* Fix config->user not being freed on exit.
* Fix trailing whitespace not being trimmed on acl users.
* Fix `bind_interface` not working for the default listener.
* Improve password file parsing in the broker and mosqitto_passwd.
* Print OpenSSL errors in more situations, like when loading
certificates fails.
* Fix `mosquitto_client_protocol() returning incorrect values.
Client library:
* Set minimum keepalive argument to `mosquitto_connect*()` to be
5 seconds.
* Fix `mosquitto_topic_matches_sub()` not returning
MOSQ_ERR_INVAL if the topic contains a wildcard.
Clients:
* Fix `--remove-retained` not obeying the `-T` option for
filtering out topics.
* Default behaviour for v5 clients using `-c` is now to use
infinite length sessions, as with v3 clients.
OBS-URL: https://build.opensuse.org/request/show/780678
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=35
- Update to version 1.6.8
Broker:
* Various fixes for `allow_zero_length_clientid` config, where
this option was not being set correctly.
* Fix incorrect memory tracking causing problems with
memory_limit option.
* Fix subscription topics being limited to 200 characters instead
of 200 hierarchy levels.
* Only a single CRL could be loaded at once. This has been fixed.
* Fix problems with reloading config when `per_listener_settings`
was true.
* Fix retained messages with an expiry interval not being expired
after being restored from persistence.
* Fix messages with an expiry interval being sent without an
expiry interval property just before they were expired.
* Fix TLS Websockets clients not receiving messages after taking
over a previous connection.
* Fix MQTT 3.1.1 clients using clean session false, or MQTT 5.0
clients using session-expiry-interval set to infinity never
expiring, even when the global `persistent_client_expiration`
option was set.
Client library:
* Fix publish properties not being passed to on_message_v5
callback for QoS 2 messages.
* Fix documentation issues in mosquitto.h.
* Document `mosquitto_connect_srv()`.
Clients:
* Fix duplicate cfg definition in rr_client.
* Fix `mosquitto_pub -l` hang when stdin stream ends.
* Fix `mosquitto_pub -l` not sending the final line of stdin if
OBS-URL: https://build.opensuse.org/request/show/752489
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=30
- Update to version 1.6.7
Broker:
* Add workaround for working with libwebsockets 3.2.0.
* Fix potential crash when reloading config.
Client library:
* Don't use `/` in autogenerated client ids, to avoid confusing
with topics.
* Fix `mosquitto_max_inflight_messages_set()` and
`mosquitto_int_option(..., MOSQ_OPT_*_MAX, ...)` behaviour.
* Fix regression on use of `mosquitto_connect_async()` not working.
Clients:
* mosquitto_sub: Fix `-E` incorrectly not working unless `-d` was
also specified.
* Updated documentation around automatic client ids.
OBS-URL: https://build.opensuse.org/request/show/733245
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=28
- Update to version 1.6.0
Broker features
* Add support for MQTT v5
* Add support for OCSP stapling.
* Add support for ALPN on bridge TLS connections.
* Add support for Automotive DLT logging.
* Add TLS Engine support.
* Persistence file read/write performance improvements.
* General performance improvements.
* Add max_keepalive option, to allow a maximum keepalive value to
be set for MQTT v5 clients only.
* Add bind_interface option which allows a listener to be bound to
a specific network interface, in a similar fashion to the
bind_address option. Linux only.
* Add improved bridge restart interval based on Decorrelated Jitter.
* Add dhparamfile option, to allow DH parameters to be loaded for
Ephemeral DH support
* Disallow writing to $ topics where appropriate.
* Add explicit support for TLS v1.3.
* Drop support for TLS v1.0.
* Improved general support for broker generated client ids.
Removed libuuid dependency.
* auto_id_prefix now defaults to 'auto-'.
* QoS 1 and 2 flow control improvements.
Client library features
* Add support for MQTT v5
* Add mosquitto_subscribe_multiple() for sending subscriptions to
multiple topics in one command.
* Add TLS Engine support.
* Add explicit support for TLS v1.3.
OBS-URL: https://build.opensuse.org/request/show/695487
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=22
- Update to version 1.5.8
Broker:
* Fix clients being disconnected when ACLs are in use. This only
affects the case where a client connects using a username, and
the anonymous ACL list is defined but specific user ACLs are
not defined.
* Fix delayed bridge local subscriptions causing missing messages.
Library:
* Use higher resolution timer for random initialisation of client
id generation.
* Fix some Coverity Scan reported errors that could occur when the
library was already quitting.
