Package        : mosquitto
Version        : 1.3.4-2+deb8u4
CVE ID         : CVE-2017-7655 CVE-2018-12550 CVE-2018-12551
                  CVE-2019-11779


Several issues have been found in mosquitto, an MQTT version 3.1/3.1.1
compatible message broker.

CVE-2017-7655

      A NULL pointer dereference vulnerability in the Mosquitto library
      could lead to crashes in applications using the library.


CVE-2018-12550

      An ACL file with no statements was treated as having a default
      allow policy. An empty ACL file now results in a default policy of
      access denied, which matches the behaviour of all newer releases.


CVE-2018-12551

      Malformed authentication data in the password file could allow
      clients to circumvent authentication and gain access to the broker.


CVE-2019-11779

      Fixes the processing of a crafted SUBSCRIBE packet containing a
      topic that consists of approximately 65400 or more '/' characters,
      by capping the topic hierarchy depth (TOPIC_HIERARCHY_LIMIT is set
      to 200).
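      As an added illustration of the depth cap this fix introduces (example
      code written for this advisory, not mosquitto's own implementation;
      TOPIC_HIERARCHY_LIMIT is the name from the advisory, the function names
      and the 200-separator threshold semantics are assumptions):

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value named in the advisory; the check below is an assumed reimplementation. */
#define TOPIC_HIERARCHY_LIMIT 200

/* Count the '/' separators in a topic filter, i.e. one less than its
 * number of hierarchy levels. */
size_t topic_separator_count(const char *topic)
{
    size_t count = 0;
    for (const char *p = topic; *p != '\0'; p++) {
        if (*p == '/') count++;
    }
    return count;
}

/* Returns 1 if a SUBSCRIBE topic filter is within the depth cap and
 * may be processed, 0 if the broker should reject it. */
int topic_depth_ok(const char *topic)
{
    if (topic == NULL || topic[0] == '\0') return 0;
    return topic_separator_count(topic) <= TOPIC_HIERARCHY_LIMIT;
}

/* Constructed input: a topic made of `slashes` '/' characters, the shape
 * the advisory describes. Returns 1 if the cap rejects it, 0 if it passes,
 * -1 on allocation failure. */
int crafted_topic_rejected(size_t slashes)
{
    char *buf = malloc(slashes + 1);
    if (buf == NULL) return -1;
    memset(buf, '/', slashes);
    buf[slashes] = '\0';
    int rejected = !topic_depth_ok(buf);
    free(buf);
    return rejected;
}

int main(void)
{
    printf("normal topic accepted: %d\n", topic_depth_ok("sensors/room1/temp"));
    printf("65400-slash topic rejected: %d\n", crafted_topic_rejected(65400));
    return 0;
}
```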


For Debian 8 "Jessie", these problems have been fixed in version
1.3.4-2+deb8u4.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-1972-1: mosquitto security update

October 26, 2019