mosquitto/mosquitto.changes

-------------------------------------------------------------------
Thu May  3 18:47:04 UTC 2018 - mardnh@gmx.de

- Update to version 1.5
  Security:
  * Fix memory leak that could be caused by a malicious CONNECT packet. This
    does not yet have a CVE assigned. Closes #533493 (on Eclipse bugtracker)
  
  Broker features:
  * Add per_listener_settings to allow authentication and access control to be
    per listener.
  * Add limited support for reloading listener settings. This allows settings
    for an already defined listener to be reloaded, but port numbers must not be
    changed.
  * Add ability to deny access to SUBSCRIBE messages as well as the current
    read/write accesses. Currently for auth plugins only.
  * Reduce calls to malloc through the use of UHPA.
  * Outgoing messages with QoS>1 are no longer retried after a timeout period.
    Messages will be retried when a client reconnects.  This change in behaviour
    can be justified by considering when the timeout may have occurred.
    + If a connection is unreliable and has dropped, but without one end
      noticing, the messages will be retried on reconnection. Sending
      additional PUBLISH or PUBREL would not have changed anything.
    + If a client is overloaded/unable to respond/has a slow connection then
      sending additional PUBLISH or PUBREL would not help the client catch
      up. Once the backlog has cleared the client will respond. If it is not
      able to catch up, sending additional duplicates would not help either.
  * Add use_subject_as_username option for certificate based client
    authentication to use the entire certificate subject as a username, rather
    than just the CN. Closes #469467.
  * Change sys tree printing output. This format shouldn't be relied upon and
    may change at any time. Closes #470246.
  * Minimum supported libwebsockets version is now 1.3.
  * Add systemd startup notification and services. Closes #471053.
  * Reduce unnecessary malloc and memcpy when receiving a message and storing
    it. Closes #470258.
  * Support for Windows XP has been dropped.
  * Bridge connections now default to using MQTT v3.1.1.
  * mosquitto_db_dump tool can now output some stats on clients.
  * Perform utf-8 validation on incoming will, subscription and unsubscription
    topics.
  * new $SYS/broker/store/messages/count (deprecates $SYS/broker/messages/stored)
  * new $SYS/broker/store/messages/bytes
  * max_queued_bytes feature to limit queues by real size rather than
    than just message count. Closes Eclipse #452919 or Github #100
  * Add support for bridges to be configured to only send notifications to the
    local broker.
  * Add set_tcp_nodelay option to allow Nagle's algorithm to be disabled on
    client sockets. Closes #433.
  * The behaviour of allow_anonymous has changed. In the old behaviour, the
    default if not set was to allow anonymous access. The new behaviour is to
    default is to allow anonymous access unless another security option is set.
    For example, if password_file is set and allow_anonymous is not set, then
    anonymous access will be denied. It is still possible to allow anonymous
    access by setting it explicitly.
  Broker fixes:
  * Fix UNSUBSCRIBE with no topic is accepted on MQTT 3.1.1. Closes #665.
  * Produce an error if two bridges share the same local_clientid.
  * Miscellaneous fixes on Windows.
  * queue_qos0_messages was not observing max_queued_** limits
  * When using the include_dir configuration option sort the files
    alphabetically before loading them.  Closes #17.
  * IPv6 is no longer disabled for websockets listeners.
  * Remove all build timestamp information including $SYS/broker/timestamp.
    Close #651.
  * Correctly handle incoming strings that contain a NULL byte. Closes #693.
  * Use constant time memcmp for password comparisons.
  * Fix incorrect PSK key being used if it had leading zeroes.
  * Fix memory leak if a client provided a username/password for a listener with
    use_identity_as_username configured.
  * Fix use_identity_as_username not working on websockets clients.
  * Don't crash if an auth plugin returns MOSQ_ERR_AUTH for a username check on
    a websockets client. Closes #490.
  * Fix 08-ssl-bridge.py test when using async dns lookups. Closes #507.
  * Lines in the config file are no longer limited to 1024 characters long.
    Closes #652.
  * Fix $SYS counters of messages and bytes sent when message is sent over
    a Websockets. Closes #250.
  * Fix upgrade_outgoing_qos for retained message. Closes #534.
  * Fix CONNACK message not being sent for unauthorised connect on websockets.
    Closes #8.
  * Maximum connections on Windows increased to 2048.
  * When a client with an in-use client-id connects, if the old client has a
    will, send the will message. Closes #26.
  * Fix parsing of configuration options that end with a space. Closes #804.
  
