[SECURITY] [DLA 961-1] mosquitto security update

[Gianfranco Costamagna]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : mosquitto
Version        : 0.15-2+deb7u1
CVE ID         : CVE-2017-7650
Debian Bug     :

CVE-2017-7650: Pattern based ACLs can be bypassed by clients that set their 
username/client id to ‘#’ or ‘+’.
This allows locally or remotely connected clients to access MQTT topics that 
they do have the rights to.
The same issue may be present in third party authentication/access control 
plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use,
or potentially where third party plugins are in use.

For Debian 7 "Wheezy", these problems have been fixed in version
0.15-2+deb7u1.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

thanks,

Gianfranco


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZLS6nAAoJEPNPCXROn13ZP24P/iCCzELASHl/mF0yqCrkGVwo
emvDALFFgSKhrKy33FAF8MlGpKQiTSkELMva8J5FVQ5pSdCoAknOtXHVDvYCUAsg
kKzFfiUq0nt5DiAKlFYh3RtKuS3v+GKSFdsa9JVXZV7BLT4wHZ8FruWObf/edRDv
F7g98UgfSNG0n0InPMeoVAt7xkVXos2iGu9hTbbaGA0LqkU89JvKaRcVMUIWD8CS
QouGfZuIZNnVwOGludQDOpWPk+jBedV2H3rLOzOGPvkBs56fLZPi4piat3kjkf/b
i0NkdQIRXemyCjdHdOtDdMZ/SpXp+IEQyo6cxW4608aX5FyVgcoTLXo/mT2Rn+jj
WPp8CLC356UA5Gqiaov0QU6JQO+TevauWHPch/FEAF+nIrlZHWTFPHUVzGqvec/E
SofzVK5fzvtb72Wzdq0qxaMBNkBxa8Da2of6r4uNnifPyB4qH/tRE5XJBK9NDle8
WM9zHg8a7PoAfEYhx3wpmSjQdFJQK/2O560ezHObzyRPZg+6eIk83xCJ9UXV/w8o
md89sr0rS3LclwoLI9alo2TYdTajY9jLFVR7tv2apra4FUT2J1P5BNv4d+KWCIzo
ZgbZRVHf4WcGTlQAMdeLKKb2ExjOwjznVQVpOI+dkW9sReJcF88uOD8aG2hyRp0U
fKTSFxMALnVqn28PY96+
=6lJ+
-----END PGP SIGNATURE-----