CVE-2017-7655

    A NULL pointer dereference vulnerability in the Mosquitto library
    could lead to crashes for those applications using the library.

CVE-2018-12550

    An ACL file with no statements was treated as having a default
    allow policy. The new behaviour of an empty ACL file is a default
    policy of access denied.
    (This is in compliance with all newer releases.)

CVE-2018-12551

    Malformed authentication data in the password file could allow
    clients to circumvent authentication and get access to the broker.

CVE-2019-11779

    Fix for processing a crafted SUBSCRIBE packet containing a topic
    that consists of approximately 65400 or more '/' characters.
    (The fix sets TOPIC_HIERARCHY_LIMIT to 200.)
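
The following sketch shows the kind of depth check the CVE-2019-11779 fix implies. It is an example added to this advisory, not code from the mosquitto source or the Debian patch. The function names, the MQTT_MAX_TOPIC_LEN constant and the choice to count '/' separators against the limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOPIC_HIERARCHY_LIMIT 200   /* value named in the advisory */
#define MQTT_MAX_TOPIC_LEN 65535    /* MQTT strings carry a 16-bit length */

enum topic_result { TOPIC_OK = 0, TOPIC_EMPTY, TOPIC_TOO_LONG, TOPIC_TOO_DEEP };

/* Validate a length-prefixed topic filter before any per-level processing.
 * Single pass, no recursion, returns as soon as the limit is exceeded.
 * Assumption: the limit counts '/' separators. */
enum topic_result check_topic_depth(const char *topic, size_t len)
{
    size_t separators = 0;

    if (topic == NULL || len == 0)
        return TOPIC_EMPTY;
    if (len > MQTT_MAX_TOPIC_LEN)
        return TOPIC_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        if (topic[i] == '/' && ++separators > TOPIC_HIERARCHY_LIMIT)
            return TOPIC_TOO_DEEP;
    }
    return TOPIC_OK;
}

/* Constructed input: a topic made of n '/' characters, as in the advisory. */
enum topic_result check_slash_run(size_t n)
{
    static char buf[MQTT_MAX_TOPIC_LEN];

    if (n > sizeof(buf))
        return TOPIC_TOO_LONG;
    memset(buf, '/', n);
    return check_topic_depth(buf, n);
}

int main(void)
{
    const char *ok = "sensors/building1/floor2/temperature";

    printf("normal topic:     %d\n", (int)check_topic_depth(ok, strlen(ok)));
    printf("200 separators:   %d\n", (int)check_slash_run(200));
    printf("201 separators:   %d\n", (int)check_slash_run(201));
    printf("65400 separators: %d\n", (int)check_slash_run(65400));
    return 0;
}
```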

For Debian 8 "Jessie", these problems have been fixed in version
1.3.4-2+deb8u4.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be