mosquitto/www/pages/security.md

<!--
.. title: Security
.. slug: security
.. date: 2021-04-03 11:55:50 UTC+1
.. tags:
.. category:
.. link:
.. description:
.. type: text
-->

# Reporting security vulnerabilities

If you think you have found a security vulnerability in Mosquitto, please
follow the steps on [Eclipse Security] page to report it.

# Past vulnerabilities

Listed with most recent first. Further information on security related issues
can be found in the [security category].

* June 2023: [CVE-2023-28366]: Clients sending unacknowledged QoS 2 messages
  with duplicate message ids cause a memory leak. Affecting versions **1.3.2**
  to **2.0.15** inclusive, fixed in **2.0.16**.
* August 2022: Deleting the anonymous group in the dynamic security plugin
  could lead to a crash. Affecting versions **2.0.0** to **2.0.14** inclusive,
  fixed in **2.0.15**.
* August 2021: [CVE-2021-34434] Affecting versions **2.0.0** to **2.0.11**
  inclusive, fixed in **2.0.12**.
* April 2021: [CVE-2021-28166] Affecting versions **2.0.0** to **2.0.9**
  inclusive, fixed in **2.0.10**.
* December 2020: Running mosquitto_passwd with the following arguments only
  `mosquitto_passwd -b password_file username password` would cause the
  username to be used as the password. Affecting versions **2.0.0** to
  **2.0.2** inclusive, fixed in **2.0.3**.
* September 2019: [CVE-2019-11779]. Affecting versions **1.5** to **1.6.5**
  inclusive, fixed in **1.6.6** and **1.5.9**. More details at [version-166-released].
* September 2019: [CVE-2019-11778]. Affecting versions **1.6** to **1.6.4**
  inclusive, fixed in **1.6.5**. More details at [version-166-released].
* April 2019: No CVE assigned. Affecting versions **1.6** and **1.6.1**,
  fixed in **1.6.2**. More details at [version-162-released].
* December 2018: [CVE-2018-20145]. Affecting versions **1.5** to **1.5.4**
  inclusive, fixed in **1.5.5.**. More details at [version-155-released].
* November 2018: No CVE assigned. Affecting versions **1.4** to **1.5.3**
  inclusive, fixed in **1.5.4**. More details at [version-154-released].
* September 2018: [CVE-2018-12543] affecting versions **1.5** to **1.5.2**
  inclusive, fixed in **1.5.3**.
* April 2018: [CVE-2017-7655] affecting versions **1.0** to **1.4.15**
  inclusive, fixed in **1.5**.
* April 2018: [CVE-2017-7654] affecting versions **1.0** to **1.4.15**
  inclusive, fixed in **1.5**.
  [security-advisory-cve-2017-7653-cve-2017-7654].
* April 2018: [CVE-2017-7653] affecting versions **1.0** to **1.4.15**
  inclusive, fixed in **1.5**.
* February 2018: [CVE-2017-7651] affecting versions **0.15** to **1.4.14**
  inclusive, fixed in **1.4.15**. More details at
  [security-advisory-cve-2017-7651-cve-2017-7652].
* February 2018: [CVE-2017-7652] affecting versions **1.0** to **1.4.14**
  inclusive, fixed in **1.4.15**. More details at
  [security-advisory-cve-2017-7651-cve-2017-7652].
* June 2017: [CVE-2017-9868] affecting versions **0.15** to **1.4.12**
  inclusive, fixed in **1.4.13**. More details at
  [security-advisory-cve-2017-9868].
* May 2017: [CVE-2017-7650] affecting versions **0.15** to **1.4.11**
  inclusive, fixed in **1.4.12**. More details at
  [security-advisory-cve-2017-7650].

