Message ID | 20190918143840.19328-1-peter@korsgaard.com |
---|---|
State | Accepted |
Headers | show |
Series | package/mosquitto: security bump to version 1.6.6 | expand |
Hello Peter and all, On 9/18/19 4:38 PM, Peter Korsgaard wrote: > Fixes a security issue. From the annoncement: > > A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive. > > If a client sends a SUBSCRIBE packet containing a topic that consists of > approximately 65400 or more '/' characters, i.e. the topic hierarchy > separator, then a stack overflow will occur. > > The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions > are available at https://mosquitto.org/files/cve/2019-hier > > The fix addresses the problem by restricting the allowed number of topic > hierarchy levels to 200. An alternative fix is to increase the size of the > stack by a small amount. > > https://mosquitto.org/blog/2019/09/version-1-6-6-released/ > > Also notice that 1.6.5 silently fixed a security issue: > > CVE-2019-11778 > > A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778 > > If an MQTT v5 client connects to Mosquitto, sets a last will and testament, > sets a will delay interval, sets a session expiry interval, and the will > delay interval is set longer than the session expiry interval, then a use > after free error occurs, which has the potential to cause a crash in some > situations. > Do you also intend to backport this into 2019.02 ? > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Reviewed by: Titouan Christophe <titouan.christophe@railnova.eu> > --- > package/mosquitto/mosquitto.hash | 2 +- > package/mosquitto/mosquitto.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/mosquitto/mosquitto.hash b/package/mosquitto/mosquitto.hash > index aa6eeaf13a..23854bd401 100644 > --- a/package/mosquitto/mosquitto.hash > +++ b/package/mosquitto/mosquitto.hash > @@ -1,5 +1,5 @@ > # Locally calculated after checking gpg signature > -sha256 bc71b38b5a26fc7cc772853e5607c657868db9f9a6d2b15e2b677649a0f85d20 mosquitto-1.6.5.tar.gz > +sha256 82676bf4201ff102be1511b56b041a9450fbbfeda40b21aa28be0fee56e8de17 mosquitto-1.6.6.tar.gz > > # License files > sha256 cc77e25bafd40637b7084f04086d606f0a200051b61806f97c93405926670bc1 LICENSE.txt > diff --git a/package/mosquitto/mosquitto.mk b/package/mosquitto/mosquitto.mk > index fd8e6df26a..932855107e 100644 > --- a/package/mosquitto/mosquitto.mk > +++ b/package/mosquitto/mosquitto.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -MOSQUITTO_VERSION = 1.6.5 > +MOSQUITTO_VERSION = 1.6.6 > MOSQUITTO_SITE = https://mosquitto.org/files/source > MOSQUITTO_LICENSE = EPL-1.0 or EDLv1.0 > MOSQUITTO_LICENSE_FILES = LICENSE.txt epl-v10 edl-v10 >
>>>>> "Titouan" == Titouan Christophe <titouan.christophe@railnova.eu> writes: > Hello Peter and all, > On 9/18/19 4:38 PM, Peter Korsgaard wrote: >> Fixes a security issue. From the annoncement: >> >> A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive. >> >> If a client sends a SUBSCRIBE packet containing a topic that consists of >> approximately 65400 or more '/' characters, i.e. the topic hierarchy >> separator, then a stack overflow will occur. >> >> The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions >> are available at https://mosquitto.org/files/cve/2019-hier >> >> The fix addresses the problem by restricting the allowed number of topic >> hierarchy levels to 200. An alternative fix is to increase the size of the >> stack by a small amount. >> >> https://mosquitto.org/blog/2019/09/version-1-6-6-released/ >> >> Also notice that 1.6.5 silently fixed a security issue: >> >> CVE-2019-11778 >> >> A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778 >> >> If an MQTT v5 client connects to Mosquitto, sets a last will and testament, >> sets a will delay interval, sets a session expiry interval, and the will >> delay interval is set longer than the session expiry interval, then a use >> after free error occurs, which has the potential to cause a crash in some >> situations. >> > Do you also intend to backport this into 2019.02 ? Yes, but 2019.02.x uses 1.5.8, so there it makes more sense to move to 1.5.9.