OBS-URL: https://build.opensuse.org/request/show/680305
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=21
- Update to version 1.5.7
Broker:
- Ensure that an error occurs if `per_listener_settings true` is
given after other security options.
- Fix case where old unreferenced msg_store messages were being
saved to the persistence file, bloating its size unnecessarily.
Library:
- Fix `mosquitto_topic_matches_sub()` not returning MOSQ_ERR_INVAL
for invalid subscriptions like `topic/#abc`. This only affects
the return value, not the match/no match result, which was
already correct.
- Update to version 1.5.6
Security:
* Fix CVE-2018-12551 (bsc#1125021): If Mosquitto is configured to
use a password file for authentication, any malformed data in
the password file will be treated as valid. This typically means
that the malformed data becomes a username and no password.
If this occurs, clients can circumvent authentication and get
access to the broker by using the malformed username. In
particular, a blank line will be treated as a valid empty username.
Other security measures are unaffected. Users who have only used
the mosquitto_passwd utility to create and modify their password
files are unaffected by this vulnerability.
* Fix CVE-2018-12550 (bsc#1125021): If an ACL file is empty, or
has only blank lines or comments, then mosquitto treats the ACL
file as not being defined, which means that no topic access is
denied. Although denying access to all topics is not a useful
configuration, this behaviour is unexpected and could lead
to access being incorrectly granted in some circumstances. This
OBS-URL: https://build.opensuse.org/request/show/674913
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=18
- FIX CVE-2018-20145: mosquitto: ACL bypass (bnc#1119536)
- Update to version 1.5.5
Security:
* If `per_listener_settings` is set to true, then the `acl_file` setting was
ignored for the "default listener" only. This has been fixed. This does not
affect any listeners defined with the `listener` option.
Broker:
* Add `socket_domain` option to allow listeners to disable IPv6 support.
This is required to work around a problem in libwebsockets that means
sockets only listen on IPv6 by default if IPv6 support is compiled in.
* When using ADNS, don't ask for all network protocols when connecting,
because this can lead to confusing "Protocol not supported" errors if the
network is down.
* Fix outgoing retained messages not being sent by bridges on initial
connection.
* Don't reload auth_opt_ options on reload, to match the behaviour of the
other plugin options.
* Print message on error when installing/uninstalling as a Windows service.
* All non-error connect/disconnect messages are controlled by the
`connection_messages` option.
Library:
* Fix reconnect delay backoff behaviour.
* Don't call on_disconnect() twice if keepalive tests fail.
Client:
* Always print leading zeros in mosquitto_sub when output format is hex.
Build:
* Fix building where TLS-PSK is not available.
- Update to version 1.5.4
Security:
* When using a TLS enabled websockets listener with "require_certificate"
OBS-URL: https://build.opensuse.org/request/show/658974
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=17
- Update to version 1.5.3
Security:
* Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that
begins with $, but is not $SYS, then an assert that should be unreachable is
triggered and Mosquitto will exit.
Broker:
* Elevate log level to warning for situation when socket limit is hit.
* Fix retained messages not sent by bridges on outgoing topics at the first
connection.
* Fix duplicate clients being added to by_id hash before the old client was
removed.
- Update to version 1.5.2
Broker:
* Fix incorrect call to setsockopt() for TCP_NODELAY.
* Fix excessive CPU usage when the number of sockets exceeds the system limit.
* Fix round_robin false behaviour.
* Fix segfault on HUP when bridges and security options are configured.
Library:
* Fix situation where username and password is used with SOCKS5 proxy.
* Fix SOCKS5 behaviour when passing IP addresses.
OBS-URL: https://build.opensuse.org/request/show/644721
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=15
- Update to version 1.5.1
Broker:
* Fix plugin cleanup function not being called on exit of the broker.
* Print more OpenSSL errors when loading certificates/keys fail.
* Use AF_UNSPEC etc. instead of PF_UNSPEC to comply with POSIX.
* Remove use of AI_ADDRCONFIG, which means the broker can be used on systems
where only the loopback interface is defined.
* Fix IPv6 addresses not being able to be used as bridge addresses.
* All clients now time out if they exceed their keepalive*1.5, rather than
just reach it. This was inconsistent in two places.
* Fix segfault on startup if bridge CA certificates could not be read.
* Fix problem opening listeners on Pi caused by unsigned char being default.
* ACL patterns that do not contain either %c or %u now produce a warning in
the log.
* Fix bridge publishing failing when per_listener_settings was true.
* Fix `use_identity_as_username true` not working.
* Fix UNSUBACK messages not being logged.
