Accepted mosquitto 1.5.6-1 (source) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 Feb 2019 16:00:52 +0000
Source: mosquitto
Architecture: source
Version: 1.5.6-1
Distribution: unstable
Urgency: medium
Maintainer: Roger A. Light <roger@atchoo.org>
Changed-By: Roger A. Light <roger@atchoo.org>
Changes:
mosquitto (1.5.6-1) unstable; urgency=medium
.
* SECURITY UPDATE: If Mosquitto is configured to use a password file for
authentication, any malformed data in the password file will be treated as
valid. This typically means that the malformed data becomes a username and
no password. If this occurs, clients can circumvent authentication and get
access to the broker by using the malformed username. In particular, a blank
line will be treated as a valid empty username. Other security measures are
unaffected. Users who have only used the mosquitto_passwd utility to create
and modify their password files are unaffected by this vulnerability.
- debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
more stringent parsing tests on the password file data.
- CVE-2018-12551
* SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
comments, then mosquitto treats the ACL file as not being defined, which
means that no topic access is denied. Although denying access to all
topics is not a useful configuration, this behaviour is unexpected and
could lead to access being incorrectly granted in some circumstances.
- debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
that if an ACL file is defined but no rules are defined, then access will
be denied.
- CVE-2018-12550
* SECURITY UPDATE: If a client publishes a retained message to a topic that
they have access to, and then their access to that topic is revoked, the
retained message will still be delivered to future subscribers. This
behaviour may be undesirable in some applications, so a configuration
option `check_retain_source` has been introduced to enforce checking of
the retained message source on publish.
- debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
the originator of the retained message, so security checking can be
carried out before re-publishing. The complexity of the patch is due to
the need to save this information across broker restarts.
- CVE-2018-12546
* New upstream release.
* Bump standards version to 4.3.0, no changes needed.
* fix-step3.patch: fix compilation error.
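The two parsing problems described above (CVE-2018-12551 and CVE-2018-12550) can be checked for in a deployment's existing files before or after upgrading. The following is an added example, not Mosquitto's own code or the Debian patches; it assumes that password-file lines written by mosquitto_passwd have the form `user:$6$salt$hash` and treats anything else as malformed, and it treats an ACL file containing only blank lines and comments as defining no rules.

```python
import re

# Assumed line format produced by mosquitto_passwd: "user:$6$salt$hash",
# with base64 salt and hash. This is an external check, not the broker's parser.
HASH_RE = re.compile(r"^\$6\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")


def check_password_file(text):
    """Return a list of (line_number, reason) for every line that strict
    parsing should reject. An empty list means the file looks clean."""
    problems = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if line.strip() == "":
            problems.append((n, "blank line (would have become an empty username)"))
            continue
        if ":" not in line:
            problems.append((n, "no ':' separator (would have become a username with no password)"))
            continue
        user, _, pw = line.partition(":")
        if not user or any(c.isspace() for c in user):
            problems.append((n, "empty or whitespace-containing username"))
            continue
        if not HASH_RE.match(pw):
            problems.append((n, "password field is not a $6$salt$hash entry"))
    return problems


def acl_file_has_rules(text):
    """Return True only if at least one non-blank, non-comment line exists;
    an ACL file without rules must be treated as deny-all, not as undefined."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            return True
    return False


# Constructed sample input for the example, not a real deployment's files.
SAMPLE_PASSWD = "\n".join([
    "alice:$6$c2FsdA==$aGFzaA==",   # well-formed entry
    "",                             # blank line: CVE-2018-12551 case
    "bob",                          # no separator at all
    "carol:plaintext",              # not a hashed entry
    "  :$6$c2FsdA==$aGFzaA==",      # whitespace-only username
])
SAMPLE_ACL_EMPTY = "# no rules yet\n\n"
SAMPLE_ACL_OK = "user alice\ntopic read sensors/#\n"

if __name__ == "__main__":
    for n, why in check_password_file(SAMPLE_PASSWD):
        print(f"line {n}: {why}")
    print("ACL defines rules:", acl_file_has_rules(SAMPLE_ACL_OK))
```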