[version-166-released]: /blog/2019/09/version-1-6-6-released/
[version-162-released]: /blog/2019/04/version-1-6-2-released/
[version-155-released]: /blog/2018/11/version-155-released/
[version-154-released]: /blog/2018/11/version-154-released/
[security-advisory-cve-2018-12543]: /blog/2018/09/security-advisory-cve-2018-12543/
[security-advisory-cve-2017-7651-cve-2017-7652]: /blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
[security-advisory-cve-2017-7650]: /blog/2017/05/security-advisory-cve-2017-7650/
[security-advisory-cve-2017-9868]: /blog/2017/06/security-advisory-cve-2017-9868/

[Eclipse Security]: https://www.eclipse.org/security/
[security category]: /blog/categories/security/

[CVE-2021-34434]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434
[CVE-2021-28166]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166
[CVE-2019-11779]: https://nvd.nist.gov/vuln/detail/CVE-2019-11779
[CVE-2019-11778]: https://nvd.nist.gov/vuln/detail/CVE-2019-11778
[CVE-2018-20145]: https://nvd.nist.gov/vuln/detail/CVE-2018-20145
[CVE-2018-12543]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543
[CVE-2017-9868]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868
[CVE-2017-7655]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7655
[CVE-2017-7654]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654
[CVE-2017-7653]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653
[CVE-2017-7652]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652
[CVE-2017-7651]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651
[CVE-2017-7650]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7650
Add website. 2018-08-08 21:43:14 +00:00			`<!--`
			`.. title: Security`
			`.. slug: security`
Bump version, update web page. 2021-04-03 11:00:33 +00:00			`.. date: 2021-04-03 11:55:50 UTC+1`
Add website. 2018-08-08 21:43:14 +00:00			`.. tags:`
			`.. category:`
			`.. link:`
			`.. description:`
			`.. type: text`
			`-->`

			`# Reporting security vulnerabilities`

			`If you think you have found a security vulnerability in Mosquitto, please`
			`follow the steps on [Eclipse Security] page to report it.`

			`# Past vulnerabilities`

			`Listed with most recent first. Further information on security related issues`
			`can be found in the [security category].`

Fix for CVE-2023-28366 2023-06-13 10:22:03 +00:00			`* June 2023: [CVE-2023-28366]: Clients sending unacknowledged QoS 2 messages`
			`with duplicate message ids cause a memory leak. Affecting versions 1.3.2`
			`to 2.0.15 inclusive, fixed in 2.0.16.`
Update security page 2022-08-16 15:00:12 +00:00			`* August 2022: Deleting the anonymous group in the dynamic security plugin`
			`could lead to a crash. Affecting versions 2.0.0 to 2.0.14 inclusive,`
			`fixed in 2.0.15.`
CVE-2021-34434 details. 2021-08-30 21:06:32 +00:00			`* August 2021: [CVE-2021-34434] Affecting versions 2.0.0 to 2.0.11`
			`inclusive, fixed in 2.0.12.`
Update CVE information. 2021-04-10 07:28:41 +00:00			`* April 2021: [CVE-2021-28166] Affecting versions 2.0.0 to 2.0.9`
Bump version, update web page. 2021-04-03 11:00:33 +00:00			`inclusive, fixed in 2.0.10.`
Bump version, changelog and webpage. 2020-12-17 14:28:23 +00:00			`* December 2020: Running mosquitto_passwd with the following arguments only`
			`mosquitto_passwd -b password_file username password` would cause the
			`username to be used as the password. Affecting versions 2.0.0 to`
			`2.0.2 inclusive, fixed in 2.0.3.`
Update security page. 2019-09-18 16:23:30 +00:00			`* September 2019: [CVE-2019-11779]. Affecting versions 1.5 to 1.6.5`
			`inclusive, fixed in 1.6.6 and 1.5.9. More details at [version-166-released].`
			`* September 2019: [CVE-2019-11778]. Affecting versions 1.6 to 1.6.4`
			`inclusive, fixed in 1.6.5. More details at [version-166-released].`
Bump version numbers, update webpage. 2019-04-30 13:35:37 +00:00			`* April 2019: No CVE assigned. Affecting versions 1.6 and 1.6.1,`
			`fixed in 1.6.2. More details at [version-162-released].`
Update details of CVE-2018-20145. 2018-12-20 18:45:01 +00:00			`* December 2018: [CVE-2018-20145]. Affecting versions 1.5 to 1.5.4`
Website update for 1.5.5. 2018-12-11 16:07:18 +00:00			`inclusive, fixed in 1.5.5.. More details at [version-155-released].`
Update website for 1.5.4. 2018-11-08 17:14:43 +00:00			`* November 2018: No CVE assigned. Affecting versions 1.4 to 1.5.3`
			`inclusive, fixed in 1.5.4. More details at [version-154-released].`
Add website post and update downloads/security. 2018-09-27 09:48:03 +00:00			`* September 2018: [CVE-2018-12543] affecting versions 1.5 to 1.5.2`
			`inclusive, fixed in 1.5.3.`
Add fixed CVE information. 2018-09-20 14:25:28 +00:00			`* April 2018: [CVE-2017-7655] affecting versions 1.0 to 1.4.15`
			`inclusive, fixed in 1.5.`
			`* April 2018: [CVE-2017-7654] affecting versions 1.0 to 1.4.15`
			`inclusive, fixed in 1.5.`
			`[security-advisory-cve-2017-7653-cve-2017-7654].`
			`* April 2018: [CVE-2017-7653] affecting versions 1.0 to 1.4.15`
			`inclusive, fixed in 1.5.`
Add website. 2018-08-08 21:43:14 +00:00			`* February 2018: [CVE-2017-7651] affecting versions 0.15 to 1.4.14`
			`inclusive, fixed in 1.4.15. More details at`
			`[security-advisory-cve-2017-7651-cve-2017-7652].`
			`* February 2018: [CVE-2017-7652] affecting versions 1.0 to 1.4.14`
			`inclusive, fixed in 1.4.15. More details at`
			`[security-advisory-cve-2017-7651-cve-2017-7652].`
			`* June 2017: [CVE-2017-9868] affecting versions 0.15 to 1.4.12`
			`inclusive, fixed in 1.4.13. More details at`
			`[security-advisory-cve-2017-9868].`
			`* May 2017: [CVE-2017-7650] affecting versions 0.15 to 1.4.11`
			`inclusive, fixed in 1.4.12. More details at`
			`[security-advisory-cve-2017-7650].`

