[mosquitto-dev] Version 1.6.6 released

Dear all,

Versions 1.6.6 and 1.5.9 have been released to address a vulnerability
in Mosquitto.

If a client has successfully connected, then sends a SUBSCRIBE packet
with a topic that contains more than 65400 / characters, then
Mosquitto would crash. This has been fixed by restricting the
allowable number of hierarchy levels to 200. An alternative fix is to
increase the stack by a small amount. I am awaiting a CVE assignment
for this. This affects versions 1.5 to 1.6.5 inclusive.

Version 1.6.5 addressed a different vulnerability, CVE-2019-11778,
which is a use after free occurring if an MQTT v5 client connected
with a last will and testament set, with a will delay interval set,
with a session expiry interval set, and with the session expiry
interval being shorter than the will delay interval. This affects
versions 1.6 to 1.6.4 inclusive.

There are no plans to provide binaries for the 1.5.9 release. If this
is important for you, please get in touch.

I am sorry for the short amount of time between 1.6.5 and 1.6.6, but
this bug demanded a prompt response.

Both bugs listed here were disclosed publicly. If you find a bug that
has the potential to cause a crash, please follow the steps on
https://www.eclipse.org/security/ to report it.

https://mosquitto.org/blog/2019/09/version-1-6-6-released/

Regards,

Roger
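The first fix described above, a cap on the number of topic hierarchy levels, is the kind of input check a broker should run before a subscription filter reaches any per-level (and possibly recursive) processing. The following is an added example and is not Mosquitto's own code: it counts '/'-separated levels in a single pass, rejects filters deeper than 200 levels (the limit stated in the announcement; the macro name TOPIC_HIERARCHY_LIMIT and the function names are this example's own), and also validates '+' and '#' wildcard placement as the MQTT specification requires. make_slash_topic builds the pathological filter from the announcement, a run of more than 65400 '/' characters, so the check can be exercised against it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hierarchy-level cap. 200 is the number the release announcement gives;
 * the macro name is this example's own, not Mosquitto's. */
#define TOPIC_HIERARCHY_LIMIT 200

typedef enum {
    TOPIC_OK = 0,
    TOPIC_ERR_EMPTY,
    TOPIC_ERR_TOO_DEEP,
    TOPIC_ERR_BAD_WILDCARD
} topic_status;

/* Validate an MQTT subscription filter before it is handed to the
 * subscription tree. Levels are counted in one pass and the depth limit
 * is enforced as soon as it is exceeded, so a filter made of tens of
 * thousands of '/' characters is rejected without any per-level work.
 * Wildcard rules: '+' must occupy a whole level; '#' must occupy a whole
 * level and be the last character of the filter. */
topic_status check_sub_topic(const char *topic, size_t max_levels)
{
    size_t levels = 1;   /* a non-empty filter has at least one level */
    size_t i, len;

    if (topic == NULL || topic[0] == '\0')
        return TOPIC_ERR_EMPTY;

    len = strlen(topic);
    for (i = 0; i < len; i++) {
        if (topic[i] == '/') {
            levels++;
            if (levels > max_levels)
                return TOPIC_ERR_TOO_DEEP;
        } else if (topic[i] == '+') {
            if ((i > 0 && topic[i - 1] != '/') ||
                (i + 1 < len && topic[i + 1] != '/'))
                return TOPIC_ERR_BAD_WILDCARD;
        } else if (topic[i] == '#') {
            if (i + 1 != len || (i > 0 && topic[i - 1] != '/'))
                return TOPIC_ERR_BAD_WILDCARD;
        }
    }
    return TOPIC_OK;
}

/* Build a constructed filter of n consecutive '/' characters (n+1 empty
 * levels), the shape of input described in the announcement. Caller frees. */
char *make_slash_topic(size_t n)
{
    char *t = malloc(n + 1);
    if (t == NULL)
        return NULL;
    memset(t, '/', n);
    t[n] = '\0';
    return t;
}

int main(void)
{
    char *deep = make_slash_topic(65401);
    printf("sensors/+/temp -> %d\n",
           check_sub_topic("sensors/+/temp", TOPIC_HIERARCHY_LIMIT));
    printf("65401 slashes  -> %d\n",
           check_sub_topic(deep, TOPIC_HIERARCHY_LIMIT));
    free(deep);
    return 0;
}
```

Running the check at packet-parse time, before the filter touches any tree-walking code, is what turns a stack exhaustion into an ordinary protocol error; the 200-level cap is generous for real deployments while being orders of magnitude below the depth needed to exhaust a default thread stack.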
