UbuntuUpdates.org

Package "mosquitto"

Name: mosquitto

Description:

MQTT version 3.1/3.1.1 compatible message broker

Latest version: 1.4.8-1ubuntu0.16.04.7
Release: xenial (16.04)
Level: security
Repository: universe
Homepage: http://mosquitto.org/

Other versions of "mosquitto" in Xenial

Repository Area Version
base universe 1.4.8-1build1
updates universe 1.4.8-1ubuntu0.16.04.7

Changelog

Version: 1.4.8-1ubuntu0.16.04.2 2017-08-04 02:06:44 UTC

  mosquitto (1.4.8-1ubuntu0.16.04.2) xenial-security; urgency=low

  * SECURITY UPDATE: Persistence file is world readable, which may expose
    sensitive data (LP: #1700490).
    - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to
      restrict persistence file read access to owner.
    - CVE-2017-9868

 -- <email address hidden> (Roger A. Light) Mon, 26 Jun 2017 09:31:02 +0100

1700490 Persistence file is world readable
CVE-2017-9868 In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic infor

Version: 1.4.8-1ubuntu0.16.04.1 2017-05-31 08:06:38 UTC

  mosquitto (1.4.8-1ubuntu0.16.04.1) xenial-security; urgency=low

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-1.4.8_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- <email address hidden> (Roger A. Light) Tue, 23 May 2017 22:14:40 +0100

1692818 Mosquitto pattern ACLs can be circumvented with special client ids or usernames


