97 lines
4.6 KiB
Markdown
97 lines
4.6 KiB
Markdown
|
<!--
|
||
|
.. title: Version 2.0.12 released.
|
||
|
.. slug: version-2-0-12-released
|
||
|
.. date: 2021-08-31 17:16:38 UTC+1
|
||
|
.. tags: Releases
|
||
|
.. category:
|
||
|
.. link:
|
||
|
.. description:
|
||
|
.. type: text
|
||
|
-->
|
||
|
|
||
|
Versions 2.0.12 of Mosquitto has been released. This is a security
|
||
|
and bugfix release.
|
||
|
|
||
|
# Security
|
||
|
- An MQTT v5 client connecting with a large number of user-property properties
|
||
|
could cause excessive CPU usage, leading to a loss of performance and
|
||
|
possible denial of service. This has been fixed.
|
||
|
- Fix `max_keepalive` not applying to MQTT v3.1.1 and v3.1 connections.
|
||
|
These clients are now rejected if their keepalive value exceeds
|
||
|
max_keepalive. This option allows [CVE-2020-13849], which is for the MQTT
|
||
|
v3.1.1 protocol itself rather than an implementation, to be addressed.
|
||
|
- Using certain listener related configuration options e.g. `cafile`, that
|
||
|
apply to the default listener without defining any listener would cause a
|
||
|
remotely accessible listener to be opened that was not confined to the local
|
||
|
machine but did have anonymous access enabled, contrary to the
|
||
|
documentation. This has been fixed. Closes [#2283].
|
||
|
- [CVE-2021-34434]: If a plugin had granted ACL subscription access to a
|
||
|
durable/non-clean-session client, then removed that access, the client would
|
||
|
keep its existing subscription. This has been fixed.
|
||
|
- Incoming QoS 2 messages that had not completed the QoS flow were not being
|
||
|
checked for ACL access when a clean session=False client was reconnecting.
|
||
|
This has been fixed.
|
||
|
|
||
|
# Broker
|
||
|
- Fix possible out of bounds memory reads when reading a corrupt/crafted
|
||
|
configuration file. Unless your configuration file is writable by untrusted
|
||
|
users this is not a risk. Closes [#567213].
|
||
|
- Fix `max_connections` option not being correctly counted.
|
||
|
- Fix TLS certificates and TLS-PSK not being able to be configured at the same
|
||
|
time.
|
||
|
- Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured.
|
||
|
- Fix `max_keepalive` not applying to MQTT v3.1.1 and v3.1 connections.
|
||
|
These clients are now rejected if their keepalive value exceeds
|
||
|
`max_keepalive`. This option allows CVE-2020-13849, which is for the MQTT
|
||
|
v3.1.1 protocol itself rather than an implementation, to be addressed.
|
||
|
- Fix broker not quiting if e.g. the `password_file` is specified as a
|
||
|
directory. Closes [#2241].
|
||
|
- Fix listener `mount_point` not being removed on outgoing messages.
|
||
|
Closes [#2244].
|
||
|
- Strict protocol compliance fixes, plus test suite.
|
||
|
- Fix $share subscriptions not being recovered for durable clients that
|
||
|
reconnect.
|
||
|
- Update plugin configuration documentation. Closes [#2286].
|
||
|
|
||
|
# Client library
|
||
|
- If a client uses TLS-PSK then force the default cipher list to use "PSK"
|
||
|
ciphers only. This means that a client connecting to a broker configured
|
||
|
with x509 certificates only will now fail. Prior to this, the client would
|
||
|
connect successfully without verifying certificates, because they were not
|
||
|
configured.
|
||
|
- Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured.
|
||
|
- Threaded mode is deconfigured when the `mosquitto_loop_start()` thread ends,
|
||
|
which allows `mosquitto_loop_start()` to be called again. Closes [#2242].
|
||
|
- Fix `MOSQ_OPT_SSL_CTX` not being able to be set to NULL. Closes [#2289].
|
||
|
- Fix reconnecting failing when `MOSQ_OPT_TLS_USE_OS_CERTS` was in use, but none
|
||
|
of `capath`, `cafile`, `psk`, nor `MOSQ_OPT_SSL_CTX` were set, and
|
||
|
`MOSQ_OPT_SSL_CTX_WITH_DEFAULTS` was set to the default value of true.
|
||
|
Closes [#2288].
|
||
|
|
||
|
# Apps
|
||
|
- Fix `mosquitto_ctrl dynsec setDefaultACLAccess` command not working.
|
||
|
|
||
|
# Clients
|
||
|
- `mosquitto_sub` and `mosquitto_rr` now open stdout in binary mode on Windows
|
||
|
so binary payloads are not modified when printing.
|
||
|
- Document TLS certificate behaviour when using `-p 8883`.
|
||
|
|
||
|
# Build
|
||
|
- Fix installation using `WITH_TLS=no`. Closes [#2281].
|
||
|
- Fix builds with libressl 3.4.0. Closes [#2198].
|
||
|
- Remove some unnecessary code guards related to libressl.
|
||
|
- Fix printf format build warning on MIPS. Closes [#2271].
|
||
|
|
||
|
[#2198]: https://github.com/eclipse/mosquitto/issues/2198
|
||
|
[#2241]: https://github.com/eclipse/mosquitto/issues/2241
|
||
|
[#2242]: https://github.com/eclipse/mosquitto/issues/2242
|
||
|
[#2244]: https://github.com/eclipse/mosquitto/issues/2244
|
||
|
[#2271]: https://github.com/eclipse/mosquitto/issues/2271
|
||
|
[#2281]: https://github.com/eclipse/mosquitto/issues/2281
|
||
|
[#2286]: https://github.com/eclipse/mosquitto/issues/2286
|
||
|
[#2288]: https://github.com/eclipse/mosquitto/issues/2288
|
||
|
[#2289]: https://github.com/eclipse/mosquitto/issues/2289
|
||
|
[#567213]: https://bugs.eclipse.org/bugs/show_bug.cgi?id=567213
|
||
|
[CVE-2020-13849]: https://nvd.nist.gov/vuln/detail/CVE-2020-13849
|
||
|
[CVE-2021-34434]: https://nvd.nist.gov/vuln/detail/CVE-2021-34434
|