NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/mosquitto: security bump to version 1.6.6

Browse Source 
Fixes a security issue. From the annoncement:

A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive.

If a client sends a SUBSCRIBE packet containing a topic that consists of
approximately 65400 or more '/' characters, i.e.  the topic hierarchy
separator, then a stack overflow will occur.

The issue is fixed in Mosquitto 1.6.6 and 1.5.9.  Patches for older versions
are available at https://mosquitto.org/files/cve/2019-hier

The fix addresses the problem by restricting the allowed number of topic
hierarchy levels to 200.  An alternative fix is to increase the size of the
stack by a small amount.

https://mosquitto.org/blog/2019/09/version-1-6-6-released/

Also notice that 1.6.5 silently fixed a security issue:

CVE-2019-11778

A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778

If an MQTT v5 client connects to Mosquitto, sets a last will and testament,
sets a will delay interval, sets a session expiry interval, and the will
delay interval is set longer than the session expiry interval, then a use
after free error occurs, which has the potential to cause a crash in some
situations.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit is contained in:
Peter Korsgaard 2019-09-18 16:38:39 +02:00 committed by Thomas Petazzoni
parent b81e00e2ed
commit c5c106e4e3
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package/mosquitto/mosquitto.hash
View File

@ -1,5 +1,5 @@
# Locally calculated after checking gpg signature
sha256 bc71b38b5a26fc7cc772853e5607c657868db9f9a6d2b15e2b677649a0f85d20 mosquitto-1.6.5.tar.gz
sha256 82676bf4201ff102be1511b56b041a9450fbbfeda40b21aa28be0fee56e8de17 mosquitto-1.6.6.tar.gz
# License files
sha256 cc77e25bafd40637b7084f04086d606f0a200051b61806f97c93405926670bc1 LICENSE.txt

2
package/mosquitto/mosquitto.mk
View File

@ -4,7 +4,7 @@
#
################################################################################
MOSQUITTO_VERSION = 1.6.5
MOSQUITTO_VERSION = 1.6.6
MOSQUITTO_SITE = https://mosquitto.org/files/source
MOSQUITTO_LICENSE = EPL-1.0 or EDLv1.0
MOSQUITTO_LICENSE_FILES = LICENSE.txt epl-v10 edl-v10