Debian LTS: DLA-1972-1: mosquitto security update
Summary
CVE-2017-7655
A Null dereference vulnerability in the Mosquitto library could
lead to crashes for those applications using the library.
CVE-2018-12550
An ACL file with no statements was treated as having a default
allow policy. The new behaviour of an empty ACL file is a default
policy of access denied.
(this is in compliance with all newer releases)
CVE-2018-12551
Malformed authentication data in the password file could allow
clients to circumvent authentication and get access to the broker.
CVE-2019-11779
Fix for processing a crafted SUBSCRIBE packet containing a topic
that consists of approximately 65400 or more '/' characters.
(setting TOPIC_HIERARCHY_LIMIT to 200)
For Debian 8 "Jessie", these problems have been fixed in version
1.3.4-2+deb8u4.
We recommend that you upgrade your mosquitto packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
...
![Dist Debian](/images/distros/dist-debian.png)