Bump version, update www and changelog.

CMakeLists.txt

@@ -11,7 +11,7 @@ project(mosquitto)
 cmake_minimum_required(VERSION 2.8)
 # Only for version 3 and up. cmake_policy(SET CMP0042 NEW)
 
-set (VERSION 1.6.5)
+set (VERSION 1.6.6)
 
 add_definitions (-DCMAKE -DVERSION=\"${VERSION}\")
 

ChangeLog.txt

@@ -1,6 +1,10 @@
-1.6.6 - 20190915
+1.6.6 - 20190917
 ================
 
+Security:
+- Restrict topic hierarchy to 200 levels to prevent possible stack overflow.
+  Closes #1412.
+
 Broker:
 - Restrict topic hierarchy to 200 levels to prevent possible stack overflow.
   Closes #1412.

config.mk

@@ -104,7 +104,7 @@ WITH_COVERAGE:=no
 
 # Also bump lib/mosquitto.h, CMakeLists.txt,
 # installer/mosquitto.nsi, installer/mosquitto64.nsi
-VERSION=1.6.5
+VERSION=1.6.6
 
 # Client library SO version. Bump if incompatible API/ABI changes are made.
 SOVERSION=1

installer/mosquitto.nsi

@@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "Eclipse Mosquitto"
-!define VERSION 1.6.5
+!define VERSION 1.6.6
 OutFile "mosquitto-${VERSION}-install-windows-x86.exe"
 
 InstallDir "$PROGRAMFILES\mosquitto"

installer/mosquitto64.nsi

@@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "Eclipse Mosquitto"
-!define VERSION 1.6.5
+!define VERSION 1.6.6
 OutFile "mosquitto-${VERSION}-install-windows-x64.exe"
 
 !include "x64.nsh"

lib/mosquitto.h

@@ -48,7 +48,7 @@ extern "C" {
 
 #define LIBMOSQUITTO_MAJOR 1
 #define LIBMOSQUITTO_MINOR 6
-#define LIBMOSQUITTO_REVISION 5
+#define LIBMOSQUITTO_REVISION 6
 /* LIBMOSQUITTO_VERSION_NUMBER looks like 1002001 for e.g. version 1.2.1. */
 #define LIBMOSQUITTO_VERSION_NUMBER (LIBMOSQUITTO_MAJOR*1000000+LIBMOSQUITTO_MINOR*1000+LIBMOSQUITTO_REVISION)
 

set-version.sh

@@ -2,7 +2,7 @@
 
 MAJOR=1
 MINOR=6
-REVISION=5
+REVISION=6
 
 sed -i "s/^VERSION=.*/VERSION=${MAJOR}.${MINOR}.${REVISION}/" config.mk
 

snap/snapcraft.yaml

@@ -1,5 +1,5 @@
 name: mosquitto
-version: 1.6.5
+version: 1.6.6
 summary: Eclipse Mosquitto MQTT broker
 description: This is a message broker that supports version 3.1 and 3.1.1 of the MQTT
     protocol.

www/pages/download.md

@@ -1,7 +1,7 @@
 <!--
 .. title: Download
 .. slug: download
-.. date: 2019-09-12 15:12:00 UTC+1
+.. date: 2019-09-17 16:12:00 UTC+1
 .. tags: tag
 .. category: category
 .. link: link
@@ -11,7 +11,7 @@
 
 # Source
 
-* [mosquitto-1.6.5.tar.gz](https://mosquitto.org/files/source/mosquitto-1.6.5.tar.gz) (319kB) ([GPG signature](https://mosquitto.org/files/source/mosquitto-1.6.5.tar.gz.asc))
+* [mosquitto-1.6.6.tar.gz](https://mosquitto.org/files/source/mosquitto-1.6.6.tar.gz) (319kB) ([GPG signature](https://mosquitto.org/files/source/mosquitto-1.6.6.tar.gz.asc))
 * [Git source code repository](https://github.com/eclipse/mosquitto) (github.com)
 
 Older downloads are available at [https://mosquitto.org/files/](../files/)
@@ -24,8 +24,8 @@ distributions.
 