* Fix possible endian issue when reading the `memory_limit` option.
* Fix building for libwebsockets < 1.6.
* Fix accessor functions for username and client id when used in plugin auth
check.
Library:
* Fix some places where return codes were incorrect, including to the
on_disconnect() callback. This has resulted in two new error codes,
MOSQ_ERR_KEEPALIVE and MOSQ_ERR_LOOKUP.
* Fix connection problems when mosquitto_loop_start() was called before
mosquitto_connect_async().
Clients:
OBS-URL: https://build.opensuse.org/request/show/630414
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=13
- Update to version 1.5
Security:
* Fix memory leak that could be caused by a malicious CONNECT packet. This
does not yet have a CVE assigned. Closes#533493 (on Eclipse bugtracker)
Broker features:
* Add per_listener_settings to allow authentication and access control to be
per listener.
* Add limited support for reloading listener settings. This allows settings
for an already defined listener to be reloaded, but port numbers must not be
changed.
* Add ability to deny access to SUBSCRIBE messages as well as the current
read/write accesses. Currently for auth plugins only.
* Reduce calls to malloc through the use of UHPA.
* Outgoing messages with QoS>1 are no longer retried after a timeout period.
Messages will be retried when a client reconnects. This change in behaviour
can be justified by considering when the timeout may have occurred.
+ If a connection is unreliable and has dropped, but without one end
noticing, the messages will be retried on reconnection. Sending
additional PUBLISH or PUBREL would not have changed anything.
+ If a client is overloaded/unable to respond/has a slow connection then
sending additional PUBLISH or PUBREL would not help the client catch
up. Once the backlog has cleared the client will respond. If it is not
able to catch up, sending additional duplicates would not help either.
* Add use_subject_as_username option for certificate based client
authentication to use the entire certificate subject as a username, rather
than just the CN. Closes#469467.
* Change sys tree printing output. This format shouldn't be relied upon and
may change at any time. Closes#470246.
* Minimum supported libwebsockets version is now 1.3.
OBS-URL: https://build.opensuse.org/request/show/604393
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=11
- Update to version 1.4.15
Security:
* Fix CVE-2017-7652. If a SIGHUP is sent to the broker when there are no more
file descriptors, then opening the configuration file will fail and security
settings will be set back to their default values.
* Fix CVE-2017-7651. Unauthenticated clients can cause excessive memory use by
setting "remaining length" to be a large value. This is now mitigated by
limiting the size of remaining length to valid values. A "memory_limit"
configuration option has also been added to allow the overall memory used by
the broker to be limited.
Broker:
* Use constant time memcmp for password comparisons.
* Fix incorrect PSK key being used if it had leading zeroes.
* Fix memory leak if a client provided a username/password for a listener with
use_identity_as_username configured.
* Fix use_identity_as_username not working on websockets clients.
* Don't crash if an auth plugin returns MOSQ_ERR_AUTH for a username check on
a websockets client. Closes#490.
* Fix 08-ssl-bridge.py test when using async dns lookups. Closes#507.
* Lines in the config file are no longer limited to 1024 characters long.
Closes#652.
* Fix $SYS counters of messages and bytes sent when message is sent over
a Websockets. Closes#250.
* Fix upgrade_outgoing_qos for retained message. Closes#534.
* Fix CONNACK message not being sent for unauthorised connect on websockets.
Closes#8.
Client library:
* Fix incorrect PSK key being used if it had leading zeroes.
OBS-URL: https://build.opensuse.org/request/show/581738
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=9
- Update to 1.4.13
* Security:
- Fix CVE-2017-9868. The persistence file was readable
by all local users, potentially allowing sensitive
information to be leaked.
This can also be fixed administratively, by restricting
access to the directory in which the persistence file
is stored.
* Broker:
- Fix for poor websockets performance.
- Fix lazy bridges not timing out for idle_timeout.
- Fix problems with large retained messages over websockets.
- Set persistence file to only be readable by owner,
except on Windows.
- Fix CONNECT check for reserved=0, as per MQTT v3.1.1
check MQTT-3.1.2-3.
- When the broker stop, wills for any connected clients
are now "sent".
- Auth plugins can be configured to disable the check for +# in
usernames/client ids with the auth_plugin_deny_special_chars
option. Partially closes#462.
- Restrictions for CVE-2017-7650 have been relaxed - '/' is
allowed in usernames/client ids. Remainder of fix for #462.
Clients:
- Don't use / in auto-generated client ids.
OBS-URL: https://build.opensuse.org/request/show/508416
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=2