  Client library features:
  * Outgoing messages with QoS>1 are no longer retried after a timeout period.
    Messages will be retried when a client reconnects.
  * DNS-SRV support is now disabled by default.
  * Add mosquitto_subscribe_simple() This is a helper function to make
    retrieving messages from a broker very straightforward. Examples of its use
    are in examples/subscribe_simple.
  * Add mosquitto_subscribe_callback() This is a helper function to make
    processing messages from a broker very straightforward. An example of its use
    is in examples/subscribe_simple.
  * Connections now default to using MQTT v3.1.1.
  * Add mosquitto_validate_utf8() to check whether a string is valid UTF-8
    according to the UTF-8 spec and to the additional restrictions imposed by
    the MQTT spec.
  * Topic inputs are checked for UTF-8 validity.
  * Add mosquitto_userdata function to allow retrieving the client userdata
    member variable. Closes #111.
  * Add mosquitto_pub_topic_check2(), mosquitto_sub_topic_check2(), and
    mosquitto_topic_matches_sub2() which are identical to the similarly named
    functions but also take length arguments.
  * Add mosquitto_connect_with_flags_callback_set(), which allows a second
    connect callback to be used which also exposes the connect flags parameter.
    Closes #738 and #128.
  * Add MOSQ_OPT_SSL_CTX option to allow a user specified SSL_CTX to be used
    instead of the one generated by libmosquitto. This allows greater control
    over what options can be set. Closes #715.
  * Add MOSQ_OPT_SSL_CTX_WITH_DEFAULTS to work with MOSQ_OPT_SSL_CTX and have
    the default libmosquitto SSL_CTX configuration applied to the user provided
    SSL_CTX. Closes #567.
  
  Client library fixes:
  * Fix incorrect PSK key being used if it had leading zeroes.
  * Initialise "result" variable as soon as possible in
    mosquitto_topic_matches_sub. Closes #654.
  * No need to close socket again if setting non-blocking failed. Closes #649.
  * Fix mosquitto_topic_matches_sub() not correctly matching foo/bar against
    foo/+/#. Closes #670.
  * SNI host support added.

  Client features:
  * Add -F to mosquitto_sub to allow the user to choose the output format.
  * Add -U to mosquitto_sub for unsubscribing from topics.
  * Add -c (clean session) to mosquitto_pub.
  * Add --retained-only to mosquitto_sub to exit after receiving all retained
    messages.
  * Add -W to allow mosquitto_sub to stop processing incoming messages after a
    timeout.
  * Connections now default to using MQTT v3.1.1.
  * Default to using port 8883 when using TLS.
  * mosquitto_sub doesn't continue to keep connecting if CONNACK tells it the
    connection was refused.
  
  Client fixes:
  * Correctly handle empty files with "mosquitto_pub -l". Closes #676.
  
  Build:
  * Add WITH_STRIP option (defaulting to "no") that when set to "yes" will strip
    executables and shared libraries when installing.
  * Add WITH_STATIC_LIBRARIES (defaulting to "no") that when set to "yes" will
    build and install static versions of the client libraries.
  * Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636.
  * Support for openssl versions 1.0.0 and 1.0.1 has been removed as these are
    no longer supported by openssl.
  
  Documentation:
  * Replace mentions of deprecated 'c_rehash' with 'openssl rehash'.

- Remove patch:
  * mosquitto-1.4.12-use-SOURCE_DATE_EPOCH.patch (not longer needed)
- Support for tcp-wrapper is broken atm, disable for now


-------------------------------------------------------------------
Thu Mar  1 14:37:54 UTC 2018 - mardnh@gmx.de

- Update to version 1.4.15
  Security:
  * Fix CVE-2017-7652. If a SIGHUP is sent to the broker when there are no more
    file descriptors, then opening the configuration file will fail and security
    settings will be set back to their default values.
  * Fix CVE-2017-7651. Unauthenticated clients can cause excessive memory use by
    setting "remaining length" to be a large value. This is now mitigated by
    limiting the size of remaining length to valid values. A "memory_limit"
    configuration option has also been added to allow the overall memory used by
    the broker to be limited.
  
  Broker:
  * Use constant time memcmp for password comparisons.
  * Fix incorrect PSK key being used if it had leading zeroes.
  * Fix memory leak if a client provided a username/password for a listener with
    use_identity_as_username configured.
  * Fix use_identity_as_username not working on websockets clients.
  * Don't crash if an auth plugin returns MOSQ_ERR_AUTH for a username check on
    a websockets client. Closes #490.
  * Fix 08-ssl-bridge.py test when using async dns lookups. Closes #507.
  * Lines in the config file are no longer limited to 1024 characters long.
    Closes #652.
  * Fix $SYS counters of messages and bytes sent when message is sent over
    a Websockets. Closes #250.
  * Fix upgrade_outgoing_qos for retained message. Closes #534.
  * Fix CONNACK message not being sent for unauthorised connect on websockets.
    Closes #8.
  
