[3.8] mosquitto: Multiple vulnerabilities (CVE-2018-12546, CVE-2018-12550, CVE-2018-12551)
CVE-2018-12546: If a client publishes a retained message to a topic
that they have access to, and then their access to that topic is
revoked, the retained message will still be delivered to future
subscribers. This behaviour may be undesirable in some applications,
so a configuration option check_retain_source has been introduced to
enforce checking of the retained message source on publish.
References:
https://mosquitto.org/blog/2019/02/version-1-5-6-released/
https://mosquitto.org/files/cve/2018-12546/
CVE-2018-12550: If an ACL file is empty, or has only blank lines or
comments, then mosquitto treats the ACL file as not being defined,
which means that no topic access is denied. Although denying access to
all topics is not a useful configuration, this behaviour is
unexpected and could lead to access being incorrectly granted in some
circumstances.
Affects versions 1.0 to 1.5.5 inclusive.
References:
https://mosquitto.org/blog/2019/02/version-1-5-6-released/
https://mosquitto.org/files/cve/2018-12550/
CVE-2018-12551: If Mosquitto is configured to use a password file
for authentication, any malformed data in the password file will be
treated as valid.
This typically means that the malformed data becomes a username and no
password. If this occurs, clients can circumvent authentication and get
access to the broker by using the malformed username. In particular, a
blank line will be treated as a valid empty username. Other security
measures are unaffected.
Users who have only used the mosquitto_passwd utility to create and
modify their password files are unaffected by this vulnerability.
Affects versions 1.0 to 1.5.5 inclusive.
References:
https://mosquitto.org/blog/2019/02/version-1-5-6-released/
https://mosquitto.org/files/cve/2018-12551/
(from redmine: issue id 10269, created on 2019-04-16)
- Relations:
- parent #10268 (closed)
- Changesets:
- Revision 231048d9 on 2019-04-17T14:38:46Z:
main/mosquitto: security fixes (CVE-2018-12550, CVE-2018-12551)
Partially fixes #10269
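
An added example, not part of the original issue or of mosquitto's code: a Python check for the file conditions described under CVE-2018-12550 and CVE-2018-12551 above. It assumes a well-formed password entry is `username:hash` with both parts non-empty and that ACL comments start with `#`; the function names and sample data are constructed for illustration.

```python
"""Audit mosquitto password and ACL files for the conditions in
CVE-2018-12550 and CVE-2018-12551 (added example, not mosquitto code)."""


def audit_password_file(text):
    """Return (line_number, reason) for every line that is not a
    well-formed 'username:hash' entry.

    Assumption: a valid entry has a non-empty username, one separating
    colon and a non-empty hash, as written by mosquitto_passwd.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            findings.append((number, "blank line (parsed as empty username)"))
            continue
        username, colon, pw_hash = line.partition(":")
        if not colon:
            findings.append((number, "no ':' separator (username without password)"))
        elif not username.strip():
            findings.append((number, "empty username"))
        elif not pw_hash.strip():
            findings.append((number, "empty password hash"))
    return findings


def acl_file_is_effectively_empty(text):
    """True when the ACL file holds only blank lines or '#' comments,
    the case affected versions treat as 'no ACL file defined'."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            return False
    return True


# Constructed sample inputs, not taken from any real deployment.
SAMPLE_PASSWORDS = "alice:$6$c2FsdA==$aGFzaA==\n\nbob\n:$6$c2FsdA==$aGFzaA==\ncarol:\n"
SAMPLE_ACL_EMPTY = "# topic rules go here\n\n   \n"
SAMPLE_ACL_OK = "# sensors\nuser alice\ntopic read sensors/#\n"

if __name__ == "__main__":
    for number, reason in audit_password_file(SAMPLE_PASSWORDS):
        print(f"password file line {number}: {reason}")
    print("empty ACL:", acl_file_is_effectively_empty(SAMPLE_ACL_EMPTY))
```

Running both checks against the deployed files before and after upgrading shows whether a broker in the affected version range was exposed to either condition.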