[Bug 1692818] Re: Mosquitto pattern ACLs can be circumvented with special client ids or usernames

Launchpad Bug Tracker Wed, 31 May 2017 01:02:35 -0700

This bug was fixed in the package mosquitto - 1.4.8-1ubuntu0.16.10.1

---------------
mosquitto (1.4.8-1ubuntu0.16.10.1) yakkety-security; urgency=low


  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- [email protected] (Roger A. Light)  Tue, 23 May 2017 22:14:40 +0100

** Changed in: mosquitto (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1692818

Title:
  Mosquitto pattern ACLs can be circumvented with special client ids or
  usernames

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1692818/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1692818] Re: Mosquitto pattern ACLs can be circumvented with special client ids or usernames

Reply via email to