Overview

Request 1135794 accepted

- update to 2.0.18 (bsc#1214918, CVE-2023-28366, bsc#1215865,
CVE-2023-0809, bsc#1215864, CVE-2023-3592):
* Fix crash on subscribe under certain unlikely conditions.
* Fix mosquitto_rr not honouring `-R`. Closes #2893.
* Fix `max_queued_messages 0` stopping clients from receiving
messages.
* Fix `max_inflight_messages` not being set correctly.
* Fix `mosquitto_passwd -U` backup file creation.
* CVE-2023-28366: Fix memory leak in broker when clients send
multiple QoS 2 messages with the same message ID, but then
never respond to the PUBREC commands.
* CVE-2023-0809: Fix excessive memory being allocated based on
malicious initial packets that are not CONNECT packets.
* CVE-2023-3592: Fix memory leak when clients send v5 CONNECT
packets with a will message that contains invalid property
types.
* Broker will now reject Will messages that attempt to publish
to $CONTROL/.
* Broker now validates usernames provided in a TLS certificate
or TLS-PSK identity are valid UTF-8.
* Fix potential crash when loading invalid persistence file.
* Library will no longer allow single level wildcard
certificates, e.g. *.com
* Fix $SYS messages being expired after 60 seconds and hence
unchanged values disappearing.
* Fix some retained topic memory not being cleared immediately
after use.
* Fix error handling related to the `bind_interface` option.
* Fix std* files not being redirected when daemonising, when
built with assertions removed.

Request History

dirkmueller created request



mnhauke accepted request

Thanks a lot!
