Eclipse Mosquitto™ 1.4.12

Security

  • Fix CVE-2017-7650, which allows clients with a username or client id set to '#' or '+' to bypass pattern-based ACLs or third-party plugins. With the fix, a client that has a '#' or '+' in its username or client id is denied sending or receiving any message that is subject to a pattern ACL check or a plugin check.

Patches for other versions are available at http://mosquitto.org/files/cve/2017-7650/
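
The following is an added example, not Mosquitto's own code: a simplified C model of a pattern ACL check that substitutes %u (username) and %c (client id) into the pattern and matches the result as a topic filter, next to the deny rule described above. The function names, the sample pattern and the reduced topic matcher are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified MQTT filter match: '+' = one level, trailing '#' = the rest. */
static bool topic_matches(const char *f, const char *t)
{
    while (*f) {
        if (*f == '#') return f[1] == '\0';
        if (*f == '+') { while (*t && *t != '/') t++; f++; }
        else if (*f == *t) { f++; t++; }
        else return false;
    }
    return *t == '\0';
}

/* Expand %u (username) and %c (client id) in a pattern ACL topic. */
static void expand(const char *pat, const char *user, const char *cid, char *out, size_t n)
{
    size_t o = 0;
    for (; *pat && o + 1 < n; pat++) {
        const char *sub = pat[0] != '%' ? NULL
                        : pat[1] == 'u' ? user : pat[1] == 'c' ? cid : NULL;
        if (sub) { o += (size_t)snprintf(out + o, n - o, "%s", sub); pat++; }
        else out[o++] = *pat;
    }
    out[o < n ? o : n - 1] = '\0';
}

/* Model of a check without the fix: substitute, then match as a filter. */
static bool acl_naive(const char *pat, const char *user, const char *cid, const char *topic)
{
    char filter[256];
    expand(pat, user, cid, filter, sizeof filter);
    return topic_matches(filter, topic);
}

/* Rule from the 1.4.12 notes: '#' or '+' in username or client id => deny. */
static bool acl_fixed(const char *pat, const char *user, const char *cid, const char *topic)
{
    if (strpbrk(user, "#+") || strpbrk(cid, "#+")) return false;
    return acl_naive(pat, user, cid, topic);
}

int main(void)
{
    /* Constructed sample: pattern "sensors/%u/data", username "+". */
    printf("naive: %d\n", acl_naive("sensors/%u/data", "+", "c1", "sensors/bob/data"));
    printf("fixed: %d\n", acl_fixed("sensors/%u/data", "+", "c1", "sensors/bob/data"));
}
```

The same `strpbrk` test can be run over an existing password file or client id inventory to find accounts that a patched broker will start denying on pattern ACL checks.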

Broker

  • Fix mosquitto.db becoming corrupted due to client messages being persisted with no stored message. Closes #424.
  • Fix bridge not restarting properly. Closes #428.
  • Fix uninitialized memory in gets_quiet on Windows. Closes #426.
  • Fix building with WITH_ADNS=no for systems that don't use glibc. Closes #415.
  • Fixes to readme.md.
  • Fix deprecation warning for OpenSSL 1.1. PR #416.
  • Don't segfault on duplicate bridge names. Closes #446.
  • Fix CVE-2017-7650.

 

Release Date
Release Type: Service release (bug fixes only)