[SECURITY] [DLA 961-1] mosquitto security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package : mosquitto
Version : 0.15-2+deb7u1
CVE ID : CVE-2017-7650
Debian Bug :
CVE-2017-7650: Pattern based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’.
This allows locally or remotely connected clients to access MQTT topics that they do have the rights to.
The same issue may be present in third party authentication/access control plugins for Mosquitto.
The vulnerability only comes into effect where pattern based ACLs are in use,
or potentially where third party plugins are in use.
For Debian 7 "Wheezy", these problems have been fixed in version
0.15-2+deb7u1.
We recommend that you upgrade your mosquitto packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
thanks,
Gianfranco
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJZLTT2AAoJEPNPCXROn13Z8EAQANm1Z5J32IieOvEK8p2QMvZ3
UhS9zFZwQ5g6qovkL9thwa6HtjDrU/NtZoLPDNbnyinvqxT7ijwS4rRW0gjMxks/
V6cDQMFuJcTx2L22KjcJlgRaxJ27Msn684HNYyvWeyGpYACrepF+0w7jmHr3h+K0
OeWeUple/Of1VjXhl0RFguKiO5Vk4NUI6m6DZRr0tXfe4b4x9Y9uDOet0zEyPNdT
RS/Q+YCc/bfh5zX/ctlu7hKhP6z3FTqVlgphhU/GOJ5BnTa5KbqkoiiIEYkGNExx
MwCjB0t7saEgLDkjjt5ZrMsqmrEWTeuPGMXGcS9EQdNIxSzMFJMVX514DW/3SGek
Vqkp72Ww3zG9XCMB7V28yebWGb4R8m23XiWkq/YZ/m8W62Fsir/QXAbwlTDgjskI
f79FynYSp/4BGgmmc/8iLKMzS57NEE/mKC/5LhSIVutvOIRxASp+dXmDVrO7Qgo8
JzJxz9CHlGqfM+zP3IJ2bZykiPaZWEOY2UDHM21eDxipy0+4g7ajTDxI9qdc/6k8
INdUAi916agYr6FV71KLaVmpFVnIeoUt/o5X945y2E36xgdTfvKGVLjlPFtHwJyL
q4vGOMk7HYJoWQruMvNc0Wi6Q9nFNVZFv6wmN44r+zUhQaf8tOUEiJhVEbVD3ghv
HsuZL3+dJISGI50WtIgB
=Zxz+
-----END PGP SIGNATURE-----
Reply to: