Version 1.4.13 released

This is a bugfix and security release.

Security

  • Fix CVE-2017-9868. The persistence file was readable by all local users, potentially allowing sensitive information to be leaked. This can also be fixed administratively, by restricting access to the directory in which the persistence file is stored.

Broker

  • Fix for poor websockets performance.
  • Fix lazy bridges not timing out for idle_timeout. Closes #417.
  • Fix problems with large retained messages over websockets. Closes #427.
  • Set persistence file to only be readable by owner, except on Windows. Closes #468.
  • Fix CONNECT check for reserved=0, as per MQTT v3.1.1 check MQTT-3.1.2-3.
  • When the broker stops, wills for any connected clients are now sent. Closes #477.
  • Auth plugins can be configured to disable the check for +# in usernames/client ids with the auth_plugin_deny_special_chars option. Partially closes #462.
  • Restrictions for CVE-2017-7650 have been relaxed - '/' is allowed in usernames/client ids.
  • Remainder of fix for #462.
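
The reserved-flag bullet above refers to MQTT v3.1.1 rule [MQTT-3.1.2-3]: the server must check that bit 0 of the CONNECT flags byte is zero and disconnect the client if it is not. The following is an added example, not Mosquitto's parser, showing the CONNECT validation a conforming broker performs before it looks at the client id: protocol name ([MQTT-3.1.2-1]), protocol level ([MQTT-3.1.2-2]), the reserved flag ([MQTT-3.1.2-3]), and the will/username/password flag consistency rules. The packets are constructed locally by `build_connect()` (will and credential payload fields omitted); `ProtocolError`, `accepts()` and the field names in the returned dict are this example's own.

```python
"""Added example, not Mosquitto's own code: CONNECT flag validation for MQTT v3.1.1.
build_connect() constructs test packets; parse_connect() applies the checks."""
import struct


class ProtocolError(Exception):
    """Raised where the spec says the server MUST close the network connection."""


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer (7 data bits per byte, high bit = continue)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, offset: int):
    """Returns (length, offset of first body byte); at most four length bytes."""
    multiplier, value = 1, 0
    for i in range(4):
        byte = buf[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ProtocolError("malformed remaining length")


def build_connect(client_id: bytes = b"c1", flags: int = 0x02,
                  keepalive: int = 60, level: int = 4) -> bytes:
    """Constructed CONNECT packet: fixed header, variable header, client id only."""
    body = b"\x00\x04MQTT" + bytes([level, flags]) + struct.pack(">H", keepalive)
    body += struct.pack(">H", len(client_id)) + client_id
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> dict:
    if packet[0] >> 4 != 1 or packet[0] & 0x0F:
        raise ProtocolError("not a CONNECT packet, or reserved fixed-header flags set")
    remaining, pos = decode_remaining_length(packet, 1)
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise ProtocolError("truncated packet")
    name_len = struct.unpack_from(">H", body, 0)[0]
    p = 2 + name_len                      # index of the protocol level byte
    if p + 6 > len(body):
        raise ProtocolError("truncated variable header")
    name, level, flags = body[2:p], body[p], body[p + 1]
    keepalive = struct.unpack_from(">H", body, p + 2)[0]
    if name != b"MQTT":                   # [MQTT-3.1.2-1]: server may disconnect
        raise ProtocolError("unexpected protocol name %r" % name)
    if level != 4:                        # [MQTT-3.1.2-2]: CONNACK 0x01, then disconnect
        raise ProtocolError("unsupported protocol level %d" % level)
    if flags & 0x01:                      # [MQTT-3.1.2-3]: reserved flag must be zero
        raise ProtocolError("reserved CONNECT flag is set")
    will_flag = bool(flags & 0x04)
    will_qos = (flags >> 3) & 0x03
    will_retain = bool(flags & 0x20)
    # Will QoS 3 is never valid; without a will, will QoS and will retain must be 0.
    if will_qos == 3 or (not will_flag and (will_qos or will_retain)):
        raise ProtocolError("inconsistent will flags")
    if flags & 0x40 and not flags & 0x80:
        raise ProtocolError("password flag set without username flag")
    cid_len = struct.unpack_from(">H", body, p + 4)[0]
    if p + 6 + cid_len > len(body):
        raise ProtocolError("truncated client id")
    return {"clean_session": bool(flags & 0x02), "will": will_flag,
            "will_qos": will_qos, "keepalive": keepalive,
            "client_id": body[p + 6:p + 6 + cid_len]}


def accepts(packet: bytes) -> bool:
    """Would a conforming broker proceed with this CONNECT?"""
    try:
        parse_connect(packet)
        return True
    except ProtocolError:
        return False
```

Flags byte 0x02 is a plain clean-session connect; 0x03 is the same with the reserved bit set, which a pre-1.4.13 broker accepted and a conforming broker must reject by closing the connection.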

Clients

  • Don't use / in auto-generated client ids.

Security advisory: CVE-2017-9868

A vulnerability exists in Mosquitto versions 0.15 to 1.4.12 inclusive known as CVE-2017-9868.

If persistence is enabled, then the persistence file is created world readable, which has the potential to make sensitive information available to any local user.

Patches are available to fix this for Unix-like operating systems (i.e. not Windows): https://mosquitto.org/files/cve/2017-9868/

This will be fixed in version 1.4.13, due to be released shortly.

This can also be fixed administratively by removing world access (read and search permissions) from the directory that the persistence file is stored in, since a process cannot open a file inside a directory it is not allowed to search. On many systems this can be achieved with:

chmod 700 /var/lib/mosquitto
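
The following is an added example (not Mosquitto's code, and not the patch linked above) that audits whether a persistence file is readable by other local users and applies the administrative fix together with the owner-only file mode that 1.4.13 sets. It runs against a temporary directory it constructs itself; `others_can_read()`, `owner_only()`, `harden()` and `demo()` are this example's own names, and the 0644/0755 starting modes are an assumption about what a vulnerable broker produced under a umask of 022. On a real host, point it at the configured persistence_location directory (for example /var/lib/mosquitto) instead.

```python
"""Added example, not Mosquitto's own code: audit and fix persistence file exposure
(CVE-2017-9868). Paths are constructed in a temporary directory."""
import os
import stat
import tempfile


def others_can_read(dir_path: str, file_name: str = "mosquitto.db") -> bool:
    """True if a user who is neither the owner nor in the group could open the
    file for reading. On Unix that needs read permission on the file AND search
    (execute) permission on the directory, so removing either closes the hole;
    chmod 700 on the directory removes both read and search."""
    dir_mode = os.stat(dir_path).st_mode
    file_mode = os.stat(os.path.join(dir_path, file_name)).st_mode
    return bool(dir_mode & stat.S_IXOTH) and bool(file_mode & stat.S_IROTH)


def owner_only(path: str) -> bool:
    """True if no group or other permission bits are set at all."""
    return os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def harden(dir_path: str, file_name: str = "mosquitto.db") -> None:
    """The administrative fix from the advisory (directory 0700) plus the
    owner-only file mode that 1.4.13 applies itself (0600)."""
    os.chmod(dir_path, 0o700)
    os.chmod(os.path.join(dir_path, file_name), 0o600)


def demo() -> tuple:
    """Constructed scenario: world-readable file in a world-searchable directory,
    assumed to be what 0.15-1.4.12 left behind under a umask of 022."""
    d = tempfile.mkdtemp()
    db = os.path.join(d, "mosquitto.db")
    with open(db, "wb") as f:
        f.write(b"placeholder, not a real persistence file")
    os.chmod(d, 0o755)
    os.chmod(db, 0o644)
    before = others_can_read(d)
    harden(d)
    after = others_can_read(d)
    return before, after, owner_only(db)
```

`demo()` returns `(True, False, True)`: exposed before, closed after, and the file itself owner-only. Note that `others_can_read()` only inspects the persistence directory; every parent directory on the path must also be searchable for the exposure to be real, so a stricter parent closes it as well.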

Security advisory: CVE-2017-7650

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11 inclusive known as CVE-2017-7650.

Pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.

The issue is fixed in Mosquitto 1.4.12, which has just been released. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7650

The fix addresses the problem by restricting access for clients with a '#', '+', or '/' in their username or client id. '/' has been included in the list of characters disallowed because it also has a special meaning in a topic and may represent an additional risk. The restriction placed on clients is that they may not receive or send messages that are subject to a pattern based ACL check, nor any message that is subject to a plugin check.
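
The mechanism is easiest to see with the substitution written out. A `pattern` ACL line substitutes `%u` (username) and `%c` (client id) into the topic filter before matching, so a username of `+` turns `sensors/%u/#` into `sensors/+/#`, and `#` turns it into `sensors/#/#`; both match every user's subtree. The following is an added example, not Mosquitto's ACL code: a standard MQTT filter matcher, the substitution, and the fix as described above (refusing pattern-ACL access to any client whose username or client id contains `+`, `#` or `/`). The ACL line, usernames and topics are constructed for illustration, and `deny_special_chars=False` reproduces the vulnerable behaviour.

```python
"""Added example, not Mosquitto's own code: pattern ACL bypass (CVE-2017-7650)
and the 1.4.12-style fix. ACL lines and identities below are constructed."""

DISALLOWED = frozenset("+#/")   # characters the fix refuses in usernames / client ids


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Standard MQTT filter matching: '+' matches exactly one level, '#' the rest."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def expand_pattern(pattern: str, username: str, client_id: str) -> str:
    """A 'pattern' ACL line substitutes %u and %c before matching."""
    return pattern.replace("%u", username).replace("%c", client_id)


def pattern_acl_allows(pattern: str, username: str, client_id: str, topic: str,
                       deny_special_chars: bool = True) -> bool:
    """Fixed behaviour by default: a client whose identity contains a wildcard
    or '/' gets no access via pattern ACLs at all, before any substitution."""
    if deny_special_chars and any(ch in DISALLOWED for ch in username + client_id):
        return False
    return topic_matches(expand_pattern(pattern, username, client_id), topic)


def demo() -> dict:
    user_acl = "sensors/%u/#"    # each user may read only its own subtree
    dev_acl = "devices/%c/#"     # each device may read only its own subtree
    return {
        "alice_own": pattern_acl_allows(user_acl, "alice", "c1", "sensors/alice/temp"),
        "alice_other": pattern_acl_allows(user_acl, "alice", "c1", "sensors/bob/temp"),
        "plus_vuln": pattern_acl_allows(user_acl, "+", "c1", "sensors/bob/temp", False),
        "hash_vuln": pattern_acl_allows(user_acl, "#", "c1", "sensors/bob/temp", False),
        "cid_vuln": pattern_acl_allows(dev_acl, "alice", "#", "devices/dev42/cmd", False),
        "plus_fixed": pattern_acl_allows(user_acl, "+", "c1", "sensors/bob/temp"),
        "hash_fixed": pattern_acl_allows(user_acl, "#", "c1", "sensors/bob/temp"),
        "cid_fixed": pattern_acl_allows(dev_acl, "alice", "#", "devices/dev42/cmd"),
        "slash_fixed": pattern_acl_allows(user_acl, "a/b", "c1", "sensors/a/b/temp"),
    }
```

Note that the fix operates on the identity, not on the expanded filter: with 1.4.12 a client whose username or client id contains one of these characters can still connect, but every pattern ACL (and, per the advisory, every plugin check) answers "deny" for it, which is why the 1.4.13 option to disable that check only applies to deployments that are sure their plugin handles such identities safely.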

Thanks to Artem Zinenko from HackerDom CTF team for finding this vulnerability and responsibly reporting it.

Complete list of fixes addressed in version 1.4.12:

Broker

  • Fix mosquitto.db from becoming corrupted due to client messages being persisted with no stored message. Closes #424.
  • Fix bridge not restarting properly. Closes #428.
  • Fix uninitialized memory in gets_quiet on Windows. Closes #426.
  • Fix building with WITH_ADNS=no for systems that don't use glibc. Closes #415.
  • Fixes to readme.md.
  • Fix deprecation warning for OpenSSL 1.1. PR #416.
  • Don't segfault on duplicate bridge names. Closes #446.
  • Fix CVE-2017-7650.

Version 1.4.11 released

This is a bugfix release.

Broker

  • Fix crash when "lazy" type bridge attempts to reconnect. Closes #259.
  • maximum_connections now applies to websockets listeners. Closes #271.
  • Allow bridges to use TLS with IPv6.
  • Don't error on zero length persistence files. Closes #316.
  • For http-only websockets clients, close files served over http in all cases when the client disconnects. Closes #354.
  • Fix error message when websockets http_dir directory does not exist.
  • Improve password utility error message. Closes #379.
  • Bridges can use asynchronous DNS lookups on systems with glibc. This can be enabled at compile time using WITH_ADNS=yes.

Clients

  • Use of --ciphers no longer requires you to also pass --tls-version. Closes #380.

Client library

  • Clients can now use TLS with IPv6.
  • Fix potential socket leakage when reconnecting. Closes #304.
  • Fix potential negative timeout being passed to pselect. Closes #329.