Version 1.5.6 released

Mosquitto 1.5.6 has been released to address three potential security vulnerabilities.

CVE-2018-12551

If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. Affects version 1.0 to 1.5.5 inclusive.

Patches for older versions are available at https://mosquitto.org/files/cve/2018-12551

CVE-2018-12550

If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. Affects versions 1.0 to 1.5.5 inclusive.

Patches for older versions are available at https://mosquitto.org/files/cve/2018-12550

CVE-2018-12546

If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option check_retain_source has been introduced to enforce checking of the retained message source on publish.

Patches for older versions are available at https://mosquitto.org/files/cve/2018-12546

Version 1.5.6 Changes

The list of other fixes addressed in version 1.5.6 is:

Broker

  • Fixed comment handling for config options that have optional arguments.
  • Improved documentation around bridge topic remapping.
  • Handle mismatched handshakes (e.g. QoS1 PUBLISH with QoS2 reply) properly.
  • Fix spaces not being allowed in the bridge remote_username option. Closes #1131.
  • Allow broker to always restart on Windows when using log_dest file. Closes #1080.
  • Fix Will not being sent for Websockets clients. Closes #1143.
  • Windows: Fix possible crash when client disconnects. Closes #1137.
  • Fixed durable clients being unable to receive messages when offline, when per_listener_settings was set to true. Closes #1081.
  • Add log message for the case where a client is disconnected for sending a topic with invalid UTF-8. Closes #1144.

Library

  • Fix TLS connections not working over SOCKS.
  • Don't clear SSL context when TLS connection is closed, meaning if a user provided an external SSL_CTX they have less chance of leaking references.

Build

  • Fix comparison of boolean values in CMake build. Closes #1101.
  • Fix compilation when openssl deprecated APIs are not available. Closes #1094.
  • Man pages can now be built on any system. Closes #1139.

Version 1.5.5 released

This is a bugfix and security release.

Version 1.5.5 changes

Security

  • If per_listener_settings is set to true, then the acl_file setting was ignored for the "default listener" only. This has been fixed. This does not affect any listeners defined with the listener option. Closes #1073. This is now tracked as CVE-2018-20145.

Broker

  • Add socket_domain option to allow listeners to disable IPv6 support. This is required to work around a problem in libwebsockets that means sockets only listen on IPv6 by default if IPv6 support is compiled in. Closes #1004.
  • When using ADNS, don't ask for all network protocols when connecting, because this can lead to confusing "Protocol not supported" errors if the network is down. Closes #1062.
  • Fix outgoing retained messages not being sent by bridges on initial connection. Closes #1040.
  • Don't reload auth_opt_ options on reload, to match the behaviour of the other plugin options. Closes #1068.
  • Print message on error when installing/uninstalling as a Windows service.
  • All non-error connect/disconnect messages are controlled by the connection_messages option. Closes #772. Closes #613. Closes #537.

Library

  • Fix reconnect delay backoff behaviour. Closes #1027.
  • Don't call on_disconnect() twice if keepalive tests fail. Closes #1067.

Client

  • Always print leading zeros in mosquitto_sub when output format is hex. Closes #1066.

Build

  • Fix building where TLS-PSK is not available. Closes #68.

MQTT 5 progress

Development of support for MQTT 5 is ongoing and making good progress, but has been substantially delayed due to other non-Mosquitto work having to take priority.

It is possible to test the current state of MQTT 5 support by using the mqtt5 branch of the repository. Please note that this is very much a work in progress, so parts are incomplete and interfaces may yet change. The client library in particular has had to have an increase in functions available in order to provide the features needed whilst providing backwards compatibility. Part of the plan for the 2.0 release, which will follow after 1.6, is to consolidate the libmosquitto API with breaking changes. There are more details on the roadmap.

Current features include:

  • Support for all incoming and outgoing packets, although not everything is processed.
  • Support for sending and receiving all properties, with not all properties processed.
  • Client support for setting properties
  • Request/response support (client cannot process incoming correlation data)
  • Retain availability
  • Message expiry interval support
  • Server support for assigned client identifiers
  • Payload format indicator support
  • Content-type support
  • Basic topic alias support from client to broker
  • Lots of new tests

Both mosquitto_pub and mosquitto_sub support setting properties on the command line, for example:

mosquitto_sub -t topic -v -D connect session-expiry-interval 60 -D connect user-property key value -D subscribe user-property sub-key sub-value
mosquitto_pub -t topic -m '{"key":"value"}' -D publish content-type "application/json"
./sensor_read.sh | mosquitto_pub -t topic -l  -D publish topic-alias 1

Further updates will be posted when more features are available.