On Wed, 18 Sep 2019 16:38:39 +0200 Peter Korsgaard <peter@korsgaard.com> wrote: > Fixes a security issue. From the annoncement: > > A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive. > > If a client sends a SUBSCRIBE packet containing a topic that consists of > approximately 65400 or more '/' characters, i.e. the topic hierarchy > separator, then a stack overflow will occur. > > The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions > are available at https://mosquitto.org/files/cve/2019-hier > > The fix addresses the problem by restricting the allowed number of topic > hierarchy levels to 200. An alternative fix is to increase the size of the > stack by a small amount. > > https://mosquitto.org/blog/2019/09/version-1-6-6-released/ > > Also notice that 1.6.5 silently fixed a security issue: > > CVE-2019-11778 > > A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778 > > If an MQTT v5 client connects to Mosquitto, sets a last will and testament, > sets a will delay interval, sets a session expiry interval, and the will > delay interval is set longer than the session expiry interval, then a use > after free error occurs, which has the potential to cause a crash in some > situations. > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > --- > package/mosquitto/mosquitto.hash | 2 +- > package/mosquitto/mosquitto.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) Applied to master, thanks. Thomas
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes a security issue. From the annoncement: > A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive. > If a client sends a SUBSCRIBE packet containing a topic that consists of > approximately 65400 or more '/' characters, i.e. the topic hierarchy > separator, then a stack overflow will occur. > The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions > are available at https://mosquitto.org/files/cve/2019-hier > The fix addresses the problem by restricting the allowed number of topic > hierarchy levels to 200. An alternative fix is to increase the size of the > stack by a small amount. > https://mosquitto.org/blog/2019/09/version-1-6-6-released/ > Also notice that 1.6.5 silently fixed a security issue: > CVE-2019-11778 > A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778 > If an MQTT v5 client connects to Mosquitto, sets a last will and testament, > sets a will delay interval, sets a session expiry interval, and the will > delay interval is set longer than the session expiry interval, then a use > after free error occurs, which has the potential to cause a crash in some > situations. > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2019.08.x, thanks.
diff --git a/package/mosquitto/mosquitto.hash b/package/mosquitto/mosquitto.hash index aa6eeaf13a..23854bd401 100644 --- a/package/mosquitto/mosquitto.hash +++ b/package/mosquitto/mosquitto.hash @@ -1,5 +1,5 @@ # Locally calculated after checking gpg signature -sha256 bc71b38b5a26fc7cc772853e5607c657868db9f9a6d2b15e2b677649a0f85d20 mosquitto-1.6.5.tar.gz +sha256 82676bf4201ff102be1511b56b041a9450fbbfeda40b21aa28be0fee56e8de17 mosquitto-1.6.6.tar.gz # License files sha256 cc77e25bafd40637b7084f04086d606f0a200051b61806f97c93405926670bc1 LICENSE.txt diff --git a/package/mosquitto/mosquitto.mk b/package/mosquitto/mosquitto.mk index fd8e6df26a..932855107e 100644 --- a/package/mosquitto/mosquitto.mk +++ b/package/mosquitto/mosquitto.mk @@ -4,7 +4,7 @@ # ################################################################################ -MOSQUITTO_VERSION = 1.6.5 +MOSQUITTO_VERSION = 1.6.6 MOSQUITTO_SITE = https://mosquitto.org/files/source MOSQUITTO_LICENSE = EPL-1.0 or EDLv1.0 MOSQUITTO_LICENSE_FILES = LICENSE.txt epl-v10 edl-v10
Fixes a security issue. From the annoncement: A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive. If a client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur. The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions are available at https://mosquitto.org/files/cve/2019-hier The fix addresses the problem by restricting the allowed number of topic hierarchy levels to 200. An alternative fix is to increase the size of the stack by a small amount. https://mosquitto.org/blog/2019/09/version-1-6-6-released/ Also notice that 1.6.5 silently fixed a security issue: CVE-2019-11778 A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778 If an MQTT v5 client connects to Mosquitto, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/mosquitto/mosquitto.hash | 2 +- package/mosquitto/mosquitto.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)