-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Feb 2019 17:03:31 +0000
Source: mosquitto
Binary: mosquitto mosquitto-dev libmosquitto1 libmosquitto-dev libmosquittopp1 libmosquittopp-dev mosquitto-clients mosquitto-dbg libmosquitto1-dbg libmosquittopp1-dbg
Architecture: source
Version: 1.4.10-3+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Roger A. Light <roger@atchoo.org>
Changed-By: Roger A. Light <roger@atchoo.org>
Description:
 libmosquitto-dev - MQTT version 3.1/3.1.1 client library, development files
 libmosquitto1 - MQTT version 3.1/3.1.1 client library
 libmosquitto1-dbg - debugging symbols for libmosquitto binaries
 libmosquittopp-dev - MQTT version 3.1 client C++ library, development files
 libmosquittopp1 - MQTT version 3.1/3.1.1 client C++ library
 libmosquittopp1-dbg - debugging symbols for libmosquittopp binaries
 mosquitto  - MQTT version 3.1/3.1.1 compatible message broker
 mosquitto-clients - Mosquitto command line MQTT clients
 mosquitto-dbg - debugging symbols for mosquitto binaries
 mosquitto-dev - Development files for Mosquitto
Changes:
 mosquitto (1.4.10-3+deb9u3) stretch-security; urgency=high
 .
   * SECURITY UPDATE: If Mosquitto is configured to use a password file for
     authentication, any malformed data in the password file will be treated
     as valid. This typically means that the malformed data becomes a
     username and no password. If this occurs, clients can circumvent
     authentication and get access to the broker by using the malformed
     username. In particular, a blank line will be treated as a valid empty
     username. Other security measures are unaffected. Users who have only
     used the mosquitto_passwd utility to create and modify their password
     files are unaffected by this vulnerability.
     - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix
       introduces more stringent parsing tests on the password file data.
     - CVE-2018-12551
   * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
     comments, then mosquitto treats the ACL file as not being defined, which
     means that no topic access is denied. Although denying access to all
     topics is not a useful configuration, this behaviour is unexpected and
     could lead to access being incorrectly granted in some circumstances.
     - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
       that if an ACL file is defined but no rules are defined, then access
       will be denied.
     - CVE-2018-12550
   * SECURITY UPDATE: If a client publishes a retained message to a topic
     that they have access to, and then their access to that topic is
     revoked, the retained message will still be delivered to future
     subscribers. This behaviour may be undesirable in some applications, so
     a configuration option `check_retain_source` has been introduced to
     enforce checking of the retained message source on publish.
     - debian/patches/mosquitto-1.4.9-1.4.14-cve-2018-12546.patch: this
       patch stores the originator of the retained message, so security
       checking can be carried out before re-publishing. The complexity of
       the patch is due to the need to save this information across broker
       restarts.
     - CVE-2018-12546
Checksums-Sha1:
 b135c36b2f205dfc13983debbee0a8eadbfeb38f 2698 mosquitto_1.4.10-3+deb9u3.dsc
 73a54aa69f6f21bb879fc2a7be7eb326dfd5fb1c 37312 mosquitto_1.4.10-3+deb9u3.debian.tar.xz
Checksums-Sha256:
 0151a72c2b2df01b73b2eef3666768508189584d04ff00773f8fb5f52b9df743 2698 mosquitto_1.4.10-3+deb9u3.dsc
 d5fecc9ed78a2eb208156dfdf67d889bc9317adf0c46059598da2bc43a2ebd95 37312 mosquitto_1.4.10-3+deb9u3.debian.tar.xz
Files:
 f921224fca6839ded6eb5ad2954e0bc8 2698 net optional mosquitto_1.4.10-3+deb9u3.dsc
 398606ce67a94057b2ba587dadd8f11d 37312 net optional mosquitto_1.4.10-3+deb9u3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlxdgMZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EpXUP/ieywU4Afio4+FdRG+rgx73b9ahZCZPN
OvN2c2twYjqZnt/o5n85aZEnnhaohS1cpl7kiBVKOIBKtqDnF3vNejtoxOyZwwWQ
gv7zQyldEdTd5LlJQQ9Anw6vJVUqYNXqewbULS12+HTyX3+JyqTcI9XCT/g1wX9c
8cp3T77Tz0U6C8KAhhPxNTUSpT/QEwawe+DAIjwPcB6eLuxf3zlipkuFJpuMkBPY
sWd3A7jqKpkFXM0D0c1oE+0cyMVzwXYheosiRH0pqZamVUA080qDQPcAAukjMuks
G3G/HNeFgZbYQb3gksO/shZnU2OAo6i3+HHDdXZKvjBQk8qpgTDJwIpRE7o5phes
fb2YM1R7pZk23sgRcs0hW0Xx/zO7pb/ly7Y3kc1XXGd/bz5PJQdeCY1mqe5W9+on
k2bjp0ZFGmIox7YliSefC2yQOgXShvANLXp6FbN3EqChUNhwUFOeBX/zzF0vLQ4q
pTcbhcpbe1Xihfy0XB4D14Mx4DZHVNB2SEQBaCmplaC067lnDtDLsl5zpCoA6w8F
OBYcPl/fTYXGYnuopMrX1tHqoTwKvrzTx0Jx/gHv+I0EqNmQrVNCDlmNl/TYgGCb
wUDGY7ucCuglU9Ac1W5Xw52YFh05/0C696aypgK5IhK3HMVRNmvESINYiawzQVZi
veQcf4I3BDqb
=UlO+
-----END PGP SIGNATURE-----
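The two file-parsing problems described in the changelog above (the password file entry for CVE-2018-12551 and the ACL file entry for CVE-2018-12550) are worth checking for in an existing deployment, before or after the upgrade. The script below is an added example, not code from Mosquitto or from this Debian package. It assumes the line format mosquitto_passwd writes, `<user>:$6$<base64 salt>$<base64 hash>`, and make_entry (used only to build a constructed sample file) assumes Mosquitto 1.4's hash construction of SHA-512 over the password bytes followed by the raw salt bytes. Every password-file line it flags is one the changelog says a broker without the fix would accept as a username with no password (a blank line as the empty username); an ACL file it reports as effectively empty is one the pre-fix broker treats as undefined.

```python
"""Audit checks for CVE-2018-12551 (malformed password-file lines became
passwordless users) and CVE-2018-12550 (an ACL file with no rules was
treated as no ACL file). Added example; not Mosquitto's own code."""
import base64
import binascii
import hashlib
import re
import sys
from typing import Dict, List, Tuple

# Assumption: a well-formed password-file line is exactly what mosquitto_passwd
# writes, "<user>:$6$<base64 salt>$<base64 hash>", with no surrounding spaces.
_B64 = r"[A-Za-z0-9+/]+={0,2}"
PW_LINE = re.compile(rf"^([^:\s]+):\$6\$({_B64})\$({_B64})$")


def make_entry(user: str, password: str, salt: bytes) -> str:
    """Build one line in mosquitto_passwd's format for the constructed sample.
    Assumption (Mosquitto 1.4 behaviour, not stated on this page): the hash is
    SHA-512 over the password bytes followed by the raw salt bytes."""
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "%s:$6$%s$%s" % (user, base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


def _is_b64(field: str) -> bool:
    try:
        base64.b64decode(field, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def audit_password_file(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every line that is not a well-formed
    entry. Per the changelog, a broker without the CVE-2018-12551 fix turns
    such a line into a username with no password (a blank line into the
    empty username), so each finding is a potential unauthenticated login."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            findings.append((n, "blank line: becomes the empty username, no password"))
        elif ":" not in line:
            findings.append((n, "no ':' separator: whole line becomes a username, no password"))
        else:
            m = PW_LINE.match(line)
            if m is None:
                findings.append((n, "not '<user>:$6$<salt>$<hash>' as written by mosquitto_passwd"))
            elif not (_is_b64(m.group(2)) and _is_b64(m.group(3))):
                findings.append((n, "salt or hash field is not valid base64"))
    return findings


def audit_acl_file(text: str) -> Dict[str, object]:
    """Summarise an ACL file. 'effectively_empty' is the CVE-2018-12550
    condition: only blank lines and comments, which a broker without the fix
    treats as 'no ACL file configured', so no topic access is denied."""
    rules = users = unknown = 0
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        kw = s.split()[0]
        if kw in ("topic", "pattern"):
            rules += 1
        elif kw == "user":
            users += 1
        else:
            unknown += 1
    return {"rules": rules, "users": users, "unknown": unknown,
            "effectively_empty": rules + users + unknown == 0}


# Constructed sample inputs (not real credentials or a real deployment).
SAMPLE_PASSWD = "\n".join([
    make_entry("alice", "correct horse", b"0123456789ab"),   # well-formed
    "",                                                      # blank: empty username
    "# added by hand, password to follow",                   # comment: no ':'
    "bob",                                                   # user with no ':'
    "carol:not-a-hash",                                      # hand-edited plaintext
    make_entry("dave", "battery staple", b"ba9876543210"),   # well-formed
]) + "\n"

ACL_ONLY_COMMENTS = "# deny everything by default\n\n   \n# (rules to be added)\n"
ACL_WITH_RULES = ("topic read public/#\n"
                  "\n"
                  "user alice\n"
                  "topic readwrite sensors/alice/#\n")


def main(argv: List[str]) -> int:
    """Usage: audit.py <password_file> <acl_file>; exit status 1 on any finding."""
    with open(argv[1]) as f:
        pw_findings = audit_password_file(f.read())
    with open(argv[2]) as f:
        acl = audit_acl_file(f.read())
    for n, why in pw_findings:
        print("%s:%d: %s" % (argv[1], n, why))
    if acl["effectively_empty"]:
        print("%s: no rules; pre-fix broker treats this as no ACL file" % argv[2])
    return 1 if pw_findings or acl["effectively_empty"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the broker's configured password_file and acl_file; a non-zero exit means the files contain something the pre-fix broker would have misread. Note that the check for the comment line is conservative: the changelog says malformed data "typically" becomes a passwordless username, so any line that is not in mosquitto_passwd's format is reported rather than only the blank-line case it names explicitly.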