Version 1.5.4 released

This is a bugfix and security release.

Version 1.5.4 changes

Security

  • When using a TLS enabled websockets listener with require_certificate enabled, the mosquitto broker does not correctly verify client certificates. This is now fixed. All other security measures operate as expected, and in particular non-websockets listeners are not affected by this. Closes #996.

Broker

  • Process all pending messages even when a client has disconnected. This means a client that send a PUBLISH then DISCONNECT quickly, then disconnects will have its DISCONNECT message processed properly and so no Will will be sent. Closes #7.
  • $SYS/broker/clients/disconnected should never be negative. Closes #287.
  • Give better error message if a client sends a password without a username. Closes #1015.
  • Fix bridge not honoring restart_timeout. Closes #1019.
  • Don't disconnect a client if an auth plugin denies access to SUBSCRIBE. Closes #1016.

Library

  • Fix memory leak that occurred if mosquitto_reconnect() was used when TLS errors were present. Closes #592.
  • Fix TLS connections when using an external event loop with mosquitto_loop_read() and mosquitto_write(). Closes #990.

Build

  • Fix clients not being compiled with threading support when using CMake. Closes #983.
  • Header fixes for FreeBSD. Closes #977.
  • Use _GNU_SOURCE to fix build errors in websockets and getaddrinfo usage. Closes [#862] and #933.
  • Fix builds on QNX 7.0.0. Closes #1018.

Security advisory: CVE-2018-12543

Mosquitto 1.5.3 has been released to address a security vulnerability. It also includes other bug fixes.

CVE-2018-12543

A vulnerability exists in Mosquitto versions 1.5 to 1.5.2 inclusive, known as CVE-2018-12543.

If a message received by the broker has a topic that begins with $, but that does not begin $SYS, an assert is triggered that should otherwise not be accessible, causing Mosquitto to exit.

The issue is fixed in Mosquitto 1.5.3. Patches for older versions are available at https://mosquitto.org/files/cve/2018-12543

The fix addresses the problem by reverting a commit that intended to remove some unused checks, but also stopped part of the topic hierarchy being created.

Version 1.5.3 Changes

The complete list of fixes addressed in version 1.5.3 is:

Security

  • Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and Mosquitto will exit.

Broker

  • Elevate log level to warning for situation when socket limit is hit.
  • Remove requirement to use user root in snap package config files.
  • Fix retained messages not sent by bridges on outgoing topics at the first connection. Closes #701.
  • Documentation fixes. Closes #520, #600.
  • Fix duplicate clients being added to by_id hash before the old client was removed. Closes #645.
  • Fix Windows version not starting if include_dir did not contain any files. Closes #566.

Build

  • Various fixes to ease building.

Version 1.6.6 released

Mosquitto 1.6.6 and 1.5.9 have been released to address two security vulnerabilities.

Titles and links will be updated once the CVE numbers are assigned.

CVE-2019-11779

A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive, known as CVE-2019-11779.

If a client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.

The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions are available at https://mosquitto.org/files/cve/2019-11779

The fix addresses the problem by restricting the allowed number of topic hierarchy levels to 200. An alternative fix is to increase the size of the stack by a small amount.

CVE-2019-11778

A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778

If an MQTT v5 client connects to Mosquitto, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.

The issue is fixed in Mosquitto 1.6.5. Patches for older versions are available at https://mosquitto.org/files/cve/2019-11778

Version 1.6.6 Changes

The complete list of fixes addressed in version 1.6.6 is:

Security

  • Restrict topic hierarchy to 200 levels to prevent possible stack overflow. Closes #1412.

Broker

  • Restrict topic hierarchy to 200 levels to prevent possible stack overflow. Closes #1412.
  • mosquitto_passwd now returns 1 when attempting to update a user that does not exist. Closes #1414.

Version 1.5.2 released

This is a bugfix release.

Version 1.5.2 changes

Broker

  • Fix build when using WITH_ADNS=yes.
  • Fix incorrect call to setsockopt() for TCP_NODELAY. Closes #941.
  • Fix excessive CPU usage when the number of sockets exceeds the system limit. Closes #948.
  • Fix for bridge connections when using WITH_ADNS=yes.
  • Fix round_robin false behaviour. Closes #481.
  • Fix segfault on HUP when bridges and security options are configured. Closes #965.

Library

  • Fix situation where username and password is used with SOCKS5 proxy. Closes #927.
  • Fix SOCKS5 behaviour when passing IP addresses. Closes #927.

Build

  • Make it easier to build without bundled uthash.h using WITH_BUNDLED_DEPS=no.
  • Fix build with OPENSSL_NO_ENGINE. Closes #932.

Version 1.5.1 released

This is a bugfix release.

