[mosquitto-dev] Security advisory: CVE-2017-9868

Dear all,

A vulnerability exists in Mosquitto versions 0.15 to 1.4.12 inclusive
known as CVE-2017-9868.

If persistence is enabled, then the persistence file is created world
readable, which has the potential to make sensitive information
available to any local user.

Patches are available to fix this for Unix-like operating systems
(i.e. not Windows): https://mosquitto.org/files/cve/2017-9868/

This will be fixed in version 1.4.13, due to be released shortly.

This can also be fixed administratively (including on Windows) by
removing world read permissions for the directory that the persistence
file is stored in. In many systems this can be achieved with:

chmod 700 /var/lib/mosquitto

Regards,

Roger
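
An added example, not part of the original advisory or of the Mosquitto project's code: a shell check for the exposure described above, a world-readable persistence file inside a directory that other local users can enter. The file name mosquitto.db (the broker's default persistence_file) and the function names are assumptions; /var/lib/mosquitto comes from the advisory.

```shell
#!/bin/sh
# Added example: audit a Mosquitto persistence location for CVE-2017-9868.
# Assumptions: default file name mosquitto.db; run as root or as the broker's
# user so the file can be inspected even after the directory is locked down.

# has_other_perm PATH MODE
# Succeeds when PATH has every "other" permission bit in MODE (octal) set.
has_other_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# persistence_exposed DIR [FILE]
# Returns 0 when other local users can read the file: the file is o+r AND
# the directory is o+x (searchable). Returns 1 when either bit is missing,
# which is the state "chmod 700 DIR" or a patched broker produces.
# Returns 2 when the file cannot be found. Only the immediate directory is
# checked, not its parents.
persistence_exposed() {
    dir=$1
    file=${2:-mosquitto.db}
    [ -f "$dir/$file" ] || return 2
    has_other_perm "$dir/$file" 004 || return 1
    has_other_perm "$dir" 001 || return 1
    return 0
}

# Optional command-line use: ./check.sh /var/lib/mosquitto [file]
if [ "$#" -gt 0 ]; then
    rc=0
    persistence_exposed "$@" || rc=$?
    case $rc in
        0) echo "EXPOSED: $1 is world-searchable and the file is world-readable" ;;
        1) echo "OK: other users cannot read the persistence file" ;;
        *) echo "UNKNOWN: persistence file not found in $1" ;;
    esac
fi
```
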

