Eclipse Mosquitto™ 2.0.10

2.0.10

Description

Security:

- CVE-2021-28166: If an authenticated client connected with MQTT v5 sent a
  malformed CONNACK message to the broker a NULL pointer dereference occurred,
  most likely resulting in a segfault. This will be updated with the CVE
  number when it is assigned.
  Affects versions 2.0.0 to 2.0.9 inclusive.

Broker:

- Don't overwrite new receive-maximum if a v5 client connects and takes over
  an old session. Closes #2134.
- Fix CVE-2021-28166. Closes #2163.

Clients:

- Set `receive-maximum` to not exceed the `-C` message count in mosquitto_sub
  and mosquitto_rr, to avoid potentially lost messages. Closes #2134.
- Fix TLS-PSK mode not working with port 8883. Closes #2152.

Client library:

- Fix possible socket leak. This would occur if a client was using
  `mosquitto_loop_start()`, then if the connection failed due to the remote
  server being inaccessible they called `mosquitto_loop_stop(, true)` and
  recreated the mosquitto object.

Build:

- A variety of minor build-related fixes, like functions not having previous
  declarations.
- Fix CMake cross compile builds not finding opensslconf.h. Closes #2160.
- Fix build on Solaris non-sparc. Closes #2136.

Security Issues

Security:

- CVE-2021-28166: If an authenticated client connected with MQTT v5 sent a
  malformed CONNACK message to the broker a NULL pointer dereference occurred,
  most likely resulting in a segfault. This will be updated with the CVE
  number when it is assigned.
  Affects versions 2.0.0 to 2.0.9 inclusive.
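CONNACK is a packet type that only a broker sends, so any CONNACK seen in client-to-broker traffic is worth flagging on brokers still running 2.0.0 to 2.0.9. The following is an added detection sketch, not Mosquitto's code and not the fix from #2163: it walks a captured client-to-broker byte stream and counts packets whose type the MQTT specification reserves for the broker. The function names and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse one MQTT fixed header. Returns the total packet size, or 0 if the
 * buffer is truncated or the Remaining Length field is malformed. */
static size_t mqtt_packet_len(const uint8_t *buf, size_t len, uint8_t *type)
{
    uint32_t remaining = 0;
    if (len < 2) return 0;
    *type = buf[0] >> 4;                          /* high nibble = packet type */
    for (size_t i = 1; i < len && i <= 4; i++) {  /* variable byte int, max 4 bytes */
        remaining |= (uint32_t)(buf[i] & 0x7F) << (7 * (i - 1));
        if (!(buf[i] & 0x80)) {                   /* last length byte reached */
            size_t total = i + 1 + remaining;
            return total <= len ? total : 0;
        }
    }
    return 0;
}

/* Types a client must never send: 0 (reserved), 2 CONNACK, 9 SUBACK,
 * 11 UNSUBACK, 13 PINGRESP. */
static int broker_only(uint8_t type)
{
    return type == 0 || type == 2 || type == 9 || type == 11 || type == 13;
}

/* Count broker-only packets in a client-to-broker stream; -1 if malformed. */
int count_broker_only_packets(const uint8_t *s, size_t len)
{
    int hits = 0;
    for (size_t off = 0; off < len; ) {
        uint8_t type;
        size_t n = mqtt_packet_len(s + off, len - off, &type);
        if (n == 0) return -1;
        if (broker_only(type)) hits++;
        off += n;
    }
    return hits;
}

/* Constructed sample: CONNECT (v5), a well-formed CONNACK, then PINGREQ. */
static const uint8_t sample[] = {
    0x10,0x0F, 0x00,0x04,'M','Q','T','T', 0x05, 0x02, 0x00,0x3C, 0x00, 0x00,0x02,'c','1',
    0x20,0x03, 0x00,0x00,0x00,
    0xC0,0x00 };

int main(void)
{
    printf("broker-only packets: %d\n", count_broker_only_packets(sample, sizeof sample));
    return 0;
}
```

A nonzero count from a single client connection is a reasonable trigger for an alert or for dropping the connection at a proxy in front of the broker until it is upgraded to 2.0.10.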

Conforms To UI/UX Guidelines
Not verified