Eclipse Mosquitto 1.4.12
- Fix CVE-2017-7650, which allows clients with username or client id set to '#' or '+' to bypass pattern based ACLs or third party plugins. The fix denies message sending or receiving of messages for clients with a '#' or '+' in their username or client id and if the message is subject to a pattern ACL check or plugin check.
Patches for other versions are available at https://mosquitto.org/files/cve/2017-7650/
- Fix mosquitto.db from becoming corrupted due to client messages being persisted with no stored message. Closes #424.
- Fix bridge not restarting properly. Closes #428.
- Fix unitialized memory in gets_quiet on Windows. Closes #426.
- Fix building with WITH_ADNS=no for systems that don't use glibc. Closes #415.
- Fixes to readme.md.
- Fix deprecation warning for OpenSSL 1.1. PR #416.
- Don't segfault on duplicate bridge names. Closes #446.
- Fix CVE-2017-7650.
Pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.
This issue affects all versions of Mosquitto 0.15 to 1.4.11 inclusive. It only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.
Version 1.4.12 of Mosquitto fixes the problem.
The fix addresses the problem by restricting access for clients with a '#', '+', or '/' in their username or client id. '/' has been included in the list of characters disallowed because it also has a special meaning in a topic and may represent an additional risk. The restriction placed on clients is that they may not receive or send messages that are subject to a pattern based ACL check, nor any message that is subject to a plugin check.