[SECURITY] [DLA 961-1] mosquitto security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package : mosquitto
Version : 0.15-2+deb7u1
CVE ID : CVE-2017-7650
Debian Bug :
CVE-2017-7650: Pattern based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’.
This allows locally or remotely connected clients to access MQTT topics that they do have the rights to.
The same issue may be present in third party authentication/access control plugins for Mosquitto.
The vulnerability only comes into effect where pattern based ACLs are in use,
or potentially where third party plugins are in use.
For Debian 7 "Wheezy", these problems have been fixed in version
0.15-2+deb7u1.
We recommend that you upgrade your mosquitto packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
thanks,
Gianfranco
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJZLS6nAAoJEPNPCXROn13ZP24P/iCCzELASHl/mF0yqCrkGVwo
emvDALFFgSKhrKy33FAF8MlGpKQiTSkELMva8J5FVQ5pSdCoAknOtXHVDvYCUAsg
kKzFfiUq0nt5DiAKlFYh3RtKuS3v+GKSFdsa9JVXZV7BLT4wHZ8FruWObf/edRDv
F7g98UgfSNG0n0InPMeoVAt7xkVXos2iGu9hTbbaGA0LqkU89JvKaRcVMUIWD8CS
QouGfZuIZNnVwOGludQDOpWPk+jBedV2H3rLOzOGPvkBs56fLZPi4piat3kjkf/b
i0NkdQIRXemyCjdHdOtDdMZ/SpXp+IEQyo6cxW4608aX5FyVgcoTLXo/mT2Rn+jj
WPp8CLC356UA5Gqiaov0QU6JQO+TevauWHPch/FEAF+nIrlZHWTFPHUVzGqvec/E
SofzVK5fzvtb72Wzdq0qxaMBNkBxa8Da2of6r4uNnifPyB4qH/tRE5XJBK9NDle8
WM9zHg8a7PoAfEYhx3wpmSjQdFJQK/2O560ezHObzyRPZg+6eIk83xCJ9UXV/w8o
md89sr0rS3LclwoLI9alo2TYdTajY9jLFVR7tv2apra4FUT2J1P5BNv4d+KWCIzo
ZgbZRVHf4WcGTlQAMdeLKKb2ExjOwjznVQVpOI+dkW9sReJcF88uOD8aG2hyRp0U
fKTSFxMALnVqn28PY96+
=6lJ+
-----END PGP SIGNATURE-----
Reply to: