Eclipse Mosquitto 1.4.12

Primary tabs

Security

  • Fix CVE-2017-7650, which allows clients with username or client id set to '#' or '+' to bypass pattern based ACLs or third party plugins. The fix denies message sending or receiving of messages for clients with a '#' or '+' in their username or client id and if the message is subject to a pattern ACL check or plugin check.

Patches for other versions are available at https://mosquitto.org/files/cve/2017-7650/

Broker

  • Fix mosquitto.db from becoming corrupted due to client messages being persisted with no stored message. Closes #424.
  • Fix bridge not restarting properly. Closes #428.
  • Fix unitialized memory in gets_quiet on Windows. Closes #426.
  • Fix building with WITH_ADNS=no for systems that don't use glibc. Closes #415.
  • Fixes to readme.md.
  • Fix deprecation warning for OpenSSL 1.1. PR #416.
  • Don't segfault on duplicate bridge names. Closes #446.
  • Fix CVE-2017-7650.
 
Release Date: 
Monday, May 29, 2017
Release Type: 
Service release (bug fixes only)