Update for 1.6.6

6 years ago · 0c64f4406f
parent 8cfb3856c9
commit 0c64f4406f
3 changed files with 18 additions and 33 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,21 @@
+mosquitto (1.6.6-1) unstable; urgency=high
+
+  * SECURITY UPDATE: If an MQTT v5 client connects to Mosquitto, sets a last
+    will and testament, sets a will delay interval, sets a session expiry
+    interval, and the will delay interval is set longer than the session
+    expiry interval, then a use after free error occurs, which has the
+    potential to cause a crash in some situations.
+    - CVE awaiting assignment
+  * SECURITY UPDATE: If a malicious MQTT client sends a SUBSCRIBE packet
+    containing a topic that consists of approximately 65400 or more '/'
+    characters, i.e. the topic hierarchy separator, then a stack overflow will
+    occur.
+    - CVE awaiting assignment
+  * New upstream release.
+  * Remove bug-1367.patch.
+
+ -- Roger A. Light <roger@atchoo.org>  Tue, 17 Sep 2019 18:41:36 +0100
+
 mosquitto (1.6.4-1) unstable; urgency=medium

  * New upstream release.
--- a/debian/patches/bug-1367.patch
+++ b/debian/patches/bug-1367.patch
@ -1,32 +0,0 @@
-Description: Fix for v5 DISCONNECT packets with remaining length=2
-Author: Roger Light <roger@atchoo.org>
-Forwarded: not-needed
--- a/src/handle_disconnect.c
-+++ b/src/handle_disconnect.c
-@@ -34,12 +34,12 @@ int handle__disconnect(struct mosquitto_db *db, struct mosquitto *context)
- 		return MOSQ_ERR_INVAL;
- 	}
- 
-	if(context->protocol == mosq_p_mqtt5 && context->in_packet.remaining_length > 1){
-+	if(context->protocol == mosq_p_mqtt5 && context->in_packet.remaining_length > 0){
- 		/* FIXME - must handle reason code */
- 		rc = packet__read_byte(&context->in_packet, &reason_code);
- 		if(rc) return rc;
- 
-		if(context->in_packet.remaining_length > 2){
-+		if(context->in_packet.remaining_length > 1){
- 			rc = property__read_all(CMD_DISCONNECT, &context->in_packet, &properties);
- 			if(rc) return rc;
- 		}
-@@ -54,7 +54,7 @@ int handle__disconnect(struct mosquitto_db *db, struct mosquitto *context)
- 	}
- 	mosquitto_property_free_all(&properties); /* FIXME - TEMPORARY UNTIL PROPERTIES PROCESSED */
- 
-	if(context->in_packet.remaining_length != 0){
-+	if(context->in_packet.pos != context->in_packet.remaining_length){
- 		return MOSQ_ERR_PROTOCOL;
- 	}
- 	log__printf(NULL, MOSQ_LOG_DEBUG, "Received DISCONNECT from %s", context->id);
-- 
-2.17.1
-
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1,3 +1,2 @@
 914525.patch
 debian-config.patch
-bug-1367.patch