 ## Windows
 
-* [mosquitto-1.6.5-install-windows-x64.exe](https://mosquitto.org/files/binary/win64/mosquitto-1.6.5-install-windows-x64.exe) (~1.4 MB) (64-bit build, Windows Vista and up, built with Visual Studio Community 2017)
-* [mosquitto-1.6.5-install-windows-x32.exe](https://mosquitto.org/files/binary/win32/mosquitto-1.6.2-install-windows-x86.exe) (~1.4 MB) (32-bit build, Windows Vista and up, built with Visual Studio Community 2017)
+* [mosquitto-1.6.6-install-windows-x64.exe](https://mosquitto.org/files/binary/win64/mosquitto-1.6.6-install-windows-x64.exe) (~1.4 MB) (64-bit build, Windows Vista and up, built with Visual Studio Community 2017)
+* [mosquitto-1.6.6-install-windows-x32.exe](https://mosquitto.org/files/binary/win32/mosquitto-1.6.6-install-windows-x86.exe) (~1.4 MB) (32-bit build, Windows Vista and up, built with Visual Studio Community 2017)
 
 See also readme-windows.txt after installing.
 

www/posts/2019/09/version-1-6-5-released.md

@@ -1,6 +1,6 @@
 <!--
 .. title: Version 1.6.5 released
-.. slug: version-1-6-4-released
+.. slug: version-1-6-5-released
 .. date: 2019-09-12 15:00:00 UTC+1
 .. tags: Releases
 .. category:

www/posts/2019/09/version-1-6-6-released.md

@@ -0,0 +1,59 @@
+<!--
+.. title: Security advisory: CVE-2018-12543
+.. slug: security-advisory-cve-2018-12543
+.. date: 2018-09-27 10:36:19 UTC+01:00
+.. tags: Security,Releases
+.. category:
+.. link:
+.. description:
+.. type: text
+-->
+
+Mosquitto 1.6.6 and 1.5.9 have been released to address two security vulnerabilities.
+
+Titles and links will be updated once the CVE numbers are assigned.
+
+# CVE-xxxx-xxxxx
+
+A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive.
+
+If a client sends a SUBSCRIBE packet containing a topic that consists of
+approximately 65400 or more '/' characters, i.e. the topic hierarchy separator,
+then a stack overflow will occur.
+
+The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions are
+available at <https://mosquitto.org/files/cve/2019-hier>
+
+The fix addresses the problem by restricting the allowed number of topic
+hierarchy levels to 200. An alternative fix is to increase the size of the
+stack by a small amount.
+
+# CVE-yyyy-yyyyy
+
+A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive.
+
+If an MQTT v5 client connects to Mosquitto, sets a last will and testament,
+sets a will delay interval, sets a session expiry interval, and the will delay
+interval is set longer than the session expiry interval, then a use after free
+error occurs, which has the potential to cause a crash in some situations.
+
+The issue is fixed in Mosquitto 1.6.5. Patches for older versions are available
+at <https://mosquitto.org/files/cve/2019-will-delay>
+
+# Version 1.6.6 Changes
+
+The complete list of fixes addressed in version 1.6.6 is:
+
+## Security
+
+* Restrict topic hierarchy to 200 levels to prevent possible stack overflow.
+  Closes [#1412].
+
+## Broker
+* Restrict topic hierarchy to 200 levels to prevent possible stack overflow.
+  Closes [#1412].
+* `mosquitto_passwd` now returns 1 when attempting to update a user that does
+  not exist. Closes [#1414].
+
+[#1412]: https://github.com/eclipse/mosquitto/issues/1412
+[#1414]: https://github.com/eclipse/mosquitto/issues/1414