- Update to version 2.0.12
* Includes security fixes for
CVE-2021-34434 (bsc#1190048) and CVE-2020-13849 (bsc#1190101)
Security :
* An MQTT v5 client connecting with a large number of
user-property properties could cause excessive CPU usage,
leading to a loss of performance and possible denial of
service. This has been fixed.
* Fix `max_keepalive` not applying to MQTT v3.1.1 and v3.1
connections. These clients are now rejected if their keepalive
value exceeds max_keepalive. This option allows CVE-2020-13849,
which is for the MQTT v3.1.1 protocol itself rather than an
implementation, to be addressed.
* Using certain listener related configuration options e.g.
`cafile`, that apply to the default listener without defining
any listener would cause a remotely accessible listener to be
opened that was not confined to the local machine but did have
anonymous access enabled, contrary to the documentation.
This has been fixed. Closes #2283.
* CVE-2021-34434: If a plugin had granted ACL subscription access
to a durable/non-clean-session client, then removed that
access,the client would keep its existing subscription. This
has been fixed.
* Incoming QoS 2 messages that had not completed the QoS flow
were not being checked for ACL access when a clean
session=False client was reconnecting. This has been fixed.
Broker:
* Fix possible out of bounds memory reads when reading a
corrupt/crafted configuration file. Unless your configuration
file is writable by untrusted users this is not a risk.