[Bug 1692818] Re: Mosquitto pattern ACLs can be circumvented with special client ids or usernames

Launchpad Bug Tracker Wed, 31 May 2017 01:02:40 -0700

This bug was fixed in the package mosquitto - 0.15-2ubuntu1.1

---------------
mosquitto (0.15-2ubuntu1.1) trusty-security; urgency=low


  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#' (LP: #1692818).
    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- [email protected] (Roger A. Light)  Tue, 23 May 2017 22:14:40 +0100

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1692818

Title:
  Mosquitto pattern ACLs can be circumvented with special client ids or
  usernames

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1692818/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1692818] Re: Mosquitto pattern ACLs can be circumvented with special client ids or usernames

Reply via email to