Packaging changes

  • The snap package now has support for websockets included.
  • The Windows packages have changed.
    • Support for Windows XP was dropped in Mosquitto 1.5, so the need for the Cygwin build has gone, and this has been dropped.
    • There are now 64-bit and 32-bit native packages.
    • Websockets support is included.
    • Threading support is not included in libmosquitto to simplify installation, alternative solutions are being looked into for the future.
    • The only external dependency is now OpenSSL.

Version 1.5.1 changes

Broker

  • Fix plugin cleanup function not being called on exit of the broker. Closes #900.
  • Print more OpenSSL errors when loading certificates/keys fail.
  • Use AF_UNSPEC etc. instead of PF_UNSPEC to comply with POSIX. Closes #863.
  • Remove use of AI_ADDRCONFIG, which means the broker can be used on systems where only the loopback interface is defined. Closes #869, Closes #901.
  • Fix IPv6 addresses not being able to be used as bridge addresses. Closes #886.
  • All clients now time out if they exceed their keepalive*1.5, rather than just reach it. This was inconsistent in two places.
  • Fix segfault on startup if bridge CA certificates could not be read. Closes #851.
  • Fix problem opening listeners on Pi caused by unsigned char being default. Found via #849.
  • ACL patterns that do not contain either %c or %u now produce a warning in the log. Closes #209.
  • Fix bridge publishing failing when per_listener_settings was true. Closes #860.
  • Fix use_identity_as_username true not working. Closes #833.
  • Fix UNSUBACK messages not being logged. Closes #903.
  • Fix possible endian issue when reading the memory_limit option.
  • Fix building for libwebsockets < 1.6.
  • Fix accessor functions for username and client id when used in plugin auth check.

Library

  • Fix some places where return codes were incorrect, including to the on_disconnect() callback. This has resulted in two new error codes, MOSQ_ERR_KEEPALIVE and MOSQ_ERR_LOOKUP.
  • Fix connection problems when mosquitto_loop_start() was called before mosquitto_connect_async(). Closes #848.

Clients

  • When compiled using WITH_TLS=no, the default port was incorrectly being set to -1. This has been fixed.
  • Fix compiling on Mac OS X <10.12. Closes #813 and #240.

Build

  • Fixes for building on NetBSD. Closes #258.
  • Fixes for building on FreeBSD.
  • Add support for compiling with static libwebsockets library.

Updated Debian Repository Backend

The backend software for administering the Debian repository at https://repo.mosquitto.org/ has been migrated from reprepro to aptly. This has the benefit of allowing multiple versions of a package to remain in the repository.

For mosquitto, this now means that old versions of the Debian packages will remain available even after newer versions are published, and so you can depend on a particular version. The recommendation is always to use the latest version of course.

This change should be transparent to all current users, but there is the possibility that something is different between the two repository tools. If you do find a problem, please let us know.

The repository now has builds for versions 1.4.15 and 1.5.


Press release

I am pleased to announce that I am being paid to work on Mosquitto by Cedalo AG. I will be leaving my current job at the end of June this year, but have already started work for Cedalo on a limited basis.

The press release for this change is below:

New 1.5 release, MQTT 5.0 roadmap and commercial sponsor for Open-Source Eclipse Mosquitto MQTT Broker

Open-Source MQTT Broker Version 1.5 released – Estimate for availability of MQTT 5.0 compliant version – German based Cedalo AG becomes commercial sponsor for future Mosquitto Open Source development

A new version of the open source Eclipse Mosquitto MQTT broker is available on the Mosquitto website at mosquitto.org. Mosquitto version 1.5 brings a host of changes to the broker, including performance improvements and more flexible authentication and access control, as well as numerous bug fixes. The client library has added some helper functions to allow the creation of extremely simple MQTT clients.

The initiator and core developer of the Mosquitto project is now employed by the German based company Cedalo AG (www.cedalo.com). Cedalo has hired Roger Light to sponsor the further development of Mosquitto and to accelerate the public availability of a powerful MQTT broker. Cedalo is the creator of the end-user oriented IoT modelling tool “Streamsheets”.

With the new sponsorship the project is now able to accelerate the path towards new releases. The next version of Mosquitto will add support for MQTT version 5, which is the most substantial revision of the protocol since the first public specification was released. MQTT v5 adds error reporting, enhancements for scalability at the server side, features to help resource constrained clients, and extensible metadata - which is used amongst other things to introduce support for a request/response capability.

The MQTT v5 compliant release is planned for the end of August 2018.

Press Contact: Cedalo AG 79098 Freiburg, Schnewlinstr. 6

Kristian Raue Mail: presse@cedalo.com