https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt 1.5.6 - 20190206 ================ Security: CVE-2018-12551: If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. CVE-2018-12550: If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. CVE-2018-12546. If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option `check_retain_source` has been introduced to enforce checking of the retained message source on publish.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65f830a1752ce2004a7a9342964f3894a0d5f047 commit 65f830a1752ce2004a7a9342964f3894a0d5f047 Author: Lucas Ramage <ramage.lucas@protonmail.com> AuthorDate: 2019-02-15 23:05:10 +0000 Commit: Patrice Clement <monsieurp@gentoo.org> CommitDate: 2019-02-16 22:29:14 +0000 app-misc/mosquitto: bump to version 1.5.6. Bug: https://bugs.gentoo.org/677638 Package-Manager: Portage-2.3.51, Repoman-2.3.11 Signed-off-by: Lucas Ramage <ramage.lucas@protonmail.com> Closes: https://github.com/gentoo/gentoo/pull/11060 Signed-off-by: Patrice Clement <monsieurp@gentoo.org> app-misc/mosquitto/Manifest | 1 + app-misc/mosquitto/mosquitto-1.5.6.ebuild | 101 ++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+)
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
(In reply to Yury German from comment #2) > Maintainer(s), please advise if you are ready for stabilization or call for > stabilization yourself. @arches, please stabilize. Thank you!
Arches, please test and mark stable: =app-misc/mosquitto-1.5.6 Target Keywords : "amd64 arm x86" Thank you! Note: Rage, for the future it goes something like this for stabilization, if you do not have the rights to the other stuff, at least give us the info above, so we do not have to hunt for it.
amd64 stable
arm stable
x86 stable
tree is clean
