
[SECURITY] [DLA 961-1] mosquitto security update




Package        : mosquitto
Version        : 0.15-2+deb7u1
CVE ID         : CVE-2017-7650
Debian Bug     :

CVE-2017-7650: Pattern-based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’.
This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to.
The same issue may be present in third-party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern-based ACLs are in use,
or potentially where third-party plugins are in use.

For Debian 7 "Wheezy", this problem has been fixed in version
0.15-2+deb7u1.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

thanks,

Gianfranco
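
The following is an added example, not part of the advisory and not Mosquitto's code or the Debian patch. It shows how a username or client id substituted into a pattern ACL ends up being read as an MQTT wildcard, next to an identity check that denies such clients. It assumes Mosquitto-style `%u`/`%c` placeholders in pattern ACLs; the function names, topics and identities are constructed for illustration.

```python
import re

WILDCARDS = "+#"  # MQTT topic-filter wildcard characters


def topic_matches(topic_filter, topic):
    """MQTT filter match: '+' is one level, a trailing '#' is the remainder."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def expand(pattern, username, client_id):
    """Substitute %u and %c in one pass (assumed Mosquitto-style placeholders)."""
    values = {"%u": username, "%c": client_id}
    return re.sub(r"%[uc]", lambda m: values[m.group()], pattern)


def acl_naive(pattern, username, client_id, topic):
    """Flawed: the substituted identity is then parsed as part of the filter."""
    return topic_matches(expand(pattern, username, client_id), topic)


def acl_hardened(pattern, username, client_id, topic):
    """Deny any client whose username or client id contains a wildcard."""
    if any(ch in ident for ident in (username, client_id) for ch in WILDCARDS):
        return False
    return acl_naive(pattern, username, client_id, topic)


def demo():
    """Constructed cases: (pattern, username, client id, topic requested)."""
    cases = [
        ("sensors/%u/data", "alice", "dev-1", "sensors/alice/data"),
        ("sensors/%u/data", "alice", "dev-1", "sensors/bob/data"),
        ("sensors/%u/data", "+", "dev-1", "sensors/bob/data"),
        ("devices/%c", "alice", "#", "devices/dev-2/config"),
    ]
    return [(acl_naive(*c), acl_hardened(*c)) for c in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Each tuple is (naive decision, hardened decision). The last two cases are granted by the naive check and denied by the hardened one.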

