Eclipse Mosquitto™ 1.4.12

Security

  • Fix CVE-2017-7650, which allows clients with username or client id set to '#' or '+' to bypass pattern based ACLs or third party plugins. The fix denies sending or receiving of messages for clients with a '#' or '+' in their username or client id when the message is subject to a pattern ACL check or plugin check.

Patches for other versions are available at https://mosquitto.org/files/cve/2017-7650/
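
The following sketch is an added example, not Mosquitto's source code. It is a simplified model of pattern ACL evaluation that shows why a wildcard in the username or client id defeats the check, with the deny rule described above next to the unpatched behaviour. The `%u` and `%c` substitutions are those of Mosquitto's ACL file `pattern` lines; the function names, patterns and topics are constructed for illustration.

```python
import re

WILDCARDS = ("#", "+")  # MQTT multi-level and single-level wildcards


def topic_matches(sub: str, topic: str) -> bool:
    """MQTT subscription matching: '+' is one level, '#' is all remaining levels."""
    sub_levels, topic_levels = sub.split("/"), topic.split("/")
    for i, level in enumerate(sub_levels):
        if level == "#":
            return True
        if i >= len(topic_levels):
            return False
        if level != "+" and level != topic_levels[i]:
            return False
    return len(sub_levels) == len(topic_levels)


def expand(pattern: str, username: str, client_id: str) -> str:
    """Substitute %u and %c in one pass, as an ACL 'pattern' line is expanded."""
    values = {"%u": username, "%c": client_id}
    return re.sub(r"%[uc]", lambda m: values[m.group(0)], pattern)


def acl_allows(pattern, username, client_id, topic, patched=True):
    """Model of a pattern ACL check (hypothetical helper, not a Mosquitto API)."""
    if patched and any(w in ident for ident in (username, client_id)
                       for w in WILDCARDS):
        # Deny rule from the fix: a wildcard in either identity field means
        # the expanded pattern can no longer be trusted to name one client.
        return False
    return topic_matches(expand(pattern, username, client_id), topic)


if __name__ == "__main__":
    # Constructed sample data: each user should only reach their own subtree.
    pattern, topic = "sensors/%u/telemetry", "sensors/alice/telemetry"
    for user in ("alice", "bob", "+"):
        print(user,
              "unpatched:", acl_allows(pattern, user, "c1", topic, patched=False),
              "patched:", acl_allows(pattern, user, "c1", topic))
```

Without the deny rule, the username '+' expands the pattern to `sensors/+/telemetry`, which matches every other user's topic.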

Broker

  • Fix mosquitto.db becoming corrupted due to client messages being persisted with no stored message. Closes #424.
  • Fix bridge not restarting properly. Closes #428.
  • Fix uninitialized memory in gets_quiet on Windows. Closes #426.
  • Fix building with WITH_ADNS=no for systems that don't use glibc. Closes #415.
  • Fixes to readme.md.
  • Fix deprecation warning for OpenSSL 1.1. PR #416.
  • Don't segfault on duplicate bridge names. Closes #446.
  • Fix CVE-2017-7650.

 

Release Date
Release Type
Service release (bug fixes only)