The function ssl.wrap_socket() is deprecated starting Python 3.7 because
it does not support hostname matching (which is considered insecure). In
Python 3.10, the function now throws warnings at runtime, which makes
Ubuntu / Debian autopkgtest fail.
The function ssl.SSLContext.wrap_socket comes in as the replacement and
has support for SNI and hostname matching.
Replaced all uses of ssl.wrap_socket() by equivalent using
ssl.SSLContext.wrap_socket().
Signed-off-by: Olivier Gayot <olivier.gayot@canonical.com>
Incoming QoS 2 messages that had not completed the QoS flow were not being
checked for ACL access when a clean session=False client was reconnecting.
Closes#575314.
An MQTT v5 client connecting with a large number of user-property properties
could cause excessive CPU usage, leading to a loss of performance and
possible denial of service. This has been fixed.
If a plugin had granted ACL subscription access to a
durable/non-clean-session client, then removed that access, the client would
keep its existing subscription. This has been fixed.
CVE-xxxx-xxxx: If an authenticated client connected with MQTT v5 sent a
malformed CONNACK message to the broker a NULL pointer dereference occurred,
most likely resulting in a segfault. This will be updated with the CVE
number when it is assigned.
Affects versions 2.0.0 to 2.0.9 inclusive.
Closes#2163. Thanks to Bryan Pearson.
The error topic-alias-invalid was being sent if an MQTT v5 client published
a message with empty topic and topic alias set, but the topic alias hadn't
already been configured on the broker. This has been fixed to send a
protocol error, as per section 3.3.4 of the specification.
Roger A. Light
Olivier Gayot
Xavier Dooms