diff --git a/www/pages/download.md b/www/pages/download.md index 1adf994f..51c1b90c 100644 --- a/www/pages/download.md +++ b/www/pages/download.md @@ -11,8 +11,8 @@ # Source -* [mosquitto-1.5.2.tar.gz](http://mosquitto.org/files/source/mosquitto-1.5.2.tar.gz) (319kB) ([GPG signature](http://mosquitto.org/files/source/mosquitto-1.5.1.tar.gz.asc)) -* [mosquitto-1.5.2.tar.gz](http://www.eclipse.org/downloads/download.php?file=/mosquitto/source/mosquitto-1.5.2.tar.gz) (via Eclipse) +* [mosquitto-1.5.3.tar.gz](http://mosquitto.org/files/source/mosquitto-1.5.3.tar.gz) (319kB) ([GPG signature](http://mosquitto.org/files/source/mosquitto-1.5.3.tar.gz.asc)) +* [mosquitto-1.5.3.tar.gz](http://www.eclipse.org/downloads/download.php?file=/mosquitto/source/mosquitto-1.5.3.tar.gz) (via Eclipse) * [Git source code repository](https://github.com/eclipse/mosquitto) (github.com) Older downloads are available at [http://mosquitto.org/files/](../files/) 
@@ -25,10 +25,8 @@ distributions. ## Windows -* [mosquitto-1.5.2-install-windows-x64.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win64/mosquitto-1.5.2-install-windows-x64.exe) (~360 kB) (64-bit build, Windows Vista and up, built with Visual Studio Community 2017) -* [mosquitto-1.5.2-install-windows-x32.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win32/mosquitto-1.5.2-install-windows-x86.exe) (~360 kB) (32-bit build, Windows Vista and up, built with Visual Studio Community 2017) - -You will also need to install Win64 OpenSSL v1.1.0 Light or Win32OpenSSL v1.1.0 Light from [slproweb.com](http://slproweb.com/products/Win32OpenSSL.html) +* [mosquitto-1.5.3-install-windows-x64.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win64/mosquitto-1.5.3-install-windows-x64.exe) (~360 kB) (64-bit build, Windows Vista and up, built with Visual Studio Community 2017) +* [mosquitto-1.5.3-install-windows-x32.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win32/mosquitto-1.5.3-install-windows-x86.exe) (~360 kB) (32-bit build, Windows Vista and up, built with Visual Studio Community 2017) See also readme-windows.txt after installing. diff --git a/www/pages/security.md b/www/pages/security.md index 466c7a52..c31eb300 100644 --- a/www/pages/security.md +++ b/www/pages/security.md @@ -19,6 +19,8 @@ follow the steps on [Eclipse Security] page to report it. Listed with most recent first. Further information on security related issues can be found in the [security category]. +* September 2018: [CVE-2018-12543] affecting versions **1.5** to **1.5.2** + inclusive, fixed in **1.5.3**. * April 2018: [CVE-2017-7655] affecting versions **1.0** to **1.4.15** inclusive, fixed in **1.5**. * April 2018: [CVE-2017-7654] affecting versions **1.0** to **1.4.15** 
@@ -40,6 +42,7 @@ can be found in the [security category]. [security-advisory-cve-2017-7650]. +[security-advisory-cve-2018-12543]: /2018/09/security-advisory-cve-2018-12543/ [security-advisory-cve-2017-7651-cve-2017-7652]: /2018/02/security-advisory-cve-2017-7651-cve-2017-7652/ [security-advisory-cve-2017-7650]: /2017/05/security-advisory-cve-2017-7650/ [security-advisory-cve-2017-9868]: /2017/06/security-advisory-cve-2017-9868/ @@ -47,6 +50,7 @@ can be found in the [security category]. [Eclipse Security]: https://www.eclipse.org/security/ [security category]: /blog/categories/security/ +[CVE-2018-12543]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543 [CVE-2017-9868]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868 [CVE-2017-7655]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652 [CVE-2017-7654]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652 diff --git a/www/posts/2018/09/security-advisory-cve-2018-12543.md b/www/posts/2018/09/security-advisory-cve-2018-12543.md new file mode 100644 index 00000000..0e33b4ef --- /dev/null +++ b/www/posts/2018/09/security-advisory-cve-2018-12543.md 
@@ -0,0 +1,59 @@ + + +Mosquitto 1.5.3 has been released to address a security vulnerability. It also +includes other bug fixes. + +# CVE-2018-12543 + +A vulnerability exists in Mosquitto versions 1.5 to 1.5.2 inclusive, known as +[CVE-2018-12543]. + +If a message received by the broker has a topic that begins with `$`, but that +does not begin `$SYS`, an assert is triggered that should otherwise not be +accessible, causing Mosquitto to exit. + +The issue is fixed in Mosquitto 1.5.3. Patches for older versions are +available at + +The fix addresses the problem by reverting a commit that intended to remove +some unused checks, but also stopped part of the topic hierarchy being created. + +# Version 1.5.3 Changes + +The complete list of fixes addressed in version 1.5.3 is: + +## Security + +* Fix [CVE-2018-12543]. If a message is sent to Mosquitto with a topic that + begins with `$`, but is not `$SYS`, then an assert that should be unreachable + is triggered and Mosquitto will exit. + +## Broker +* Elevate log level to warning for situation when socket limit is hit. +* Remove requirement to use `user root` in snap package config files. +* Fix retained messages not sent by bridges on outgoing topics at the first + connection. Closes [#701]. +* Documentation fixes. Closes [#520], [#600]. +* Fix duplicate clients being added to by_id hash before the old client was + removed. Closes [#645]. +* Fix Windows version not starting if `include_dir` did not contain any files. + Closes [#566]. + +## Build +* Various fixes to ease building. + +[CVE-2018-12543]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543 +[#520]: https://github.com/eclipse/mosquitto/issues/520 +[#566]: https://github.com/eclipse/mosquitto/issues/566 +[#600]: https://github.com/eclipse/mosquitto/issues/600 +[#645]: https://github.com/eclipse/mosquitto/issues/645 +[#701]: https://github.com/eclipse/mosquitto/issues/701
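Review bot: In the download.md `@@ -11,8` hunk the tarball size is left at "(319kB)" while the link moves from 1.5.2 to 1.5.3; confirm the 1.5.3 tarball is actually the same size or update the figure. The hunk does correctly fix the old signature link, which pointed at `mosquitto-1.5.1.tar.gz.asc` for the 1.5.2 tarball; worth calling out in the commit message since a mismatched `.asc` link means users cannot verify the download they are offered.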
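Review bot: The download.md `@@ -25,10` hunk drops the line "You will also need to install Win64 OpenSSL v1.1.0 Light or Win32OpenSSL v1.1.0 Light from slproweb.com" without replacing it, so the page no longer states the TLS prerequisite for the Windows build; either restore it or say explicitly that 1.5.3 bundles OpenSSL or that the requirement is documented in readme-windows.txt. Separately, the second bullet still labels the file `mosquitto-1.5.3-install-windows-x32.exe` while the URL ends in `-x86.exe`; make the link text match the real filename.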
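Review bot: In the security.md `@@ -40,6` hunk the new `[security-advisory-cve-2018-12543]` reference definition is added, but the list entry added in the `@@ -19,6` hunk only links `[CVE-2018-12543]` and never uses it, unlike the existing entries that end with a `[security-advisory-...]` link; either append a "see [security-advisory-cve-2018-12543]" pointer to the new entry or drop the unused definition.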
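Review bot: The security.md `@@ -47,6` hunk adds a correct `[CVE-2018-12543]` link, but the two context lines right below it show `[CVE-2017-7655]` and `[CVE-2017-7654]` both resolving to `cvename.cgi?name=CVE-2017-7652`, a copy-paste error that sends readers to the wrong advisory; since this file is being touched anyway, fix those two targets to their own CVE ids in the same change.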
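Review bot: In the new advisory post (`@@ -0,0 +1,59`) the sentence "Patches for older versions are available at" ends without a URL, so readers on 1.5.0 to 1.5.2 who cannot upgrade immediately are given nowhere to get the fix; add the link or remove the sentence. Two smaller points: the `## Broker` heading has no blank line before its list while `## Security` does, and the `[CVE-2018-12543]` definition uses `http://cve.mitre.org` where security.md uses `https://`; use https consistently.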