[Buildroot] [PATCH] package/mosquitto: security bump to version 1.6.6

Peter Korsgaard peter at korsgaard.com
Wed Sep 18 15:42:12 UTC 2019


>>>>> "Titouan" == Titouan Christophe <titouan.christophe at railnova.eu> writes:

 > Hello Peter and all,
 > On 9/18/19 4:38 PM, Peter Korsgaard wrote:
 >> Fixes a security issue. From the annoncement:
 >> 
 >> A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive.
 >> 
 >> If a client sends a SUBSCRIBE packet containing a topic that consists of
 >> approximately 65400 or more '/' characters, i.e.  the topic hierarchy
 >> separator, then a stack overflow will occur.
 >> 
 >> The issue is fixed in Mosquitto 1.6.6 and 1.5.9.  Patches for older versions
 >> are available at https://mosquitto.org/files/cve/2019-hier
 >> 
 >> The fix addresses the problem by restricting the allowed number of topic
 >> hierarchy levels to 200.  An alternative fix is to increase the size of the
 >> stack by a small amount.
 >> 
 >> https://mosquitto.org/blog/2019/09/version-1-6-6-released/
 >> 
 >> Also notice that 1.6.5 silently fixed a security issue:
 >> 
 >> CVE-2019-11778
 >> 
 >> A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778
 >> 
 >> If an MQTT v5 client connects to Mosquitto, sets a last will and testament,
 >> sets a will delay interval, sets a session expiry interval, and the will
 >> delay interval is set longer than the session expiry interval, then a use
 >> after free error occurs, which has the potential to cause a crash in some
 >> situations.
 >> 

 > Do you also intend to backport this into 2019.02 ?

Yes, but 2019.02.x uses 1.5.8, so there it makes more sense to move to
1.5.9.

-- 
Bye, Peter Korsgaard



More information about the buildroot mailing list