-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Feb 2019 16:00:52 +0000
Source: mosquitto
Architecture: source
Version: 1.5.6-1
Distribution: unstable
Urgency: medium
Maintainer: Roger A. Light <ro...@atchoo.org>
Changed-By: Roger A. Light <ro...@atchoo.org>
Changes:
 mosquitto (1.5.6-1) unstable; urgency=medium
 .
   * SECURITY UPDATE: If Mosquitto is configured to use a password file for
     authentication, any malformed data in the password file will be treated
     as valid. This typically means that the malformed data becomes a username
     and no password. If this occurs, clients can circumvent authentication and
     get access to the broker by using the malformed username. In particular,
     a blank line will be treated as a valid empty username. Other security
     measures are unaffected. Users who have only used the mosquitto_passwd
     utility to create and modify their password files are unaffected by this
     vulnerability.
     - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
       more stringent parsing tests on the password file data.
     - CVE-2018-12551
   * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
     comments, then mosquitto treats the ACL file as not being defined, which
     means that no topic access is denied. Although denying access to all
     topics is not a useful configuration, this behaviour is unexpected and
     could lead to access being incorrectly granted in some circumstances.
     - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
       that if an ACL file is defined but no rules are defined, then access
       will be denied.
     - CVE-2018-12550
   * SECURITY UPDATE: If a client publishes a retained message to a topic that
     they have access to, and then their access to that topic is revoked, the
     retained message will still be delivered to future subscribers. This
     behaviour may be undesirable in some applications, so a configuration
     option `check_retain_source` has been introduced to enforce checking of
     the retained message source on publish.
     - debian/patches/mosquitto-1.4.8-cve-2018-12546.patch: this patch stores
       the originator of the retained message, so security checking can be
       carried out before re-publishing. The complexity of the patch is due to
       the need to save this information across broker restarts.
     - CVE-2018-12546
   * New upstream release.
   * Bump standards version to 4.3.0, no changes needed.
   * fix-step3.patch: fix compilation error.
Checksums-Sha1:
 8392d8294e1c2583ffbb742a5558f7d904b26434 2302 mosquitto_1.5.6-1.dsc
 df99f3b9d5afcb1f13f622e07b4b9f516c26689a 439402 mosquitto_1.5.6.orig.tar.gz
 4b92c745b205a9867fb69071c36afb45e2e5b6ab 17184 mosquitto_1.5.6-1.debian.tar.xz
 c001d515525c5460f33f8047d2edfc9ae48131d6 8409 mosquitto_1.5.6-1_amd64.buildinfo
Checksums-Sha256:
 4c74e7c67559dbf949007b36b43629c098f138d593d9da890840401ffcdb0ea2 2302 mosquitto_1.5.6-1.dsc
 d5bdc13cc668350026376d57fc14de10aaee029f6840707677637d15e0751a40 439402 mosquitto_1.5.6.orig.tar.gz
 b13f7ee7653f5d99891e6c860078491bf88f5bd55fc415cba442e0758b5e5e4d 17184 mosquitto_1.5.6-1.debian.tar.xz
 be9f52a85144632c18a2c575bf08d47a5173c202e1b2af9f506c5dda13167f55 8409 mosquitto_1.5.6-1_amd64.buildinfo
Files:
 f1f98c42ef38b2ae94fd3ed608b3ba17 2302 net optional mosquitto_1.5.6-1.dsc
 4006a7b0654c779deea0e3b81902b426 439402 net optional mosquitto_1.5.6.orig.tar.gz
 9cab4aac2419826c6895d4a76732d267 17184 net optional mosquitto_1.5.6-1.debian.tar.xz
 55a72345f06acd34cc772c68b4a3adae 8409 net optional mosquitto_1.5.6-1_amd64.buildinfo
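The CVE-2018-12551 entry above describes a parsing failure mode rather than a specific code path: a line the broker cannot interpret becomes a user with no password. The following C program is an added example, not mosquitto's code or its patch, that models the two parsing policies side by side. It assumes the `username:$6$salt$hash` layout that mosquitto_passwd writes; the password file content is constructed and the salt/digest strings are made up, not real hashes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample password file. Line 2 is blank, line 3 has no separator
 * and line 4 has an empty hash: the malformed cases CVE-2018-12551 is about.
 * The salt and digest for "alice" are made up, not a real digest. */
static const char SAMPLE_PASSWORD_FILE[] =
    "alice:$6$N9oISQRL7tDBF0+F$0t6ZsY2m4xk3Uq8m7hG1XB9sQq1aRaA1M0w9rWZc\n"
    "\n"
    "mangled line without separator\n"
    "bob:\n";

#define MAX_ENTRIES 16
#define MAX_FIELD   128

struct pw_entry {
    char username[MAX_FIELD];
    char hash[MAX_FIELD];   /* "" models "no password stored" */
};

struct pw_file {
    struct pw_entry e[MAX_ENTRIES];
    size_t n;
};

/* Model of the pre-1.5.6 behaviour described in the changelog: every line
 * becomes an entry; text before the first ':' (or the whole line) is the
 * username and whatever follows is the hash, so "" and "bob" get no password. */
static bool accept_lenient(const char *line, struct pw_entry *out)
{
    const char *colon = strchr(line, ':');
    size_t ulen = colon ? (size_t)(colon - line) : strlen(line);
    if (ulen >= MAX_FIELD) return false;
    memcpy(out->username, line, ulen);
    out->username[ulen] = '\0';
    snprintf(out->hash, sizeof out->hash, "%s", colon ? colon + 1 : "");
    return true;
}

/* Stricter parser (illustrative, not mosquitto's patch): a line is only an
 * entry if it has a separator, a non-empty username and a hash of the form
 * "$6$<salt>$<digest>" with both parts present. Anything else is skipped. */
static bool accept_strict(const char *line, struct pw_entry *out)
{
    const char *colon = strchr(line, ':');
    if (!colon) return false;
    size_t ulen = (size_t)(colon - line);
    if (ulen == 0 || ulen >= MAX_FIELD) return false;
    const char *hash = colon + 1;
    if (strlen(hash) >= MAX_FIELD || strncmp(hash, "$6$", 3) != 0) return false;
    const char *sep = strchr(hash + 3, '$');            /* end of the salt */
    if (!sep || sep == hash + 3 || sep[1] == '\0') return false;
    memcpy(out->username, line, ulen);
    out->username[ulen] = '\0';
    strcpy(out->hash, hash);
    return true;
}

/* Split the file into lines (keeping blank ones, which strtok would drop)
 * and feed each to the chosen acceptor. Returns the number of entries kept. */
static size_t load_password_file(const char *data, struct pw_file *pf,
                                 bool (*accept)(const char *, struct pw_entry *))
{
    pf->n = 0;
    const char *p = data;
    while (*p && pf->n < MAX_ENTRIES) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[2 * MAX_FIELD];
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        line[strcspn(line, "\r")] = '\0';               /* tolerate CRLF files */
        struct pw_entry ent;
        if (accept(line, &ent)) pf->e[pf->n++] = ent;
        p = nl ? nl + 1 : p + full;
    }
    return pf->n;
}

/* True if `user` is loaded with no stored password, i.e. a CONNECT with that
 * username and no password would be accepted without any hash comparison.
 * This is what turns the parsing bug into an authentication bypass. */
static bool passwordless_login_possible(const struct pw_file *pf, const char *user)
{
    for (size_t i = 0; i < pf->n; i++)
        if (strcmp(pf->e[i].username, user) == 0 && pf->e[i].hash[0] == '\0')
            return true;
    return false;
}

int main(void)
{
    struct pw_file pf;
    load_password_file(SAMPLE_PASSWORD_FILE, &pf, accept_lenient);
    printf("lenient: %zu entries, empty username passwordless: %s\n",
           pf.n, passwordless_login_possible(&pf, "") ? "yes" : "no");
    load_password_file(SAMPLE_PASSWORD_FILE, &pf, accept_strict);
    printf("strict:  %zu entries, empty username passwordless: %s\n",
           pf.n, passwordless_login_possible(&pf, "") ? "yes" : "no");
    return 0;
}
```

The lenient policy loads four entries from the sample, three of them without a password, and the empty username is one of them, which is the "blank line" case the changelog calls out. The strict policy keeps only the well-formed `alice` entry. A quick audit of an existing deployment is the same check in reverse: any line in the password file that is not `name:$6$...$...` is a candidate passwordless account on an unpatched broker.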
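The CVE-2018-12550 entry turns on a single semantic distinction: an ACL file that parses to zero rules is not the same as no ACL file at all. The program below is an added example, not mosquitto's code or its patch, that models that distinction with a minimal acl_file reader. It handles only default `topic [read|write|readwrite] <filter>` rules plus comments and blank lines (the `user` and `pattern` directives of a real acl_file are an assumption left out here), and both ACL files it reads are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Access bits for this illustrative model (not mosquitto's internal values). */
#define ACL_READ  1
#define ACL_WRITE 2

#define MAX_RULES   32
#define MAX_PATTERN 128

struct acl_rule { int access; char pattern[MAX_PATTERN]; };

struct acl_config {
    bool acl_file_set;              /* was acl_file given in the broker config? */
    struct acl_rule r[MAX_RULES];
    size_t n;                       /* rules actually parsed from the file */
};

/* Constructed ACL files. The first has only comments and blank lines, which
 * is the CVE-2018-12550 case; the second carries one real rule. */
static const char EMPTY_ACL[] =
    "# restrict everything for now\n"
    "\n"
    "   # (rules to be added)\n";
static const char SENSOR_ACL[] =
    "# anonymous clients may only read sensor data\n"
    "topic read sensors/#\n";

/* MQTT topic filter match supporting '+' (one level) and a trailing '#'.
 * Simplified: "sensors/#" does not match the bare parent topic "sensors". */
static bool topic_matches(const char *pat, const char *topic)
{
    for (;;) {
        if (*pat == '#') return pat[1] == '\0';
        if (*pat == '+') {
            while (*topic && *topic != '/') topic++;
            pat++;
        } else if (*pat == *topic) {
            if (*pat == '\0') return true;
            pat++; topic++;
        } else {
            return false;
        }
    }
}

/* Parse "topic [read|write|readwrite] <filter>" lines, skipping blanks and
 * '#' comments. Marks the ACL file as configured even if nothing is parsed. */
static size_t load_acl_file(const char *data, struct acl_config *cfg)
{
    cfg->acl_file_set = true;
    cfg->n = 0;
    const char *p = data;
    while (*p && cfg->n < MAX_RULES) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + full;

        const char *s = line + strspn(line, " \t\r");
        if (*s == '\0' || *s == '#') continue;           /* blank or comment */
        char a[MAX_PATTERN], pat[MAX_PATTERN];
        int got = sscanf(s, "topic %127s %127s", a, pat);
        struct acl_rule *r = &cfg->r[cfg->n];
        if (got == 1) { r->access = ACL_READ | ACL_WRITE; strcpy(r->pattern, a); }
        else if (got == 2 && strcmp(a, "read") == 0) { r->access = ACL_READ; strcpy(r->pattern, pat); }
        else if (got == 2 && strcmp(a, "write") == 0) { r->access = ACL_WRITE; strcpy(r->pattern, pat); }
        else if (got == 2 && strcmp(a, "readwrite") == 0) { r->access = ACL_READ | ACL_WRITE; strcpy(r->pattern, pat); }
        else continue;                                   /* not a rule this model handles */
        cfg->n++;
    }
    return cfg->n;
}

/* Access decision. With empty_means_undefined == true an acl_file that parsed
 * to zero rules is treated as if no acl_file were configured, so every request
 * is allowed (the pre-fix behaviour). With it false, a defined-but-empty ACL
 * falls through to the default deny, which is the fixed semantics. */
static bool acl_allows(const struct acl_config *cfg, const char *topic, int access,
                       bool empty_means_undefined)
{
    if (!cfg->acl_file_set) return true;                 /* no ACL configured at all */
    if (cfg->n == 0 && empty_means_undefined) return true;
    for (size_t i = 0; i < cfg->n; i++)
        if ((cfg->r[i].access & access) == access && topic_matches(cfg->r[i].pattern, topic))
            return true;
    return false;                                        /* default deny */
}

int main(void)
{
    struct acl_config cfg;
    load_acl_file(EMPTY_ACL, &cfg);
    printf("empty ACL, read secret/flag: pre-fix=%d fixed=%d\n",
           acl_allows(&cfg, "secret/flag", ACL_READ, true),
           acl_allows(&cfg, "secret/flag", ACL_READ, false));
    load_acl_file(SENSOR_ACL, &cfg);
    printf("sensor ACL, read sensors/room1/temp=%d write=%d\n",
           acl_allows(&cfg, "sensors/room1/temp", ACL_READ, false),
           acl_allows(&cfg, "sensors/room1/temp", ACL_WRITE, false));
    return 0;
}
```

The practical consequence the changelog hints at is the comment-only file: an operator who stubs out an acl_file intending to fill it in later, or whose rules are all commented out during a change, has on an unpatched broker silently granted every client every topic. The fixed semantics make that state fail closed.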
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE+uHltkZSvnmOJ4zCC8R9xk0TUwYFAlxjQ3kACgkQC8R9xk0T
UwbTlxAAhjGyiJT6fYm8XQkL3x5vFnZxYkSC/0ypuP3/r6x8U81KOcgrsAX7lI/5
uBhoNJyA1uNVhf65UR0n3z5Krj9HrUwrEhlmTfxdQvKtea5EbiA6Ft0m/LerYtwT
o1XVdWuGawjXaSe0YP3Gks/5fhd7S9ARgZQLgjnROOM4FBEDbzFhfcGtqMoYzf5M
pSnD6NmR3YzEf4O3a8pM+OQF5oXVcT/EyhWVBSTddOOq8eiOM13vEVmcCkHFaRIU
zwOctxGRBj2tGk+sa6bQJPBlbZ9ZmOE78PZAExgTmr4jf9vyNsBKFRwAjebz4R7i
4YLp9m/ojbMhx85VG7Zts4/DM1du6oLzB85bdidNoBo9JJuNh4obUbE/5X47Mg9f
RjuduR6DiSmvNvSybi7pG9A7+lTIY5m2UcicFm57BnKBlk/iAYMc3OVl3kKqewUD
rhM7GJ5TKlg8LvCbz9pHl1peBLwT/hb5NaisdGuZEPjG+gp4C2OWPzMj8if6uXgd
DwomjSshH2n8HL2hKBCYV0SXyo0O25JBFQHHFyX/1yu2V0QGCxLCXhjXhzr2swxV
dUlB+qhYLHnMoJUjuvZ8fma+L8YNI2AWSsaiECoHZuKVrZPCtcYqSJbocp7Lz78D
9Ops+RDrPotMwXgYisQ9p/EBN5lokRGd9YHn3nQtm2t1j4yqpGY=
=WbU4
-----END PGP SIGNATURE-----