Mosquitto 1.5.3 has been released to address a security vulnerability. It also includes other bug fixes.
A vulnerability exists in Mosquitto versions 1.5 to 1.5.2 inclusive, known as CVE-2018-12543.
If a message received by the broker has a topic that begins with
$, but that
does not begin
$SYS, an assert is triggered that should otherwise not be
accessible, causing Mosquitto to exit.
The issue is fixed in Mosquitto 1.5.3. Patches for older versions are available at https://mosquitto.org/files/cve/2018-12543
The fix addresses the problem by reverting a commit that intended to remove some unused checks, but also stopped part of the topic hierarchy being created.
Version 1.5.3 Changes
The complete list of fixes addressed in version 1.5.3 is:
- Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that
$, but is not
$SYS, then an assert that should be unreachable is triggered and Mosquitto will exit.
- Elevate log level to warning for situation when socket limit is hit.
- Remove requirement to use
user rootin snap package config files.
- Fix retained messages not sent by bridges on outgoing topics at the first connection. Closes #701.
- Documentation fixes. Closes #520, #600.
- Fix duplicate clients being added to by_id hash before the old client was removed. Closes #645.
- Fix Windows version not starting if
include_dirdid not contain any files. Closes #566.
- Various fixes to ease building.