mosquitto (1.4.15-2ubuntu0.18.04.3) bionic-security; urgency=medium * SECURITY UPDATE: DoS (client disconnect) via invalid UTF-8 strings - debian/patches/add-validate-utf8.patch: Add validate UTF-8 - debian/patches/CVE-2017-7653.patch: Add UTF-8 tests, plus some validation fixes - CVE-2017-7653 * SECURITY UPDATE: Memory leak in the Mosquitto Broker allows unauthenticated clients to send crafted CONNECT packets which could cause DoS - debian/patches/CVE-2017-7654.patch: Fix memory leak that could be caused by a malicious CONNECT packet - CVE-2017-7654 -- Eduardo Barretto Tue, 18 Jun 2019 11:42:22 -0300 mosquitto (1.4.15-2ubuntu0.18.04.2) bionic-security; urgency=medium * Fix regression in update for CVE-2018-12546. -- Roger A. Light Wed, 13 Feb 2019 00:27:01 +0000 mosquitto (1.4.15-2ubuntu0.18.04.1) bionic-security; urgency=medium * SECURITY UPDATE: If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces more stringent parsing tests on the password file data. - CVE-2018-12551 * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures that if an ACL file is defined but no rules are defined, then access will be denied. - CVE-2018-12550 * SECURITY UPDATE: If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option `check_retain_source` has been introduced to enforce checking of the retained message source on publish. - debian/patches/mosquitto-1.4.15-cve-2018-12546.patch: this patch stores the originator of the retained message, so security checking can be carried out before re-publishing. The complexity of the patch is due to the need to save this information across broker restarts. - CVE-2018-12546 -- Roger A. Light Wed, 06 Feb 2019 17:03:31 +0000 mosquitto (1.4.15-2) unstable; urgency=low * Replace mentions of 'c_rehash' with 'openssl rehash'. (Closes: #895084). -- Roger A. Light Sat, 07 Apr 2018 11:16:43 +0100 mosquitto (1.4.15-1) unstable; urgency=high * SECURITY UPDATE: If a SIGHUP is sent to the broker when there are no more file descriptors, then opening the configuration file will fail and security settings will be set back to their default values. - debian/patches/mosquitto-1.4.10_cve-2017-7652.patch: When reloading configuration, do this into a separate config struct. If nothing fails, then copy the new config over the old config. - CVE-2017-7652 * SECURITY UPDATE: Unauthenticated clients can cause excessive memory usage. This has the potential to lead to an OOM situation and the broker being killed by the system. - debian/patches/mosquitto-1.4.10_cve-2017-7652.patch: Limit the maximum size of CONNECT packet to a reasonable value, and add "memory_limit" option to set the maximum memory the broker will use. - CVE-2017-7651 * New upstream release. * Remove upstart support, which had accidently been reinstated in 1.4.14-2. * Bumped standards version to 4.1.3, no changes required. * Fix global-files-wildcard-not-first-paragraph-in-dep5-copyright. -- Roger A. Light Wed, 28 Feb 2018 11:29:47 +0000 mosquitto (1.4.14-2) unstable; urgency=low * Fix lintian error "build-depends-on-obsolete-package" * Fix lintian warning "extended-description-line-too-long" * The 1.4.14 release relaxes the restrictions on client ids, which means that the mosquitto_pub/sub autogenerated ids are no longer a problem. (closes: #870165). -- Roger A. Light Tue, 26 Dec 2017 22:03:57 +0000 mosquitto (1.4.14-1) unstable; urgency=medium * SECURITY UPDATE: Persistence file is world readable, which may expose sensitive data. Fixed by upstream release 1.4.13. - CVE-2017-9868 * New upstream release. * Remove upstart support. * Bumped standards version to 4.1.2. - Removed invoke-rc.d conditionals. - Changed "extra" priorities to "optional". * Build-Depends: Add dh-systemd, bump libwebsockets to >=2.0. * no-man-clean.patch - don't clean man pages from source directory. * async_dns.patch - enable bridge async DNS lookups. -- Roger A. Light Fri, 22 Dec 2017 07:14:19 +0000 mosquitto (1.4.12-1) experimental; urgency=low * New upstream release. -- Roger A. Light Mon, 29 May 2017 14:56:32 +0100 mosquitto (1.4.10-3) unstable; urgency=high * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id set to '+' or '#'. - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive of messages to/from clients with a '+', '#' or '/' in their username/client id. - CVE-2017-7650 * New patch debian/patches/allow_ipv6_bridges.patch allows bridges to make IPv6 connections when