NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6518cf4da7
kumquat-buildroot/package/mosquitto/mosquitto.hash

8 lines
410 B
Plaintext
Raw Normal View History

mosquitto: security bump to version 1.4.15 Fixes CVE-2017-7651: Unauthenticated clients can send a crafted CONNECT packet which causes large amounts of memory use in the broker. If multiple clients do this, an out of memory situation can occur and the system may become unresponsive or the broker will be killed by the operating system. The fix addresses the problem by limiting the permissible size for CONNECT packet, and by adding a memory_limit configuration option that allows the broker to self limit the amount of memory it uses. The hash of new tarball is not (yet) available through download.php, so use a locally calculated hash. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-01 00:11:40 +01:00
# Locally calculated after checking gpg signature
package/mosquitto: security bump to version 1.5.6 Fixes the following security issues: CVE-2018-12551: If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. Affects version 1.0 to 1.5.5 inclusive. CVE-2018-12550: If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. Affects versions 1.0 to 1.5.5 inclusive. CVE-2018-12546: If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option check_retain_source has been introduced to enforce checking of the retained message source on publish. Add two upstream post-1.5.6 patches to fix a build error in the bridge code when ADNS is enabled and when building with older toolchains not defaulting to C99 mode. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-09 19:20:58 +01:00
sha256 d5bdc13cc668350026376d57fc14de10aaee029f6840707677637d15e0751a40 mosquitto-1.5.6.tar.gz
mosquitto: bump version to 1.4.14 Drop CVE 2017-9868 patch as that is now upstream. 1.4.14 is a bugfix release, fixing significant websocket performance / correctness issues. Use HTTPS for the download as the server uses HSTS, thus saving a redirect. While we're at it, add hashes for the license files. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-11 11:57:13 +02:00
# License files
sha256 cc77e25bafd40637b7084f04086d606f0a200051b61806f97c93405926670bc1 LICENSE.txt
sha256 3b9be6b894d0769de796e653571ff6cef494913c0ce78c35a97db939e7d9087c epl-v10
sha256 e8cf7d54ea46c19aba793983889b7f7425e1ebfcaaccec764a7db091646e203c edl-v10
Reference in New Issue Copy Permalink