  Client library:
  * Fix incorrect PSK key being used if it had leading zeroes.
  * Initialise "result" variable as soon as possible in
    mosquitto_topic_matches_sub. Closes #654.
  * No need to close socket again if setting non-blocking failed. Closes #649.
  * Fix mosquitto_topic_matches_sub() not correctly matching foo/bar against
    foo/+/#. Closes #670.
  
  Clients:
  * Correctly handle empty files with "mosquitto_pub -l". Closes #676.
  
  Build:
  * Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636.
-------------------------------------------------------------------
Mon Oct  2 10:57:39 UTC 2017 - mardnh@gmx.de

- Update to 1.4.14
  * Broker:
   -  Fix regression from 1.4.13 where persistence data was not
      being saved.

-------------------------------------------------------------------
Thu Sep  7 12:13:21 UTC 2017 - jengelh@inai.de

- Fix incorrect RPM groups.
- Remove repeated license declaration from description.
  Trim package descriptions for size.
- Errors from user creation must not be ignored.

-------------------------------------------------------------------
Fri Jul  7 18:33:53 UTC 2017 - antoine.belvire@opensuse.org

- Add mosquitto-1.4.12-use-SOURCE_DATE_EPOCH.patch: Determine build
  timestamp from latest revision of .changes file in order to make
  the build reproducible and avoid useless republishing.

-------------------------------------------------------------------
Wed Jul  5 20:35:17 UTC 2017 - mardnh@gmx.de

- Update to 1.4.13
  * Security:
    - Fix CVE-2017-9868. The persistence file was readable
      by all local users, potentially allowing sensitive
      information to be leaked.
      This can also be fixed administratively, by restricting
      access to the directory in which the persistence file
      is stored.
  
  * Broker:
    - Fix for poor websockets performance.
    - Fix lazy bridges not timing out for idle_timeout.
    - Fix problems with large retained messages over websockets.
    - Set persistence file to only be readable by owner,
      except on Windows.
    - Fix CONNECT check for reserved=0, as per MQTT v3.1.1
      check MQTT-3.1.2-3.
    - When the broker stop, wills for any connected clients
      are now "sent".
    - Auth plugins can be configured to disable the check for +# in
      usernames/client ids with the auth_plugin_deny_special_chars
      option.  Partially closes #462.
    - Restrictions for CVE-2017-7650 have been relaxed - '/' is
      allowed in usernames/client ids. Remainder of fix for #462.
  
  Clients:
    - Don't use / in auto-generated client ids.

-------------------------------------------------------------------
Mon May 29 20:19:58 UTC 2017 - mardnh@gmx.de

- Update to 1.4.12
  * Security:
    - Fix CVE-2017-7650, which allows clients with username or
      client id set to '#' or '+' to bypass pattern based ACLs or
      third party plugins. The fix denies message sending or
      receiving of messages for clients with a '#' or '+' in their
      username or client id and if the message is subject to a
      pattern ACL check or plugin check.
  * Broker:
    - Fix mosquitto.db from becoming corrupted due to client
      messages being
      persisted with no stored message. Closes #424.
    - Fix bridge not restarting properly. Closes #428.
    - Fix unitialized memory in gets_quiet on Windows. Closes #426.
    - Fix building with WITH_ADNS=no for systems that don't use
      glibc. Closes #415.
    - Fixes to readme.md.
    - Fix deprecation warning for OpenSSL 1.1. PR #416.
    - Don't segfault on duplicate bridge names. Closes #446.
    - Fix CVE-2017-7650.

