Archive for 'Releases'

Version 1.4.14 released

This is a bugfix release.

Version 1.4.13 contained a regression that meant persistence data was only being saved after client information had been freed. This release fixes that.

If you use persistence then it is strongly recommended to avoid 1.4.13 so you do not suffer data loss.

Version 1.4.13 released

This is a bugfix and security release.

Security

  • Fix CVE-2017-9868. The persistence file was readable by all local users,
    potentially allowing sensitive information to be leaked.
    This can also be fixed administratively, by restricting access to the
    directory in which the persistence file is stored.

Broker

  • Fix for poor websockets performance.
  • Fix lazy bridges not timing out for idle_timeout. Closes #417.
  • Fix problems with large retained messages over websockets. Closes #427.
  • Set persistence file to only be readable by owner, except on Windows. Closes
    #468.
  • Fix CONNECT check for reserved=0, as per MQTT v3.1.1 check MQTT-3.1.2-3.
  • When the broker stop, wills for any connected clients are now “sent”. Closes
    #477.
  • Auth plugins can be configured to disable the check for +# in usernames/client ids with the auth_plugin_deny_special_chars option. Partially closes #462.
  • Restrictions for CVE-2017-7650 have been relaxed – ‘/’ is allowed in usernames/client ids. Remainder of fix for #462.

Clients

  • Don’t use / in auto-generated client ids.

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11 inclusive known as CVE-2017-7650.

Pattern based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.

The issue is fixed in Mosquitto 1.4.12, which has just been released. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7650/

The fix addresses the problem by restricting access for clients with a ‘#’, ‘+’, or ‘/’ in their username or client id. ‘/’ has been included in the list of characters disallowed because it also has a special meaning in a topic and may represent an additional risk. The restriction placed on clients is that they may not receive or send messages that are subject to a pattern based ACL check, nor any message that is subject to a plugin check.

Thanks to Artem Zinenko from HackerDom CTF team for finding this vulnerability and responsibly reporting it.

Complete list of fixes addressed in version 1.4.12:

Broker

  • Fix mosquitto.db from becoming corrupted due to client messages being persisted with no stored message. Closes #424.
  • Fix bridge not restarting properly. Closes #428.
  • Fix unitialized memory in gets_quiet on Windows. Closes #426.
  • Fix building with WITH_ADNS=no for systems that don’t use glibc. Closes #415.
  • Fixes to readme.md.
  • Fix deprecation warning for OpenSSL 1.1. PR #416.
  • Don’t segfault on duplicate bridge names. Closes #446.
  • Fix CVE-2017-7650

For the final time…

This guy arrived on Tuesday, two weeks early and weighing 9lb 6oz / 4.26kg. Apologies if I’m a bit out of touch for a while.

Version 1.4.11 released

This is a bugfix release.

Broker

  • Fix crash when “lazy” type bridge attempts to reconnect. Closes #259.
  • maximum_connections now applies to websockets listeners. Closes #271.
  • Allow bridges to use TLS with IPv6.
  • Don’t error on zero length persistence files. Closes #316.
  • For http only websockets clients, close files served over http in all cases when the client disconnects. Closes #354.
  • Fix error message when websockets http_dir directory does not exist.
  • Improve password utility error message. Closes #379.
  • Bridges can use asynchronous DNS lookups on systems with glibc. This can be enabled at compile time using “WITH_ADNS=yes”.

Clients

  • Use of –ciphers no longer requires you to also pass –tls-version. Closes #380.

Client library

  • Clients can now use TLS with IPv6.
  • Fix potential socket leakage when reconnecting. Closes #304.
  • Fix potential negative timeout being passed to pselect. Closes #329.

Version 1.4.10 released

This is a bugfix release.

Broker

  • Fix TLS operation with websockets listeners and libwebsockets 2.x. Closes
    #186.
  • Don’t disconnect client on HUP before reading the pending data. Closes #7.
  • Fix some $SYS messages being incorrectly persisted. Closes #191.
  • Support OpenSSL 1.1.0.
  • Call fsync after persisting data to ensure it is correctly written. Closes
    #189.
  • Fix persistence saving of subscription QoS on big-endian machines.
  • Fix will retained flag handling on Windows. Closes #222.
  • Broker now displays an error if it is unable to open the log file. Closes
    #234.

Client library

  • Support OpenSSL 1.1.0.
  • Fixed the C++ library not allowing SOCKS support to be used. Closes #198.
  • Fix memory leak when verifying a server certificate with a subjectAltName
    section. Closes #237.

Build

  • Don’t attempt to install docs when WITH_DOCS=no. Closes #184.

Version 1.4.9 released

This is a bugfix release.

