Format: 1.8
Date: Wed, 06 Feb 2019 17:03:31 +0000
Source: mosquitto
Binary: mosquitto mosquitto-dev libmosquitto1 libmosquitto-dev libmosquittopp1 libmosquittopp-dev mosquitto-clients mosquitto-dbg libmosquitto1-dbg libmosquittopp1-dbg
Architecture: i386
Version: 1.4.8-1ubuntu0.16.04.5
Distribution: xenial
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Roger A. Light
Description:
 libmosquitto-dev - MQTT version 3.1/3.1.1 client library, development files
 libmosquitto1 - MQTT version 3.1/3.1.1 client library
 libmosquitto1-dbg - debugging symbols for libmosquitto binaries
 libmosquittopp-dev - MQTT version 3.1 client C++ library, development files
 libmosquittopp1 - MQTT version 3.1/3.1.1 client C++ library
 libmosquittopp1-dbg - debugging symbols for libmosquittopp binaries
 mosquitto - MQTT version 3.1/3.1.1 compatible message broker
 mosquitto-clients - Mosquitto command line MQTT clients
 mosquitto-dbg - debugging symbols for mosquitto binaries
 mosquitto-dev - Development files for Mosquitto
Changes:
 mosquitto (1.4.8-1ubuntu0.16.04.5) xenial-security; urgency=medium
 .
   * SECURITY UPDATE: If Mosquitto is configured to use a password file for
     authentication, any malformed data in the password file will be treated
     as valid. This typically means that the malformed data becomes a
     username and no password. If this occurs, clients can circumvent
     authentication and get access to the broker by using the malformed
     username. In particular, a blank line will be treated as a valid empty
     username. Other security measures are unaffected. Users who have only
     used the mosquitto_passwd utility to create and modify their password
     files are unaffected by this vulnerability.
     - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix
       introduces more stringent parsing tests on the password file data.
     - CVE-2018-12551
   * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
     comments, then mosquitto treats the ACL file as not being defined, which
     means that no topic access is denied. Although denying access to all
     topics is not a useful configuration, this behaviour is unexpected and
     could lead to access being incorrectly granted in some circumstances.
     - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
       that if an ACL file is defined but no rules are defined, then access
       will be denied.
     - CVE-2018-12550
   * SECURITY UPDATE: If a client publishes a retained message to a topic
     that they have access to, and then their access to that topic is
     revoked, the retained message will still be delivered to future
     subscribers. This behaviour may be undesirable in some applications, so
     a configuration option `check_retain_source` has been introduced to
     enforce checking of the retained message source on publish.
     - debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
       the originator of the retained message, so security checking can be
       carried out before re-publishing. The complexity of the patch is due
       to the need to save this information across broker restarts.
     - CVE-2018-12546
Original-Maintainer: Roger A. Light
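
An audit for the two file conditions described in the CVE-2018-12551 and CVE-2018-12550 entries above, useful for checking a broker's files before or after applying this update. This is an added example, not part of the package or its patches; it assumes one `username:password-hash` entry per line in the password file and `#` comment lines in ACL files, and the function names and sample data are constructed for illustration.

```python
"""Audit mosquitto password and ACL files (added example, layout assumed)."""

def audit_password_file(text):
    """Return (line_no, problem) for every line that is not a well-formed
    'username:password-hash' entry (assumed layout). Per the changelog, an
    unpatched broker treats such lines as valid usernames with no password."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            findings.append((no, "blank line (treated as a valid empty username)"))
            continue
        user, sep, secret = line.partition(":")
        if not sep:
            findings.append((no, "malformed: no ':' separator, so no password"))
        elif user == "":
            findings.append((no, "malformed: empty username"))
        elif secret.strip() == "":
            findings.append((no, "malformed: username with no password"))
    return findings

def acl_defines_rules(text):
    """False when the ACL file is empty or holds only blank lines and '#'
    comments, the case an unpatched broker treats as 'no ACL file defined'."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            return True
    return False

# Constructed sample data; the hash on line 1 is a placeholder, not a real one.
SAMPLE_PASSWD = (
    "alice:$6$c2FsdA==$aGFzaA==\n"
    "\n"
    "bob\n"
    "carol:\n"
    ":orphan\n"
)
SAMPLE_ACL = "# sensors ACL\n\n# topic read sensors/#\n"

if __name__ == "__main__":
    for no, problem in audit_password_file(SAMPLE_PASSWD):
        print(f"password file line {no}: {problem}")
    if not acl_defines_rules(SAMPLE_ACL):
        print("ACL file defines no rules: unpatched brokers deny nothing")
```

Any finding from `audit_password_file` on a production file means the file was edited by something other than `mosquitto_passwd` and should be regenerated with that utility.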