Hello community,

here is the log from the commit of package mosquitto for openSUSE:Factory checked in at 2019-02-27 17:29:26

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mosquitto (Old)
 and      /work/SRC/openSUSE:Factory/.mosquitto.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mosquitto" Wed Feb 27 17:29:26 2019 rev:8 rq:679569 version:1.5.7 Changes: -------- --- /work/SRC/openSUSE:Factory/mosquitto/mosquitto.changes 2018-10-29 14:58:32.681987555 +0100 +++ /work/SRC/openSUSE:Factory/.mosquitto.new.28833/mosquitto.changes 2019-02-27 17:29:30.827312928 +0100 
@@ -1,0 +2,126 @@ +Mon Feb 18 19:58:45 UTC 2019 - Martin Hauke <[email protected]> + +- Use HTTPS for all URLs +- Verify source signature + +------------------------------------------------------------------- +Thu Feb 14 09:51:33 UTC 2019 - Martin Hauke <[email protected]> + +- Update to version 1.5.7 + Broker: + - Ensure that an error occurs if `per_listener_settings true` is + given after other security options. + - Fix case where old unreferenced msg_store messages were being + saved to the persistence file, bloating its size unnecessarily. + Library: + - Fix `mosquitto_topic_matches_sub()` not returning MOSQ_ERR_INVAL + for invalid subscriptions like `topic/#abc`. This only affects + the return value, not the match/no match result, which was + already correct. + +------------------------------------------------------------------- +Wed Feb 13 21:14:36 UTC 2019 - Martin Hauke <[email protected]> + +- Update to version 1.5.6 + Security: + * Fix CVE-2018-12551 (bsc#1125021): If Mosquitto is configured to + use a password file for authentication, any malformed data in + the password file will be treated as valid. This typically means + that the malformed data becomes a username and no password. + If this occurs, clients can circumvent authentication and get + access to the broker by using the malformed username. In + particular, a blank line will be treated as a valid empty username. + Other security measures are unaffected. Users who have only used + the mosquitto_passwd utility to create and modify their password + files are unaffected by this vulnerability. + * Fix CVE-2018-12550 (bsc#1125021): If an ACL file is empty, or + has only blank lines or comments, then mosquitto treats the ACL + file as not being defined, which means that no topic access is + denied. Although denying access to all topics is not a useful + configuration, this behaviour is unexpected and could lead + to access being incorrectly granted in some circumstances. This + is now fixed. 
+ * Fix CVE-2018-12546 (bsc#1125019): If a client publishes a retained + message to a topic that they have access to, and then their access + to that topic is revoked, the retained message will still be + delivered to future subscribers. This behaviour may be undesirable + in some applications, so a configuration option `check_retain_source` + has been introduced to enforce checking of the retained message + source on publish. + Broker: + * Fixed comment handling for config options that have optional + arguments. + * Improved documentation around bridge topic remapping. + * Handle mismatched handshakes (e.g. QoS1 PUBLISH with QoS2 + reply) properly. + * Fix spaces not being allowed in the bridge remote_username + option. + * Allow broker to always restart on Windows when using + `log_dest file`. + * Fix Will not being sent for Websockets clients. + * Windows: Fix possible crash when client disconnects. + * Fixed durable clients being unable to receive messages when + offline, when per_listener_settings was set to true. + * Add log message for the case where a client is disconnected for + sending a topic with invalid UTF-8. + Library: + * Fix TLS connections not working over SOCKS. + * Don't clear SSL context when TLS connection is closed, meaning + if a user provided an external SSL_CTX they have less chance of + leaking references. + +------------------------------------------------------------------- +Mon Dec 17 20:15:50 UTC 2018 - [email protected] + +- FIX CVE-2018-20145: mosquitto: ACL bypass (bnc#1119536) +- Update to version 1.5.5 + Security: + * If `per_listener_settings` is set to true, then the `acl_file` setting was + ignored for the "default listener" only. This has been fixed. This does not + affect any listeners defined with the `listener` option. + Broker: + * Add `socket_domain` option to allow listeners to disable IPv6 support. 
+ This is required to work around a problem in libwebsockets that means + sockets only listen on IPv6 by default if IPv6 support is compiled in. + * When using ADNS, don't ask for all network protocols when connecting, + because this can lead to confusing "Protocol not supported" errors if the + network is down. + * Fix outgoing retained messages not being sent by bridges on initial + connection. + * Don't reload auth_opt_ options on reload, to match the behaviour of the + other plugin options. + * Print message on error when installing/uninstalling as a Windows service. + * All non-error connect/disconnect messages are controlled by the + `connection_messages` option. + Library: + * Fix reconnect delay backoff behaviour. + * Don't call on_disconnect() twice if keepalive tests fail. + Client: + * Always print leading zeros in mosquitto_sub when output format is hex. + Build: + * Fix building where TLS-PSK is not available. + +- Update to version 1.5.4 + Security: + * When using a TLS enabled websockets listener with "require_certificate" + enabled, the mosquitto broker does not correctly verify client certificates. + This is now fixed. All other security measures operate as expected, and in + particular non-websockets listeners are not affected by this. + Broker: + * Process all pending messages even when a client has disconnected. This means + a client that send a PUBLISH then DISCONNECT quickly, then disconnects will + have its DISCONNECT message processed properly and so no Will will be sent. + * $SYS/broker/clients/disconnected should never be negative. + * Give better error message if a client sends a password without a username. + * Fix bridge not honoring restart_timeout. + * Don't disconnect a client if an auth plugin denies access to SUBSCRIBE. + Library: + * Fix memory leak that occurred if mosquitto_reconnect() was used when TLS + errors were present. 
+ * Fix TLS connections when using an external event loop with + mosquitto_loop_read() and mosquitto_write(). + Build: + * Fix clients not being compiled with threading support when using CMake. + * Use _GNU_SOURCE to fix build errors in websockets and getaddrinfo usage. + +------------------------------------------------------------------- Old: ---- mosquitto-1.5.3.tar.gz New: ---- mosquitto-1.5.7.tar.gz mosquitto-1.5.7.tar.gz.sig mosquitto.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mosquitto.spec ++++++ --- /var/tmp/diff_new_pack.BtEPdk/_old 2019-02-27 17:29:31.451312704 +0100 +++ /var/tmp/diff_new_pack.BtEPdk/_new 2019-02-27 17:29:31.451312704 +0100 @@ -1,7 +1,7 @@ # # spec file for package mosquitto # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -27,13 +27,15 @@ %endif %bcond_without websockets Name: mosquitto -Version: 1.5.3 +Version: 1.5.7 Release: 0 Summary: A MQTT v3.1/v3.1.1 Broker License: EPL-1.0 Group: Productivity/Networking/Other -URL: http://mosquitto.org/ -Source: http://mosquitto.org/files/source/mosquitto-%{version}.tar.gz +URL: https://mosquitto.org/ +Source: https://mosquitto.org/files/source/mosquitto-%{version}.tar.gz +Source98: https://mosquitto.org/files/source/mosquitto-%{version}.tar.gz.asc#/%{name}-%{version}.tar.gz.sig +Source99: %{name}.keyring Source1: mosquitto.service Source2: mosquitto.fw Source4: README-conf-d ++++++ mosquitto-1.5.3.tar.gz -> mosquitto-1.5.7.tar.gz ++++++ ++++ 6127 lines of diff (skipped)
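Review bot: the CVE-2018-12546 item in the 1.5.6 entry of the mosquitto.changes hunk (`@@ -1,0 +2,126 @@`) describes an opt-in fix, not a default behaviour change: `check_retain_source` only takes effect once an administrator sets it in the broker configuration, and the visible spec diff touches no shipped config file. Suggest saying so in the changelog line, e.g. `+ source on publish; set check_retain_source true to enable it.`, so that anyone reading the entry as "CVE fixed" knows that, until the option is enabled, a retained message is still delivered to future subscribers after the publisher's topic access has been revoked, exactly as the entry itself describes. Minor style point in the same hunk: the 1.5.7 sub-items use `-` bullets while the 1.5.6 and 1.5.5 entries use `*`; one style throughout would be easier to read.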
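Review bot: the new `Source98`/`Source99` lines in the mosquitto.spec hunk `@@ -27,13 +27,15 @@` add signature verification but leave the trust anchor undocumented: neither the spec nor the "Verify source signature" changelog line says whose key `%{name}.keyring` contains or how it was obtained, so a later reviewer cannot distinguish a legitimate upstream key rotation from a tampered keyring. Suggest a comment above `Source99` naming the upstream signer and the key fingerprint as checked out of band, e.g. `# Source99: upstream release-signing key of <SIGNER>, fingerprint <FINGERPRINT>` (placeholders to be filled in by the submitter), and repeating the fingerprint in the changelog entry. The `#/%{name}-%{version}.tar.gz.sig` rename of the fetched `.asc` is consistent with the `mosquitto-1.5.7.tar.gz.sig` listed under New:, so that part looks right.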
