-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package : mosquitto Version : 0.15-2+deb7u1 CVE ID : CVE-2017-7650 Debian Bug :
CVE-2017-7650: Pattern based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use. For Debian 7 "Wheezy", these problems have been fixed in version 0.15-2+deb7u1. We recommend that you upgrade your mosquitto packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS thanks, Gianfranco -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJZLTT2AAoJEPNPCXROn13Z8EAQANm1Z5J32IieOvEK8p2QMvZ3 UhS9zFZwQ5g6qovkL9thwa6HtjDrU/NtZoLPDNbnyinvqxT7ijwS4rRW0gjMxks/ V6cDQMFuJcTx2L22KjcJlgRaxJ27Msn684HNYyvWeyGpYACrepF+0w7jmHr3h+K0 OeWeUple/Of1VjXhl0RFguKiO5Vk4NUI6m6DZRr0tXfe4b4x9Y9uDOet0zEyPNdT RS/Q+YCc/bfh5zX/ctlu7hKhP6z3FTqVlgphhU/GOJ5BnTa5KbqkoiiIEYkGNExx MwCjB0t7saEgLDkjjt5ZrMsqmrEWTeuPGMXGcS9EQdNIxSzMFJMVX514DW/3SGek Vqkp72Ww3zG9XCMB7V28yebWGb4R8m23XiWkq/YZ/m8W62Fsir/QXAbwlTDgjskI f79FynYSp/4BGgmmc/8iLKMzS57NEE/mKC/5LhSIVutvOIRxASp+dXmDVrO7Qgo8 JzJxz9CHlGqfM+zP3IJ2bZykiPaZWEOY2UDHM21eDxipy0+4g7ajTDxI9qdc/6k8 INdUAi916agYr6FV71KLaVmpFVnIeoUt/o5X945y2E36xgdTfvKGVLjlPFtHwJyL q4vGOMk7HYJoWQruMvNc0Wi6Q9nFNVZFv6wmN44r+zUhQaf8tOUEiJhVEbVD3ghv HsuZL3+dJISGI50WtIgB =Zxz+ -----END PGP SIGNATURE-----
