Marcus Rueckert 7a6ce37c8c Accepting request 674913 from home:mnhauke
- Update to version 1.5.7
  Broker:
  - Ensure that an error occurs if `per_listener_settings true` is
    given after other security options.
  - Fix case where old unreferenced msg_store messages were being
    saved to the persistence file, bloating its size unnecessarily.
  Library:
  - Fix `mosquitto_topic_matches_sub()` not returning MOSQ_ERR_INVAL
    for invalid subscriptions like `topic/#abc`. This only affects
    the return value, not the match/no match result, which was
    already correct.

- Update to version 1.5.6
  Security:
  * Fix CVE-2018-12551 (bsc#1125021): If Mosquitto is configured to
    use a password file for authentication, any malformed data in
    the password file will be treated as valid. This typically means
    that the malformed data becomes a username and no password.
    If this occurs, clients can circumvent authentication and get
    access to the broker by using the malformed username. In
    particular, a blank line will be treated as a valid empty username.
    Other security measures are unaffected. Users who have only used
    the mosquitto_passwd utility to create and modify their password
    files are unaffected by this vulnerability.
  * Fix CVE-2018-12550 (bsc#1125021): If an ACL file is empty, or
    has only blank lines or comments, then mosquitto treats the ACL
    file as not being defined, which means that no topic access is
    denied. Although denying access to all topics is not a useful
    configuration, this behaviour is unexpected and could lead
    to access being incorrectly granted in some circumstances. This

OBS-URL: https://build.opensuse.org/request/show/674913
OBS-URL: https://build.opensuse.org/package/show/network:messaging:mqtt/mosquitto?expand=0&rev=18
2019-02-14 15:33:56 +00:00
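
The two file conditions described in the 1.5.6 security notes above can be checked before a broker loads the files. This is an added example, not code from Mosquitto or from this package: the function names and sample data are constructed, and it assumes one `username:password` entry per line and `#` as the ACL comment marker.

```python
# Constructed sample inputs (not taken from the page or from a real broker).
SAMPLE_PASSWD = (
    "alice:PLACEHOLDER_HASH\n"   # well-formed entry
    "\n"                         # blank line
    "bob\n"                      # no separator, so no password
    "carol:\n"                   # separator but empty password field
    ":PLACEHOLDER_HASH\n"        # empty username
)
SAMPLE_ACL_EMPTY = "# only a comment\n\n   \n"
SAMPLE_ACL_OK = "# sensors\nuser alice\ntopic read sensors/#\n"


def audit_password_file(text):
    """Return (line_number, reason) for each line that is not 'username:password'."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            findings.append((num, "blank line (treated as a valid empty username)"))
            continue
        username, sep, password = line.partition(":")
        if not sep:
            findings.append((num, "no ':' separator (username with no password)"))
        elif username == "":
            findings.append((num, "empty username"))
        elif password.strip() == "":
            findings.append((num, "empty password field"))
    return findings


def acl_has_rules(text):
    """True if the ACL text has at least one line that is not blank or a comment."""
    return any(
        line.strip() and not line.lstrip().startswith("#")
        for line in text.splitlines()
    )


if __name__ == "__main__":
    for num, reason in audit_password_file(SAMPLE_PASSWD):
        print(f"password file line {num}: {reason}")
    for name, acl in (("empty", SAMPLE_ACL_EMPTY), ("ok", SAMPLE_ACL_OK)):
        if not acl_has_rules(acl):
            print(f"ACL sample '{name}': no rules, affected versions deny nothing")
```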