2.0.10
Security:
- CVE-2021-28166: If an authenticated client connected with MQTT v5 sent a
malformed CONNACK message to the broker a NULL pointer dereference occurred,
most likely resulting in a segfault. This will be updated with the CVE
number when it is assigned.
Affects versions 2.0.0 to 2.0.9 inclusive.
Broker:
- Don't over write new receive-maximum if a v5 client connects and takes over
an old session. Closes #2134.
- Fix CVE-2021-28166. Closes #2163.
Clients:
- Set `receive-maximum` to not exceed the `-C` message count in mosquitto_sub
and mosquitto_rr, to avoid potentially lost messages. Closes #2134.
- Fix TLS-PSK mode not working with port 8883. Closes #2152.
Client library:
- Fix possible socket leak. This would occur if a client was using
`mosquitto_loop_start()`, then if the connection failed due to the remote
server being inaccessible they called `mosquitto_loop_stop(, true)` and
recreated the mosquitto object.
Build:
- A variety of minor build related fixes, like functions not having previous
declarations.
- Fix CMake cross compile builds not finding opensslconf.h. Closes #2160.
- Fix build on Solaris non-sparc. Closes #2136.
Security:
- CVE-2021-28166: If an authenticated client connected with MQTT v5 sent a
malformed CONNACK message to the broker a NULL pointer dereference occurred,
most likely resulting in a segfault. This will be updated with the CVE
number when it is assigned.
Affects versions 2.0.0 to 2.0.9 inclusive.