-------------------------------------------------------------------
Sun Mar 19 20:27:12 UTC 2017 - mrueckert@suse.de

- update to 1.4.11
  - Broker:
    - Fix crash when "lazy" type bridge attempts to reconnect.
      Closes #259.
    - maximum_connections now applies to websockets listeners.
      Closes #271.
    - Allow bridges to use TLS with IPv6.
    - Don't error on zero length persistence files. Closes #316.
    - For http only websockets clients, close files served over
      http in all cases when the client disconnects. Closes #354.
    - Fix error message when websockets http_dir directory does not
      exist.
    - Improve password utility error message. Closes #379.
  - Clients:
    - Use of --ciphers no longer requires you to also pass
      --tls-version.  Closes #380.
  - Client library:
    - Clients can now use TLS with IPv6.
    - Fix potential socket leakage when reconnecting. Closes #304.
    - Fix potential negative timeout being passed to pselect.
      Closes #329.
- update 1.4.10
  - Broker:
    - Fix TLS operation with websockets listeners and libwebsockts
      2.x. Closes #186.
    - Don't disconnect client on HUP before reading the pending
      data. Closes #7.
    - Fix some $SYS messages being incorrectly persisted. Closes
      #191.
    - Support OpenSSL 1.1.0.
    - Call fsync after persisting data to ensure it is correctly
      written. Closes #189.
    - Fix persistence saving of subscription QoS on big-endian
      machines.
    - Fix will retained flag handling on Windows. Closes #222.
    - Broker now displays an error if it is unable to open the log
      file. Closes #234.
  - Client library:
    - Support OpenSSL 1.1.0.
    - Fixed the C++ library not allowing SOCKS support to be used.
      Closes #198.
    - Fix memory leak when verifying a server certificate with a
      subjectAltName section. Closes #237.
  - Build:
    - Don't attempt to install docs when WITH_DOCS=no. Closes #184.

-------------------------------------------------------------------
Tue Jun 28 00:28:53 UTC 2016 - mrueckert@suse.de

- update to 1.4.9
  - Broker:
    - Ensure websockets clients that previously connected with
      clean session set to false have their queued messages
      delivered immediately on reconnecting.  Closes #476314.
    - Reconnecting client with clean session set to false doesn't
      start with mid=1 again.
    - Will topic isn't truncated by one byte when using a
      mount_point any more.
    - Network errors are printed correctly on Windows.
    - Fix incorrect $SYS heap memory reporting when using ACLs.
    - Bridge config parameters couldn't contain a space, this has
      been fixed.  Closes #150.
    - Fix saving of persistence messages that start with a '/'.
      Closes #151.
    - Fix reconnecting for bridges that use TLS on Windows. Closes
      #154.
    - Broker and bridges can now cope with unknown incoming PUBACK,
      PUBREC, PUBREL, PUBCOMP without disconnecting. Closes #57.
    - Fix websockets listeners not being able to bind to an IP
      address. Closes #170.
    - mosquitto_passwd utility now correctly deals with unknown
      command line arguments in all cases. Closes #169.
    - Fix publishing of $SYS/broker/clients/maximum
    - Fix order of #includes in lib/send_mosq.c to ensure struct
      mosquitto doesn't differ between source files when websockets
      is being used. Closes #180.
    - Fix possible rare crash when writing out persistence file and
      a client has incomplete messages inflight that it has been
      denied the right to publish.
  - Client library:
    - Fix the case where a message received just before the
      keepalive timer expired would cause the client to miss the
      keepalive timer.
    - Return value of pthread_create is now checked.
    - _mosquitto_destroy should not cancel threads that weren't
      created by libmosquitto. Closes #166.
    - Clients can now cope with unknown incoming PUBACK, PUBREC,
      PUBREL, PUBCOMP without disconnecting. Closes #57.
    - Fix mosquitto_topic_matches_sub() reporting matches on some
      invalid subscriptions.
  - Clients:
    - Handle some unchecked malloc() calls. Closes #1.
  - Build:
    - Fix string quoting in CMakeLists.txt. Closes #4.
    - Fix building on Visual Studio 2015. Closes #136.

-------------------------------------------------------------------
Mon Mar 28 01:26:44 UTC 2016 - mrueckert@suse.de

- update to 1.4.8
  - Broker:
    - Wills published by clients connected to a listener with
      mount_point defined now correctly obey the mount point. This
      was a potential security risk because it allowed clients to
      publish messages outside of their restricted mount point.
      This is only affects brokers where the mount_point option is
      in use. Closes #487178.
    - Fix detection of broken connections on Windows.
      Closes #485143.
    - Close stdin etc. when daemonised. Closes #485589.
    - Fix incorrect detection of FreeBSD and OpenBSD.
      Closes #485131.
  - Client library:
    - mosq->want_write should be cleared immediately before a call
      to SSL_write, to allow clients using mosquitto_want_write()
      to get accurate results.

