--------------------------------------------------------------------------------Fedora Update Notification
FEDORA-2019-4c69fb4cd7
2019-10-04 20:02:51.623142
--------------------------------------------------------------------------------Name        : mosquitto
Product     : Fedora 31
Version     : 1.6.7
Release     : 1.fc31
URL         : https://mosquitto.org/
Summary     : An Open Source MQTT v3.1/v3.1.1 Broker
Description :
Mosquitto is an open source message broker that implements the MQ Telemetry
Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method
of carrying out messaging using a publish/subscribe model. This makes it
suitable for "machine to machine" messaging such as with low power sensors
or mobile devices such as phones, embedded computers or micro-controllers
like the Arduino.

--------------------------------------------------------------------------------Update Information:

1.6.7 =====  Broker:  * Add workaround for working with libwebsockets 3.2.0. *
Fix potential crash when reloading config.  Client library:  * Don't use / in
autogenerated client ids, to avoid confusing with topics. * Fix
mosquitto_max_inflight_messages_set() and mosquitto_int_option(...,
MOSQ_OPT_*_MAX, ...) behaviour. * Fix regression on use of
mosquitto_connect_async() not working.  Clients:  * mosquitto_sub: Fix -E
incorrectly not working unless -d was also specified. * Updated documentation
around automatic client ids.   1.6.6 =====  Security: * CVE-2019-11779 *
Restrict topic hierarchy to 200 levels to prevent possible stack overflow.
Broker:  * Restrict topic hierarchy to 200 levels to prevent possible stack
overflow. * mosquitto_passwd now returns 1 when attempting to update a user that
does not exist.   1.6.5 =====  Broker:  * Fix v5 DISCONNECT packets with
remaining length == 2 being treated as a protocol error. * Fix support for
libwebsockets 3.x. * Fix slow websockets performance when sending large
messages. * Fix bridges potentially not connecting on Windows. * Fix clients
authorised using `use_identity_as_username` or `use_subject_as_username` being
disconnected on SIGHUP. * Improve error messages in some situations when clients
disconnect. Reduces the number of "Socket error on client X, disconnecting"
messages. * Fix Will for v5 clients not being sent if will delay interval was
greater than the session expiry interval. * Fix CRL file not being reloaded on
HUP. * Fix repeated "Error in poll" messages on Windows when only websockets
listeners are defined.  Client library:  * Fix reconnect backoff for the
situation where connections are dropped rather than refused. * Fix missing locks
on `mosq->state`.  Documentation:  * Improve details on global/per listener
options in the mosquitto.conf man page. * Clarify behaviour when clients exceed
the `message_size_limit`. * Improve documentation for `max_inflight_bytes`,
`max_inflight_messages`, and `max_queued_messages`.
--------------------------------------------------------------------------------References:

  [ 1 ] Bug #1753846 - CVE-2019-11779 mosquitto: malicious MQTT sends  SUBSCRIBE packet leads to stack over flow
        https://bugzilla.redhat.com/show_bug.cgi?id=1753846
--------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-4c69fb4cd7' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Fedora 31: mosquitto FEDORA-2019-4c69fb4cd7

October 4, 2019
1.6.7 Fix potential crash when reloading config

Summary

Mosquitto is an open source message broker that implements the MQ Telemetry

Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method

of carrying out messaging using a publish/subscribe model. This makes it

suitable for "machine to machine" messaging such as with low power sensors

or mobile devices such as phones, embedded computers or micro-controllers

like the Arduino.

1.6.7 ===== Broker: * Add workaround for working with libwebsockets 3.2.0. *

Fix potential crash when reloading config. Client library: * Don't use / in

autogenerated client ids, to avoid confusing with topics. * Fix

mosquitto_max_inflight_messages_set() and mosquitto_int_option(...,

MOSQ_OPT_*_MAX, ...) behaviour. * Fix regression on use of

mosquitto_connect_async() not working. Clients: * mosquitto_sub: Fix -E

incorrectly not working unless -d was also specified. * Updated documentation

around automatic client ids. 1.6.6 ===== Security: * CVE-2019-11779 *

Restrict topic hierarchy to 200 levels to prevent possible stack overflow.

