mosquitto 1.4.8-1ubuntu0.16.04.5 source package in Ubuntu

Changelog

mosquitto (1.4.8-1ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: If Mosquitto is configured to use a password file for
    authentication, any malformed data in the password file will be treated as
    valid. This typically means that the malformed data becomes a username and
    no password. If this occurs, clients can circumvent authentication and get
    access to the broker by using the malformed username. In particular, a blank
    line will be treated as a valid empty username. Other security measures are
    unaffected. Users who have only used the mosquitto_passwd utility to create
    and modify their password files are unaffected by this vulnerability.
    - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
      more stringent parsing tests on the password file data.
    - CVE-2018-12551
  * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
    comments, then mosquitto treats the ACL file as not being defined, which
    means that no topic access is denied. Although denying access to all
    topics is not a useful configuration, this behaviour is unexpected and
    could lead to access being incorrectly granted in some circumstances.
    - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
      that if an ACL file is defined but no rules are defined, then access will
      be denied.
    - CVE-2018-12550
  * SECURITY UPDATE: If a client publishes a retained message to a topic that
    they have access to, and then their access to that topic is revoked, the
    retained message will still be delivered to future subscribers. This
    behaviour may be undesirable in some applications, so a configuration
    option `check_retain_source` has been introduced to enforce checking of
    the retained message source on publish.
    - debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
      the originator of the retained message, so security checking can be
      carried out before re-publishing. The complexity of the patch is due to
      the need to save this information across broker restarts.
    - CVE-2018-12546

 -- <email address hidden> (Roger A. Light)  Wed, 06 Feb 2019 17:03:31 +0000
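
The first two changelog entries describe file conditions an administrator can check for directly. The following is an added example, not code from Mosquitto or the Ubuntu patches: it flags password-file lines that are not `username:password-field` and counts the rules in an ACL file. The function names, the sample data, and the assumed formats (one password entry per line; ACL rules beginning with `topic` or `pattern`) are this example's own.

```python
# Added example: audit Mosquitto password and ACL files for the conditions
# described in the changelog above. Not code from Mosquitto or Ubuntu.
# Assumed formats: password file has one "username:password-field" per line;
# ACL rules are lines starting with "topic" or "pattern", "#" starts a comment.

def audit_password_lines(lines):
    """Return (line_number, reason) for every line that is not user:secret."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            findings.append((number, "blank line"))
            continue
        user, sep, secret = line.partition(":")
        if not sep:
            findings.append((number, "no ':' separator"))
        elif not user.strip():
            findings.append((number, "empty username"))
        elif not secret.strip():
            findings.append((number, "empty password field"))
    return findings

def acl_rule_count(lines):
    """Count lines that define a topic or pattern rule (comments never match)."""
    count = 0
    for raw in lines:
        fields = raw.split()
        if fields and fields[0] in ("topic", "pattern"):
            count += 1
    return count

# Constructed sample data (hash values are placeholders, not real hashes).
SAMPLE_PASSWD = [
    "sensor1:$6$PLACEHOLDERSALT$PLACEHOLDERHASH\n",
    "\n",
    "gateway\n",
    "operator:\n",
    ":$6$PLACEHOLDERSALT$PLACEHOLDERHASH\n",
]
SAMPLE_ACL_EMPTY = ["# sensors only\n", "\n", "   \n"]
SAMPLE_ACL_OK = ["user sensor1\n", "topic read sensors/#\n"]

if __name__ == "__main__":
    for number, reason in audit_password_lines(SAMPLE_PASSWD):
        print(f"password file line {number}: {reason}")
    for name, acl in (("empty", SAMPLE_ACL_EMPTY), ("ok", SAMPLE_ACL_OK)):
        print(f"ACL sample {name}: {acl_rule_count(acl)} rule(s)")
```

Any finding from `audit_password_lines`, or a rule count of zero for a configured ACL file, corresponds to a condition the unpatched broker handled permissively.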

Upload details

Uploaded by: Roger Light
Sponsored by: Eduardo Barretto
Uploaded to: Xenial
Original maintainer: Ubuntu Developers
Architectures: any all
Section: net
Urgency: Medium Urgency


Downloads

File Size SHA-256 Checksum
mosquitto_1.4.8.orig.tar.gz 318.5 KiB d96eb5610e57cc3e273f4527d3f54358ab7711459941a9e64bc4d0a85c2acfda
mosquitto_1.4.8-1ubuntu0.16.04.5.debian.tar.xz 33.9 KiB 4c31fcfd9e06e47562ba6f3124cecff33899cf1fddeb732483667dc5528eb7ae
mosquitto_1.4.8-1ubuntu0.16.04.5.dsc 2.6 KiB daaf18119170a740d4d8400c908454039f86ed0164dfab2a9df33476dca2fb32


Binary packages built by this source

libmosquitto-dev: MQTT version 3.1/3.1.1 client library, development files

 This is the header and man page for the libmosquitto1 C library, which is a
 library for implementing MQTT version 3.1/3.1.1 clients. This package is needed to do
 development with libmosquitto1.

libmosquitto-dev-dbgsym: debug symbols for package libmosquitto-dev

 This is the header and man page for the libmosquitto1 C library, which is a
 library for implementing MQTT version 3.1/3.1.1 clients. This package is needed to do
 development with libmosquitto1.

libmosquitto1: MQTT version 3.1/3.1.1 client library

 This is a C library for implementing MQTT version 3.1/3.1.1 clients.
 .
 MQTT provides a method of carrying out messaging using a publish/subscribe
 model. It is lightweight, both in terms of bandwidth usage and ease of
 implementation. This makes it particularly useful at the edge of the network
 where a sensor or other simple device may be implemented using an arduino for
 example.

libmosquitto1-dbg: debugging symbols for libmosquitto binaries

 This package contains debugging files used to investigate problems with
 the binaries provided by the libmosquitto1 package.

libmosquitto1-dbgsym: debug symbols for package libmosquitto1

 This is a C library for implementing MQTT version 3.1/3.1.1 clients.
 .
 MQTT provides a method of carrying out messaging using a publish/subscribe
 model. It is lightweight, both in terms of bandwidth usage and ease of
 implementation. This makes it particularly useful at the edge of the network
 where a sensor or other simple device may be implemented using an arduino for
 example.

libmosquittopp-dev: MQTT version 3.1 client C++ library, development files

 This is the header and man page for the libmosquittopp1 C++ library, which is
 a library for implementing MQTT version 3.1 clients. This package is needed to
 do development with libmosquittopp1.

libmosquittopp-dev-dbgsym: debug symbols for package libmosquittopp-dev

 This is the header and man page for the libmosquittopp1 C++ library, which is
 a library for implementing MQTT version 3.1 clients. This package is needed to
 do development with libmosquittopp1.

libmosquittopp1: MQTT version 3.1/3.1.1 client C++ library

 This is a C++ library for implementing MQTT version 3.1/3.1.1 clients.
 .
 MQTT provides a method of carrying out messaging using a publish/subscribe
 model. It is lightweight, both in terms of bandwidth usage and ease of
 implementation. This makes it particularly useful at the edge of the network
 where a sensor or other simple device may be implemented using an arduino for
 example.

libmosquittopp1-dbg: debugging symbols for libmosquittopp binaries

 This package contains debugging files used to investigate problems with
 the binaries provided by the libmosquittopp1 package.

libmosquittopp1-dbgsym: debug symbols for package libmosquittopp1

 This is a C++ library for implementing MQTT version 3.1/3.1.1 clients.
 .
 MQTT provides a method of carrying out messaging using a publish/subscribe
 model. It is lightweight, both in terms of bandwidth usage and ease of
 implementation. This makes it particularly useful at the edge of the network
 where a sensor or other simple device may be implemented using an arduino for
 example.

mosquitto: MQTT version 3.1/3.1.1 compatible message broker

 This is a message broker that supports version 3.1 and 3.1.1 of the MQTT
 protocol.
 .
 MQTT provides a method of carrying out messaging using a publish/subscribe
 model. It is lightweight, both in terms of bandwidth usage and ease of
 implementation. This makes it particularly useful at the edge of the network
 where a sensor or other simple device may be implemented using an arduino for
 example.

mosquitto-clients: Mosquitto command line MQTT clients

 This is two MQTT version 3.1/3.1.1 command line clients. mosquitto_pub can be
 used to publish messages to a broker and mosquitto_sub can be used to
 subscribe to a topic to receive messages.
 .
 MQTT provides a method of carrying out messaging using a publish/subscribe
 model. It is lightweight, both in terms of bandwidth usage and ease of
 implementation. This makes it particularly useful at the edge of the network
 where a sensor or other simple device may be implemented using an arduino for
 example.

mosquitto-clients-dbgsym: debug symbols for package mosquitto-clients

 This is two MQTT version 3.1/3.1.1 command line clients. mosquitto_pub can be
 used to publish messages to a broker and mosquitto_sub can be used to
 subscribe to a topic to receive messages.
 .
 MQTT provides a method of carrying out messaging using a publish/subscribe
 model. It is lightweight, both in terms of bandwidth usage and ease of
 implementation. This makes it particularly useful at the edge of the network
 where a sensor or other simple device may be implemented using an arduino for
 example.

mosquitto-dbg: debugging symbols for mosquitto binaries

 This package contains debugging files used to investigate problems with
 the binaries provided by the packages mosquitto, mosquitto-clients,
 libmosquitto1 and libmosquittopp1.

mosquitto-dbgsym: debug symbols for package mosquitto

 This is a message broker that supports version 3.1 and 3.1.1 of the MQTT
 protocol.
 .
 MQTT provides a method of carrying out messaging using a publish/subscribe
 model. It is lightweight, both in terms of bandwidth usage and ease of
 implementation. This makes it particularly useful at the edge of the network
 where a sensor or other simple device may be implemented using an arduino for
 example.

mosquitto-dev: Development files for Mosquitto

 Mosquitto is a message broker that supports the MQTT protocol.
 .
 This package contains the include files used if you wish to compile a package
 which requires Mosquitto's source file headers.