Re: [mosquitto-dev] Security advisory: CVE-2017-9868

Thank you so much Roger.

Best regards.

2017-06-26 12:47 GMT+02:00 Roger Light <roger@xxxxxxxxxx>:
Dear all,

A vulnerability exists in Mosquitto versions 0.15 to 1.4.12 inclusive
known as CVE-2017-9868.

If persistence is enabled, then the persistence file is created world
readable, which has the potential to make sensitive information
available to any local user.

Patches are available to fix this for Unix-like operating systems
(i.e. not Windows): https://mosquitto.org/files/cve/2017-9868/

This will be fixed in version 1.4.13, due to be released shortly.

This can also be fixed administratively (including on Windows) by
removing world read permissions for the directory that the persistence
file is stored in. In many systems this can be achieved with:

chmod 700 /var/lib/mosquitto

Regards,

Roger

--
---
Manuel Domínguez Dorado
Software engineer (Ph.D, M.Sc., B.Sc.)
Certified Project Management Professional (PMP)

ingeniero@xxxxxxxxxxxxxxxxxxx
http://www.ManoloDominguez.com
(+34) 607 418 760
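
Added example, not part of the thread or of the Mosquitto project: a shell check for the exposure the advisory describes and for the administrative fix it suggests. The file name `mosquitto.db`, the function names and the verdict strings are assumptions; run it as root or as the broker's user so the directory can still be inspected after `chmod 700`.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether a Mosquitto persistence
# file can be read by other local users, the exposure described in CVE-2017-9868.
# Only the immediate directory is checked; parent directories are not walked.

# Print the "other" permission digit (0-7) of a path. GNU stat first, BSD fallback.
other_digit() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    printf '%s\n' "${mode#"${mode%?}"}"
}

# $1 = persistence directory, $2 = persistence file name.
# Prints one verdict: NO_DIR, NO_FILE, OK, MITIGATED_BY_DIR or EXPOSED.
audit_persistence() {
    dir=$1
    file=$1/$2
    [ -d "$dir" ] || { echo NO_DIR; return 0; }
    [ -e "$file" ] || { echo NO_FILE; return 0; }
    d=$(other_digit "$dir") || { echo "cannot stat $dir" >&2; return 1; }
    f=$(other_digit "$file") || { echo "cannot stat $file" >&2; return 1; }
    if [ $((f & 4)) -eq 0 ]; then
        echo OK                 # file itself is not world readable
    elif [ $((d & 1)) -eq 0 ]; then
        echo MITIGATED_BY_DIR   # file is o+r, but others cannot traverse the directory
    else
        echo EXPOSED            # o+r file inside a directory others can enter
    fi
}

# Defaults are assumptions: directory from the advisory, file name mosquitto.db.
audit_persistence "${1:-/var/lib/mosquitto}" "${2:-mosquitto.db}" || true
```

A `MITIGATED_BY_DIR` verdict corresponds to the `chmod 700` workaround being in place while the file itself still carries the world-read bit.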