using TLS (closes: #857759). -- Roger A. Light Mon, 29 May 2017 13:43:29 +0100 mosquitto (1.4.10-2) unstable; urgency=medium * Bumped standards version to 3.9.8. No changes needed. * Bumped dh compat level to 10. * Vcs-* links updated. -- Roger A. Light Thu, 03 Nov 2016 22:37:33 +0000 mosquitto (1.4.10-1) unstable; urgency=low * New upstream release. * Add support for openssl 1.1.0 (closes: #828442) * Fix FTBFS on Hurd (closes: #824571) -- Roger A. Light Thu, 27 Oct 2016 14:01:40 +0100 mosquitto (1.4.8-1) unstable; urgency=high * New upstream release. * apparmor is now "suggests" instead of "depends". -- Roger A. Light Sun, 14 Feb 2016 15:06:55 +0000 mosquitto (1.4.7-1) unstable; urgency=low * New upstream release. Includes support for libwebsockets 1.6. * Add dependency link between libmosquittopp-dev and libmosquitto-dev (closes: #805506). * Dropped misc:Pre-Depends line for libmosquitto1. See #783898. * libc-ares2 Depends is handled by shlib:Depends for libmosquitto1. -- Roger A. Light Mon, 21 Dec 2015 10:59:31 +0000 mosquitto (1.4.4-1) unstable; urgency=low * New upstream release. * Fix Vcs link. * Note that libs & clients also support MQTT v3.1.1. -- Roger A. Light Mon, 21 Sep 2015 09:56:28 +0100 mosquitto (1.4.3-1) unstable; urgency=low * New upstream release. * New binary package mosquitto-dev. * python3-mosquitto and python-mosquitto packages removed because the python module is no longer part of upstream. * Remove unused patches (pynomake.patch and disable-bad-test.patch) * Added dependency on libwebsockets3, uuid. Note that the source package will build (and actually prefers) using libwebsockets4 when it becomes available. This adds the patch enable-websockets.patch. * Upstream license has changed from BSD-3 to EPL-1.0 or EDL-1.0. * Fix log directory permissions. * Port to multiarch (closes: #763385) - adds libdir.patch * Symbols update * Patch refresh * Add build-timestamp.patch to create reproducable builds. * Add support for apparmor. -- Roger A. Light Wed, 19 Aug 2015 10:31:10 +0100 mosquitto (1.3.4-2) unstable; urgency=low * Disable bad "fake ca" test. -- Roger A. Light Sat, 16 Aug 2014 10:52:12 +0100 mosquitto (1.3.4-1) unstable; urgency=medium * New upstream release: http://mosquitto.org/2014/08/version-1-3-4-released/ (closes: #725014, #754787) * Add dependency on libuuid, c-ares. * Bumped standards version to 3.9.5. No changes needed. * Example config files are now installed to /usr/share/doc/mosquitto/examples/ * debian/copyright year updated. * compiling.txt is no longer distributed. * Updated debian/copyright with new dates. -- Roger A. Light Wed, 06 Aug 2014 00:43:39 +0100 mosquitto (1.2.1-1) unstable; urgency=low * New upstream release: http://mosquitto.org/2013/09/version-1-2-1-released/ * Add Replaces/Break for libmosquitto-dev and libmosquittopp-dev (closes: #720637, #720638). -- Roger A. Light Wed, 18 Sep 2013 21:36:01 +0100 mosquitto (1.2-1) unstable; urgency=low * New upstream release: http://mosquitto.org/2013/08/version-1-2-released/ (closes: #685119). * Bumped standards release to 3.9.4. No changes needed. * Added mosquitto-dbg package for binary debug information. * Added python3-mosquitto binary package. * Use dh_python2 (and dh_python3) instead of python-support. * mosquitto now logs to /var/log/mosquitto/ using logrotate. * mosquitto local config should now be placed in /etc/mosquitto/conf.d/ -- Roger A. Light Wed, 07 Aug 2013 23:26:19 +0100 mosquitto (0.15-1) unstable; urgency=low * New upstream release: http://mosquitto.org/2012/02/version-0-15-released/ * Updated debian/copyright to latest DEP-5. * Removed now unnecessary man-hyphen-minus.patch. -- Roger A. Light Sun, 05 Feb 2012 09:30:22 +0000 mosquitto (0.12-1) unstable; urgency=low * New upstream release: http://mosquitto.org/2011/07/version-0-12-released/ -- Roger A. Light Mon, 25 Jul 2011 22:24:52 +0100 mosquitto (0.11.3-1) unstable; urgency=low * New upstream release: http://mosquitto.org/2011/07/version-0-11-3-released/ * Fix init script start action to create pidfile so stop works correctly. (thanks to Mark Hindess, closes: #632589) * Fix section for client libraries in debian/control. * Remove disable-cmake.patch, this is handled in debian/rules now. -- Roger A. Light Wed, 6 July 2011 15:07:04 +0100 mosquitto (0.10-1) unstable; urgency=low * Initial release. (Closes: #605319) -- Roger A. Light Sun, 1 May 2011 20:12:51 +0100