- Update to version 1.5
Security:
* Fix memory leak that could be caused by a malicious CONNECT packet. This
does not yet have a CVE assigned. Closes#533493 (on Eclipse bugtracker)
Broker features:
* Add per_listener_settings to allow authentication and access control to be
per listener.
* Add limited support for reloading listener settings. This allows settings
for an already defined listener to be reloaded, but port numbers must not be
changed.
* Add ability to deny access to SUBSCRIBE messages as well as the current
read/write accesses. Currently for auth plugins only.
* Reduce calls to malloc through the use of UHPA.
* Outgoing messages with QoS>1 are no longer retried after a timeout period.
Messages will be retried when a client reconnects. This change in behaviour
can be justified by considering when the timeout may have occurred.
+ If a connection is unreliable and has dropped, but without one end
noticing, the messages will be retried on reconnection. Sending
additional PUBLISH or PUBREL would not have changed anything.
+ If a client is overloaded/unable to respond/has a slow connection then
sending additional PUBLISH or PUBREL would not help the client catch
up. Once the backlog has cleared the client will respond. If it is not
able to catch up, sending additional duplicates would not help either.
* Add use_subject_as_username option for certificate based client
authentication to use the entire certificate subject as a username, rather
than just the CN. Closes#469467.
* Change sys tree printing output. This format shouldn't be relied upon and
may change at any time. Closes#470246.
* Minimum supported libwebsockets version is now 1.3.
OBS-URL: https://build.opensuse.org/request/show/604393
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=11
- Update to version 1.4.15
Security:
* Fix CVE-2017-7652. If a SIGHUP is sent to the broker when there are no more
file descriptors, then opening the configuration file will fail and security
settings will be set back to their default values.
* Fix CVE-2017-7651. Unauthenticated clients can cause excessive memory use by
setting "remaining length" to be a large value. This is now mitigated by
limiting the size of remaining length to valid values. A "memory_limit"
configuration option has also been added to allow the overall memory used by
the broker to be limited.
Broker:
* Use constant time memcmp for password comparisons.
* Fix incorrect PSK key being used if it had leading zeroes.
* Fix memory leak if a client provided a username/password for a listener with
use_identity_as_username configured.
* Fix use_identity_as_username not working on websockets clients.
* Don't crash if an auth plugin returns MOSQ_ERR_AUTH for a username check on
a websockets client. Closes#490.
* Fix 08-ssl-bridge.py test when using async dns lookups. Closes#507.
* Lines in the config file are no longer limited to 1024 characters long.
Closes#652.
* Fix $SYS counters of messages and bytes sent when message is sent over
a Websockets. Closes#250.
* Fix upgrade_outgoing_qos for retained message. Closes#534.
* Fix CONNACK message not being sent for unauthorised connect on websockets.
Closes#8.
Client library:
* Fix incorrect PSK key being used if it had leading zeroes.
OBS-URL: https://build.opensuse.org/request/show/581738
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=9
- Update to 1.4.13
* Security:
- Fix CVE-2017-9868. The persistence file was readable
by all local users, potentially allowing sensitive
information to be leaked.
This can also be fixed administratively, by restricting
access to the directory in which the persistence file
is stored.
* Broker:
- Fix for poor websockets performance.
- Fix lazy bridges not timing out for idle_timeout.
- Fix problems with large retained messages over websockets.
- Set persistence file to only be readable by owner,
except on Windows.
- Fix CONNECT check for reserved=0, as per MQTT v3.1.1
check MQTT-3.1.2-3.
- When the broker stop, wills for any connected clients
are now "sent".
- Auth plugins can be configured to disable the check for +# in
usernames/client ids with the auth_plugin_deny_special_chars
option. Partially closes#462.
- Restrictions for CVE-2017-7650 have been relaxed - '/' is
allowed in usernames/client ids. Remainder of fix for #462.
Clients:
- Don't use / in auto-generated client ids.
OBS-URL: https://build.opensuse.org/request/show/508416
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=2