Fix broken links on security.md Closes #2855. Thanks to cfi-gb 2023-08-15 16:22:13 +00:00			`[version-166-released]: /blog/2019/09/version-1-6-6-released/`
			`[version-162-released]: /blog/2019/04/version-1-6-2-released/`
			`[version-155-released]: /blog/2018/11/version-155-released/`
			`[version-154-released]: /blog/2018/11/version-154-released/`
			`[security-advisory-cve-2018-12543]: /blog/2018/09/security-advisory-cve-2018-12543/`
			`[security-advisory-cve-2017-7651-cve-2017-7652]: /blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/`
			`[security-advisory-cve-2017-7650]: /blog/2017/05/security-advisory-cve-2017-7650/`
			`[security-advisory-cve-2017-9868]: /blog/2017/06/security-advisory-cve-2017-9868/`
Add fixed CVE information. 2018-09-20 14:25:28 +00:00
			`[Eclipse Security]: https://www.eclipse.org/security/`
Add website. 2018-08-08 21:43:14 +00:00			`[security category]: /blog/categories/security/`
Add fixed CVE information. 2018-09-20 14:25:28 +00:00
CVE-2021-34434 details. 2021-08-30 21:06:32 +00:00			`[CVE-2021-34434]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434`
Update CVE information. 2021-04-10 07:28:41 +00:00			`[CVE-2021-28166]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166`
Update security page. 2019-09-18 16:23:30 +00:00			`[CVE-2019-11779]: https://nvd.nist.gov/vuln/detail/CVE-2019-11779`
			`[CVE-2019-11778]: https://nvd.nist.gov/vuln/detail/CVE-2019-11778`
Update details of CVE-2018-20145. 2018-12-20 18:45:01 +00:00			`[CVE-2018-20145]: https://nvd.nist.gov/vuln/detail/CVE-2018-20145`
Add website post and update downloads/security. 2018-09-27 09:48:03 +00:00			`[CVE-2018-12543]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543`
Add fixed CVE information. 2018-09-20 14:25:28 +00:00			`[CVE-2017-9868]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868`
Fix broken links on security.md Closes #2855. Thanks to cfi-gb 2023-08-15 16:22:13 +00:00			`[CVE-2017-7655]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7655`
			`[CVE-2017-7654]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654`
			`[CVE-2017-7653]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653`
Add fixed CVE information. 2018-09-20 14:25:28 +00:00			`[CVE-2017-7652]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652`
			`[CVE-2017-7651]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651`
			`[CVE-2017-7650]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7650`