<!--
.. title: Security advisory: CVE-2017-9868
.. slug: security-advisory-cve-2017-9868
.. date: 2017-06-26 11:45:51
.. tags: Security
.. category:
.. link:
.. description:
.. type: text
-->

A vulnerability exists in Mosquitto versions 0.15 to 1.4.12 inclusive known as
[CVE-2017-9868].

If persistence is enabled, then the persistence file is created world-readable,
which has the potential to make sensitive information available to any local
user.

Patches are available to fix this for Unix-like operating systems (i.e. not
Windows): <https://mosquitto.org/files/cve/2017-9868/>

This will be fixed in version 1.4.13, due to be released shortly.

This can also be fixed administratively by removing world read permissions for
the directory that the persistence file is stored in. In many systems this can
be achieved with:

```
chmod 700 /var/lib/mosquitto
```

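To verify the administrative fix, the following added example (not part of the original advisory or of the Mosquitto project) checks the permission bits for "other" users on the persistence directory and on the files directly inside it. It assumes the directory from the `chmod` command above as the default and a `find` that supports `-maxdepth`; the function name is made up for this example. A file with a known name stays readable while the directory keeps its search (`x`) bit for others, so mode 711 is reported as exposed.

```sh
# Added example: audit a Mosquitto persistence directory for world access.
# Usage: audit_persistence_dir [DIR]   (DIR defaults to /var/lib/mosquitto)
# Prints one finding per line. Returns 0 if nothing is exposed to other
# users, 1 if something is, 2 if DIR is not a directory.

audit_persistence_dir() {
    dir=${1:-/var/lib/mosquitto}
    exposed=0

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi

    # -prune makes find test only the directory itself.
    # o+r on a directory lets other users list the file names in it.
    # o+x (search) lets them open a file inside it if they know its name.
    dir_read=$(find "$dir" -prune -perm -004)
    dir_search=$(find "$dir" -prune -perm -001)

    if [ -n "$dir_read" ]; then
        echo "DIR-LISTABLE: $dir"
        exposed=1
    fi

    # World-readable files are only reachable if the directory is searchable.
    if [ -n "$dir_search" ]; then
        files=$(find "$dir" -maxdepth 1 -type f -perm -004)
        if [ -n "$files" ]; then
            echo "$files" | sed 's/^/FILE-READABLE: /'
            exposed=1
        fi
    fi

    return "$exposed"
}
```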
[CVE-2017-9868]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868