Hello community,

here is the log from the commit of package mosquitto for openSUSE:Leap:15.2 checked in at 2020-01-17 12:01:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/mosquitto (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.mosquitto.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mosquitto" Fri Jan 17 12:01:42 2020 rev:18 rq:763638 version:1.6.8 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/mosquitto/mosquitto.changes 2020-01-15 15:30:59.958763571 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.mosquitto.new.26092/mosquitto.changes 2020-01-17 12:01:43.436511545 +0100 @@ -2 +2 @@ -Sat Sep 21 20:03:23 UTC 2019 - Martin Hauke <[email protected]> +Fri Nov 29 18:34:49 UTC 2019 - Martin Hauke <[email protected]> 
@@ -4,2 +4,269 @@ -- Add patch to fix security issue: CVE-2019-11779 - * mosquitto-1.5.x-cve-2019-11779.patch +- Update to version 1.6.8 + Broker: + * Various fixes for `allow_zero_length_clientid` config, where + this option was not being set correctly. + * Fix incorrect memory tracking causing problems with + memory_limit option. + * Fix subscription topics being limited to 200 characters instead + of 200 hierarchy levels. + * Only a single CRL could be loaded at once. This has been fixed. + * Fix problems with reloading config when `per_listener_settings` + was true. + * Fix retained messages with an expiry interval not being expired + after being restored from persistence. + * Fix messages with an expiry interval being sent without an + expiry interval property just before they were expired. + * Fix TLS Websockets clients not receiving messages after taking + over a previous connection. + * Fix MQTT 3.1.1 clients using clean session false, or MQTT 5.0 + clients using session-expiry-interval set to infinity never + expiring, even when the global `persistent_client_expiration` + option was set. + Client library: + * Fix publish properties not being passed to on_message_v5 + callback for QoS 2 messages. + * Fix documentation issues in mosquitto.h. + * Document `mosquitto_connect_srv()`. + Clients: + * Fix duplicate cfg definition in rr_client. + * Fix `mosquitto_pub -l` hang when stdin stream ends. + * Fix `mosquitto_pub -l` not sending the final line of stdin if + it does not end with a new line. + * Make documentation for `mosquitto_pub -l` match reality - blank + lines are sent as empty messages. + * Free memory in `mosquitto_sub` when quiting without having made + a successful connection. 
+- Drop patch: + * mosquitto-fix-pkgconf-path.patch (fixed upstream) + +------------------------------------------------------------------- +Wed Sep 25 20:42:16 UTC 2019 - Martin Hauke <[email protected]> + +- Update to version 1.6.7 + Broker: + * Add workaround for working with libwebsockets 3.2.0. + * Fix potential crash when reloading config. + Client library: + * Don't use `/` in autogenerated client ids, to avoid confusing + with topics. + * Fix `mosquitto_max_inflight_messages_set()` and + `mosquitto_int_option(..., MOSQ_OPT_*_MAX, ...)` behaviour. + * Fix regression on use of `mosquitto_connect_async()` not working. + Clients: + * mosquitto_sub: Fix `-E` incorrectly not working unless `-d` was + also specified. + * Updated documentation around automatic client ids. + +------------------------------------------------------------------- +Sat Sep 21 14:38:08 UTC 2019 - Martin Hauke <[email protected]> + +- Update to version 1.6.5 + Fix CVE-2019-11779: + * In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT + client sends a SUBSCRIBE packet containing a topic that consists + of approximately 65400 or more '/' characters, i.e. the topic + hierarchy separator, then a stack overflow will occur. + Broker: + * Fix v5 DISCONNECT packets with remaining length == 2 being + treated as a protocol error. + * Fix support for libwebsockets 3.x. + * Fix slow websockets performance when sending large messages. + * Fix clients authorised using `use_identity_as_username` or + `use_subject_as_username` being disconnected on SIGHUP. + * Improve error messages in some situations when clients disconnect. + Reduces the number of "Socket error on client X, disconnecting" + messages. + * Fix Will for v5 clients not being sent if will delay interval was + greater than the session expiry interval. + * Fix CRL file not being reloaded on HUP. + Client library: + * Fix reconnect backoff for the situation where connections are + dropped rather than refused. 
+ * Fix missing locks on `mosq->state`. + +- Update to version 1.6.4 + Fix CVE-2019-11778: + * If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 + to 1.6.4 inclusive, sets a last will and testament, sets a will + delay interval, sets a session expiry interval, and the will delay + interval is set longer than the session expiry interval, then a + use after free error occurs, which has the potential to cause a + crash in some situations. + Broker: + * Fix incoming QoS 2 messages being blocked when + `max_inflight_messages` was set to 1. + * Fix incoming messages not being removed for a client if the topic + being published to does not have any subscribers. + Client library: + * Fix MQTT v5 subscription options being incorrectly set for + MQTT v3 subscriptions. + * Make behaviour of `mosquitto_connect_async()` consistent with + `mosquitto_connect()` when connecting to a non-existent server. + * `mosquitto_string_option(mosq, MOSQ_OPT_TLS_KEYFORM, ...)` was + incorrectly returning `MOSQ_ERR_INVAL` with valid input. This has + been fixed. + * on_connect callback is now called with the correct v5 reason code + if a v5 client connects to a v3.x broker and is sent a CONNACK with + the "unacceptable protocol version" connack reason code. + * Fix memory leak when setting v5 properties in mosquitto_connect_v5(). + * Fix properties not being sent on QoS>0 PUBLISH messages. + Clients: + * mosquitto_pub: fix error codes not being returned when + mosquitto_pub exits. + * All clients: improve error messages when connecting to a v3.x broker + when in v5 mode. + Other: + - Various documentation fixes. + +- Update to version 1.6.3 + Broker: + * Fix detection of incoming v3.1/v3.1.1 bridges. + * Fix default max_topic_alias listener config not being copied to + the in-use listener when compiled without TLS support. + * Fix random number generation if compiling using `WITH_TLS=no` and + on Linux with glibc >= 2.25. 
Without this fix, no random numbers + would be generated for e.g. on broker client id generation, and so + clients connecting expecting this feature would be unable to connect. + * Fix compilation problem related to `getrandom()` on non-glibc systems. + * Fix Will message for a persistent client incorrectly being sent when the + client reconnects after a clean disconnect. + - Fix Will message for a persistent client not being sent on disconnect. + * Improve documentation around the upgrading of persistence files. + * Add 'extern "C"' on mosquitto_broker.h and mosquitto_plugin.h for + C++ plugin writing. + * Fix persistent Websockets clients not receiving messages after they + reconnect, having sent DISCONNECT on a previous session + * Disable TLS renegotiation. Client initiated renegotiation is considered to + be a potential attack vector against servers. + * Fix incorrect shared subscription topic '$shared'. + * Fix zero length client ids being rejected for MQTT v5 clients with clean + start set to true. + * Fix MQTT v5 overlapping subscription behaviour. Clients now receive message + from all matching subscriptions rather than the first one encountered, which + ensures the maximum QoS requirement is met. + * Fix incoming/outgoing quota problems for QoS>0. + * Remove obsolete `store_clean_interval` from documentation. + * Fix v4 authentication plugin never calling psk_key_get. + Clients: + * Fix -L url parsing when `/topic` part is missing. + * Stop some error messages being printed even when `--quiet` was used. + * Fix mosquitto_pub exiting with error code 0 when an error occurred. + * Fix mosquitto_pub not using the `-c` option. + * Fix MQTT v5 clients not being able to specify a password without a + username. + * Fix `mosquitto_pub -l` not handling network failures. + * Fix `mosquitto_pub -l` not handling zero length input. + * Fix double free on exit in mosquitto_pub. 
+ +- Update to version 1.6.2 + Broker: + * Fix memory access after free, leading to possible crash, when v5 + client with Will message disconnects, where the Will message has + as its first property one of `content-type`, `correlation-data`, + `payload-format-indicator`, or `response-topic`. + * Fix Will message not allowing user-property properties. + * Fix broker originated messages (e.g. $SYS/broker/version) not being + published when `check_retain_source` set to true. + * Fix $SYS/broker/version being incorrectly expired after 60 seconds. + Library: + * Fix crash after client has been unable to connect to a broker. This + occurs when the client is exiting and is part of the final library + cleanup routine. + Clients: + - Fix -L url parsing. + +- Update to version 1.6.1 + Broker: + * Document `memory_limit` option. + Clients: + * Fix compilation on non glibc systems due to missing sys/time.h + header. + +- Add patch: + * mosquitto-fix-pkgconf-path.patch + +------------------------------------------------------------------- +Thu Jul 11 05:41:41 UTC 2019 - Antoine Belvire <[email protected]> + +- Remove SuSEfirewall2 service since SuSEfirewall2 has been + replaced by firewalld (which already provides a mqtt service). 
+ +------------------------------------------------------------------- +Thu Apr 18 08:47:30 UTC 2019 - Martin Hauke <[email protected]> ++++ 77 more lines (skipped) ++++ between /work/SRC/openSUSE:Leap:15.2/mosquitto/mosquitto.changes ++++ and /work/SRC/openSUSE:Leap:15.2/.mosquitto.new.26092/mosquitto.changes Old: ---- mosquitto-1.5.7.tar.gz mosquitto-1.5.7.tar.gz.sig mosquitto-1.5.x-cve-2019-11779.patch mosquitto.fw New: ---- mosquitto-1.6.8.tar.gz mosquitto-1.6.8.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mosquitto.spec ++++++ --- /var/tmp/diff_new_pack.HUYmgz/_old 2020-01-17 12:01:44.380511961 +0100 +++ /var/tmp/diff_new_pack.HUYmgz/_new 2020-01-17 12:01:44.384511962 +0100 @@ -16,7 +16,6 @@ # -%define _fwdefdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %define home %{_localstatedir}/lib/%{name} %define c_lib libmosquitto1 %define cpp_lib libmosquittopp1 @@ -27,7 +26,7 @@ %endif %bcond_without websockets Name: mosquitto -Version: 1.5.7 +Version: 1.6.8 Release: 0 Summary: A MQTT v3.1/v3.1.1 Broker License: EPL-1.0 @@ -37,16 +36,14 @@ Source98: https://mosquitto.org/files/source/mosquitto-%{version}.tar.gz.asc#/%{name}-%{version}.tar.gz.sig Source99: %{name}.keyring Source1: mosquitto.service -Source2: mosquitto.fw Source4: README-conf-d Source5: README-ca_certificates Source6: README-certs Patch0: mosquitto-1.4.1_apparmor.patch -Patch1: https://mosquitto.org/files/cve/2019-11779/mosquitto-1.5.x-cve-2019-11779.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: libcares-devel -BuildRequires: libuuid-devel +#BuildRequires: libuuid-devel BuildRequires: openssl-devel >= 1.0.0 BuildRequires: tcpd-devel Requires(pre): shadow @@ -124,11 +121,11 @@ %prep %setup -q %patch0 -p1 -%patch1 -p1 find misc -type f -exec chmod a-x "{}" "+" %build %cmake \ + -DCMAKE_INSTALL_SYSCONFDIR=/etc \ %if %{with websockets} -DWITH_WEBSOCKETS=ON \ %endif 
@@ -145,7 +142,6 @@ install -Dd -m 0750 %{buildroot}%{home} chmod -R o= %{buildroot}%{_sysconfdir}/%{name}/ %if 0%{?suse_version} -install -D -m 644 %{SOURCE2} %{buildroot}%{_fwdefdir}/mosquitto install -D -m 644 security/mosquitto.apparmor %{buildroot}%{_sysconfdir}/apparmor.d/usr.sbin.mosquitto install -D -m 755 -d %{buildroot}%{_sysconfdir}/apparmor.d/local/ echo "# Site-specific additions and overrides for 'usr.sbin.mosquitto'" > %{buildroot}%{_sysconfdir}/apparmor.d/local/usr.sbin.mosquitto @@ -218,7 +214,6 @@ %dir %{_sysconfdir}/apparmor.d/local/ %config %{_sysconfdir}/apparmor.d/usr.sbin.mosquitto %config(noreplace) %{_sysconfdir}/apparmor.d/local/usr.sbin.mosquitto -%config(noreplace) %{_fwdefdir}/mosquitto %endif %files clients @@ -227,8 +222,10 @@ %doc edl-v10 epl-v10 %{_bindir}/mosquitto_pub %{_bindir}/mosquitto_sub +%{_bindir}/mosquitto_rr %{_mandir}/man1/mosquitto_pub.1%{ext_man} %{_mandir}/man1/mosquitto_sub.1%{ext_man} +%{_mandir}/man1/mosquitto_rr.1%{ext_man} %files -n %{c_lib} %defattr(-,root,root) ++++++ mosquitto-1.5.7.tar.gz -> mosquitto-1.6.8.tar.gz ++++++ ++++ 63034 lines of diff (skipped)
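Review bot: In the mosquitto.changes hunk at @@ -2 +2 @@ and the start of @@ -4,2 +4,269 @@, an already published entry is rewritten in place: its timestamp changes from "Sat Sep 21 20:03:23 UTC 2019" to "Fri Nov 29 18:34:49 UTC 2019" and its body "Add patch to fix security issue: CVE-2019-11779 * mosquitto-1.5.x-cve-2019-11779.patch" is deleted. That removes the record that the 1.5.7 package carried the CVE patch. The new "Drop patch:" list also names only mosquitto-fix-pkgconf-path.patch, although the Old: file list and the removed Patch1 line in the spec show mosquitto-1.5.x-cve-2019-11779.patch being dropped as well. Keep the old entry as history and add the CVE patch to the "Drop patch:" list with the reason (fixed upstream in the new version).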
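Review bot: In the mosquitto.changes hunk at @@ -4,2 +4,269 @@, both CVE entries name the version in their own heading as still affected. "Update to version 1.6.5" describes CVE-2019-11779 as present in "1.5.0 to 1.6.5 inclusive", and "Update to version 1.6.4" describes CVE-2019-11778 as present in "1.6.0 to 1.6.4 inclusive". Check the affected ranges and fixing versions against the upstream advisories and correct whichever side is wrong, so that someone auditing from this changelog can tell which release carries each fix. This matters more here because the update drops the standalone CVE-2019-11779 patch and relies on the 1.6.8 tarball to contain the fix.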
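Review bot: In the mosquitto.spec hunk at @@ -27,7 +26,7 @@, the context line "Summary: A MQTT v3.1/v3.1.1 Broker" is left unchanged while Version moves to 1.6.8, and the changelog entries for the 1.6.x series describe MQTT v5 behaviour throughout. Update the Summary (and the description, if it says the same) so the package metadata matches the protocol versions the broker now speaks.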
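Review bot: In the mosquitto.spec hunk at @@ -37,16 +36,14 @@, "#BuildRequires: libuuid-devel" is left commented out instead of being removed, and nothing in the changelog says why the dependency is no longer needed. Delete the line if 1.6.8 really does not need libuuid and note it in mosquitto.changes, or restore it if the build still uses it. A commented-out dependency gives the next maintainer no way to tell which was intended.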
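Review bot: In the mosquitto.spec hunk at @@ -124,11 +121,11 @@, the added "-DCMAKE_INSTALL_SYSCONFDIR=/etc" hard-codes the path, while the rest of the spec uses the macro, for example "chmod -R o= %{buildroot}%{_sysconfdir}/%{name}/" in the install section. Use "-DCMAKE_INSTALL_SYSCONFDIR=%{_sysconfdir}" so the configuration directory, whose permissions are tightened a few lines later, is guaranteed to be the same one the build installs into.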