Broker

  • Ensure websockets clients that previously connected with clean session set
    to false have their queued messages delivered immediately on reconnecting.
    Closes #5.
  • Reconnecting client with clean session set to false doesn’t start with mid=1
    again.
  • Will topic isn’t truncated by one byte when using a mount_point any more.
  • Network errors are printed correctly on Windows.
  • Fix incorrect $SYS heap memory reporting when using ACLs.
  • Bridge config parameters couldn’t contain a space, this has been fixed.
    Closes #150.
  • Fix saving of persistence messages that start with a ‘/’. Closes #151.
  • Fix reconnecting for bridges that use TLS on Windows. Closes #154.
  • Broker and bridges can now cope with unknown incoming PUBACK, PUBREC,
    PUBREL, PUBCOMP without disconnecting. Closes #57.
  • Fix websockets listeners not being able to bind to an IP address. Closes
    #170.
  • mosquitto_passwd utility now correctly deals with unknown command line
    arguments in all cases. Closes #169.
  • Fix publishing of $SYS/broker/clients/maximum
  • Fix order of #includes in lib/send_mosq.c to ensure struct mosquitto doesn’t
    differ between source files when websockets is being used. Closes #180.
  • Fix possible rare crash when writing out persistence file and a client has
    incomplete messages inflight that it has been denied the right to publish.

Client library

  • Fix the case where a message received just before the keepalive timer
    expired would cause the client to miss the keepalive timer.
  • Return value of pthread_create is now checked.
  • _mosquitto_destroy should not cancel threads that weren’t created by
    libmosquitto. Closes #166.
  • Clients can now cope with unknown incoming PUBACK, PUBREC, PUBREL, PUBCOMP without disconnecting. Closes #57.
  • Fix mosquitto_topic_matches_sub() reporting matches on some invalid
    subscriptions.

Clients

  • Handle some unchecked malloc() calls. Closes #1.

Build

  • Fix string quoting in CMakeLists.txt. Closes #4.
  • Fix building on Visual Studio 2015. Closes #136.

Version 1.4.3 released

This is a bugfix release.

Broker

  • Fix incorrect bridge notification on initial connection. Closes #467096.
  • Build fixes for OpenBSD.
  • Fix incorrect behaviour for autosave_interval, most noticable for autosave_interval=1. Closes #465438.
  • Fix handling of outgoing QoS>0 messages for bridges that could not be sent because the bridge connection was down.
  • Free unused topic tree elements. Closes #468987.
  • Fix some potential memory leaks. Closes #470253.
  • Fix potential crash on libwebsockets error.

Client library

  • Add missing error strings to mosquitto_strerror.
  • Handle fragmented TLS packets without a delay. Closes #470660.
  • Fix incorrect loop timeout being chosen when using threaded interface and keepalive = 0. Closes #471334.
  • Increment inflight messages count correctly. Closes #474935.

Clients

  • Report error string on connection failure rather than error code.

Version 1.4.2 released

This is a bugfix release.

Broker

  • Fix bridge prefixes only working for the first outgoing message. Closes #464437.
  • Fix incorrect bridge connection notifications on local broker.
  • Fix persistent db writing on Windows. Closes #464779.
  • ACLs are now checked before sending a will message.
  • Fix possible crash when using bridges on Windows. Closes #465384.
  • Fix parsing of auth_opt_ arguments with extra spaces/tabs.
  • Broker will return CONNACK rc=5 when a username/password is not authorised. This was being incorrectly set as rc=4.
  • Fix handling of payload lengths>4096 with websockets.

Client library

  • Inflight message count wasn’t being decreased for outgoing messages using QoS 2, meaning that only up to 20 QoS 2 messages could be sent. This has been fixed. Closes #464436.
  • Fix CMake dependencies for C++ wrapper building. Closes #463884.
  • Fix possibility of select() being called with a socket that is >FD_SETSIZE. This is a fix for #464632 that will be followed up by removing the select() call in a future version.
  • Fix calls to mosquitto_connect*_async() not completing.

Version 1.4.1 released

This is a bugfix and security release. Users of mosquitto 1.4 are strongly advised to upgrade. Upgrading from earlier versions is recommended but not as important.

Broker

  • Fix possible crash under heavy network load. Closes #463241. This bug only affects version 1.4.
  • Fix possible crash when using pattern ACLs.
  • Fix problems parsing config strings with multiple leading spaces. Closes #462154.
  • Websockets clients are now periodically disconnected if they have not maintained their keepalive timer. Closes #461619.
  • Fix possible minor memory leak on acl parsing.

Client library

  • Inflight limits should only apply to outgoing messages. Closes #461620.
  • Fix reconnect bug on Windows. Closes #463000.
  • Return -1 on error from mosquitto_socket(). Closes #461705.
  • Fix crash on multiple calls to mosquitto_lib_init/mosquitto_lib_cleanup. Closes #462780.
  • Allow longer paths on Windows. Closes #462781.
  • Make _mosquitto_mid_generate() thread safe. Closes #463479.