-------------------------------------------------------------------
Thu Feb 11 01:00:18 UTC 2016 - mrueckert@suse.de

- update to 1.4.7
  - Broker:
    - Fix support for libwebsockets 1.22.
- changes from 1.4.6
  - Broker:
    - Add support for libwebsockets 1.6.
  - Client library:
    - Fix _mosquitto_socketpair() on Windows, reducing the chance
      of delays when publishing. Closes #483979.
  - Clients:
    - Fix "mosquitto_pub -l" stripping the final character on a
      line. Closes #483981.

-------------------------------------------------------------------
Wed Dec  9 17:11:00 UTC 2015 - mrueckert@suse.de

- enable websocket supports

-------------------------------------------------------------------
Wed Dec  9 17:00:02 UTC 2015 - mrueckert@suse.de

- enabled tcp wrapper support

-------------------------------------------------------------------
Wed Dec  9 16:04:49 UTC 2015 - mrueckert@suse.de

- pass the config file in the service file. it does not load it
  otherwise.

-------------------------------------------------------------------
Mon Dec  7 17:05:42 UTC 2015 - mrueckert@suse.de

- update to 1.4.5
  - Broker
    - Fix possible memory leak if bridge using SSL attempts to
      connect to a host that is not up.
    - Free unused topic tree elements (fix in 1.4.3 was
      incomplete). Closes #468987.
  - Clients
    - “mosquitto_pub -l” now no longer limited to 1024 byte lines.
      Closes #478917.

-------------------------------------------------------------------
Fri Nov  6 22:46:19 UTC 2015 - mrueckert@suse.de

- update to 1.4.4
  - Broker:
    - Don't leak sockets when outgoing bridge with multiple
      addresses cannot connect. Closes #477571.
    - Fix cross compiling of websockets. Closes #475807.
    - Fix memory free related crashes on openwrt. Closes #475707.
    - Fix excessive calls to message retry check.

-------------------------------------------------------------------
Thu Sep 10 15:21:38 UTC 2015 - mrueckert@suse.de

- update to 1.4.3
  - Broker
    - Fix incorrect bridge notification on initial connection.
      Closes #467096.
    - Build fixes for OpenBSD.
    - Fix incorrect behaviour for autosave_interval, most noticable
      for autosave_interval=1. Closes #465438.
    - Fix handling of outgoing QoS>0 messages for bridges that
      could not be sent because the bridge connection was down.
    - Free unused topic tree elements. Closes #468987.
    - Fix some potential memory leaks. Closes #470253.
    - Fix potential crash on libwebsockets error.
  - Client library
    - Add missing error strings to mosquitto_strerror.
    - Handle fragmented TLS packets without a delay. Closes
      #470660.
    - Fix incorrect loop timeout being chosen when using threaded
    - interface and keepalive = 0. Closes #471334.
    - Increment inflight messages count correctly. Closes #474935.
  - Clients
    - Report error string on connection failure rather than error
      code.

-------------------------------------------------------------------
Fri May  8 14:59:17 UTC 2015 - mrueckert@suse.de

- update to 1.4.2
  Broker:
  - Fix bridge prefixes only working for the first outgoing
    message. Closes #464437.
  - Fix incorrect bridge connection notifications on local broker.
  - Fix persistent db writing on Windows. Closes #464779.
  - ACLs are now checked before sending a will message.
  - Fix possible crash when using bridges on Windows. Closes
    #465384.
  - Fix parsing of auth_opt_ arguments with extra spaces/tabs.
  - Broker will return CONNACK rc=5 when a username/password is not
    authorised.  This was being incorrectly set as rc=4.
  - Fix handling of payload lengths>4096 with websockets.
  Client library:
  - Inflight message count wasn't being decreased for outgoing
    messages using QoS 2, meaning that only up to 20 QoS 2 messages
    could be sent. This has been fixed. Closes #464436.
  - Fix CMake dependencies for C++ wrapper building. Closes
    #463884.
  - Fix possibility of select() being called with a socket that is
    >FD_SETSIZE.  This is a fix for #464632 that will be followed
    >up by removing the select() call in a future version.
  - Fix calls to mosquitto_connect*_async() not completing.

-------------------------------------------------------------------
Fri May  1 22:28:20 UTC 2015 - mrueckert@suse.de

- added mosquitto-1.4.1_apparmor.patch to make the profile work in
  newer apparmor

-------------------------------------------------------------------
Fri May  1 22:06:15 UTC 2015 - mrueckert@suse.de

- merge a few things from the other packages
  - create dir structure in the config dir + readmes
  - splitout the client
  - provide the splitted devel package names
  - install the apparmor profile
  - install firewall config

-------------------------------------------------------------------
Fri May  1 20:34:01 UTC 2015 - mrueckert@suse.de

- initial package