[3.7] mosquitto: Multiple vulnerabilities (CVE-2018-12546, CVE-2018-12550, CVE-2018-12551)
CVE-2018-12546: If a client publishes a retained message to a topic
that they have access to, and then their access to that topic is
the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration
option check_retain_source has been introduced to enforce checking of the retained message source on publish.
CVE-2018-12550: If an ACL file is empty, or has only blank lines or
comments, then mosquitto treats the ACL file as not being defined,
which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is
unexpected and could lead to access being incorrectly granted in some circumstances.
Affects versions 1.0 to 1.5.5 inclusive.
CVE-2018-12551: If Mosquitto is configured to use a password file
for authentication, any malformed data in the password file will be
treated as valid.
This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access
to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected.
Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability.
Affects version 1.0 to 1.5.5 inclusive
(from redmine: issue id 10270, created on 2019-04-16)
- parent #10268 (closed)