Broker: * Restrict topic hierarchy to 200 levels to prevent possible stack

overflow. * mosquitto_passwd now returns 1 when attempting to update a user that

does not exist. 1.6.5 ===== Broker: * Fix v5 DISCONNECT packets with

remaining length == 2 being treated as a protocol error. * Fix support for

libwebsockets 3.x. * Fix slow websockets performance when sending large

messages. * Fix bridges potentially not connecting on Windows. * Fix clients

authorised using `use_identity_as_username` or `use_subject_as_username` being

disconnected on SIGHUP. * Improve error messages in some situations when clients

disconnect. Reduces the number of "Socket error on client X, disconnecting"

messages. * Fix Will for v5 clients not being sent if will delay interval was

greater than the session expiry interval. * Fix CRL file not being reloaded on

HUP. * Fix repeated "Error in poll" messages on Windows when only websockets

listeners are defined. Client library: * Fix reconnect backoff for the

situation where connections are dropped rather than refused. * Fix missing locks

on `mosq->state`. Documentation: * Improve details on global/per listener

options in the mosquitto.conf man page. * Clarify behaviour when clients exceed

the `message_size_limit`. * Improve documentation for `max_inflight_bytes`,

`max_inflight_messages`, and `max_queued_messages`.

[ 1 ] Bug #1753846 - CVE-2019-11779 mosquitto: malicious MQTT sends SUBSCRIBE packet leads to stack over flow

https://bugzilla.redhat.com/show_bug.cgi?id=1753846

su -c 'dnf upgrade --advisory FEDORA-2019-4c69fb4cd7' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

FEDORA-2019-4c69fb4cd7 2019-10-04 20:02:51.623142 Product : Fedora 31 Version : 1.6.7 Release : 1.fc31 URL : https://mosquitto.org/ Summary : An Open Source MQTT v3.1/v3.1.1 Broker Description : Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for "machine to machine" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino. 1.6.7 ===== Broker: * Add workaround for working with libwebsockets 3.2.0. * Fix potential crash when reloading config. Client library: * Don't use / in autogenerated client ids, to avoid confusing with topics. * Fix mosquitto_max_inflight_messages_set() and mosquitto_int_option(..., MOSQ_OPT_*_MAX, ...) behaviour. * Fix regression on use of mosquitto_connect_async() not working. Clients: * mosquitto_sub: Fix -E incorrectly not working unless -d was also specified. * Updated documentation around automatic client ids. 1.6.6 ===== Security: * CVE-2019-11779 * Restrict topic hierarchy to 200 levels to prevent possible stack overflow. Broker: * Restrict topic hierarchy to 200 levels to prevent possible stack overflow. * mosquitto_passwd now returns 1 when attempting to update a user that does not exist. 1.6.5 ===== Broker: * Fix v5 DISCONNECT packets with remaining length == 2 being treated as a protocol error. * Fix support for libwebsockets 3.x. * Fix slow websockets performance when sending large messages. * Fix bridges potentially not connecting on Windows. * Fix clients authorised using `use_identity_as_username` or `use_subject_as_username` being disconnected on SIGHUP. * Improve error messages in some situations when clients disconnect. Reduces the number of "Socket error on client X, disconnecting" messages. * Fix Will for v5 clients not being sent if will delay interval was greater than the session expiry interval. * Fix CRL file not being reloaded on HUP. * Fix repeated "Error in poll" messages on Windows when only websockets listeners are defined. Client library: * Fix reconnect backoff for the situation where connections are dropped rather than refused. * Fix missing locks on `mosq->state`. Documentation: * Improve details on global/per listener options in the mosquitto.conf man page. * Clarify behaviour when clients exceed the `message_size_limit`. * Improve documentation for `max_inflight_bytes`, `max_inflight_messages`, and `max_queued_messages`. [ 1 ] Bug #1753846 - CVE-2019-11779 mosquitto: malicious MQTT sends SUBSCRIBE packet leads to stack over flow https://bugzilla.redhat.com/show_bug.cgi?id=1753846 su -c 'dnf upgrade --advisory FEDORA-2019-4c69fb4cd7' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Change Log

References

Update Instructions

Severity
Product : Fedora 31
Version : 1.6.7
Release : 1.fc31
URL : https://mosquitto.org/
Summary : An Open Source MQTT v3.1/v3.1.1 Broker

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved