Update CVE details and bump version number.

2019-02-06 15:44:53 +00:00 · 2019-02-06 15:44:53 +00:00 · 1b5c900e77
commit 1b5c900e77
parent 05458eb35d
8 changed files with 11 additions and 11 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -11,7 +11,7 @@ project(mosquitto)
 cmake_minimum_required(VERSION 2.8)
 # Only for version 3 and up. cmake_policy(SET CMP0042 NEW)

-set (VERSION 1.5.5)
+set (VERSION 1.5.6)

 add_definitions (-DCMAKE -DVERSION=\"${VERSION}\")

--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -1,8 +1,8 @@
-1.5.6 - 201901xx
+1.5.6 - 20190206
 ================

 Security:
- CVE-2018-xxxxx: If Mosquitto is configured to use a password file for
+- CVE-2018-12551: If Mosquitto is configured to use a password file for
  authentication, any malformed data in the password file will be treated as
  valid. This typically means that the malformed data becomes a username and no
  password. If this occurs, clients can circumvent authentication and get access
@ -11,13 +11,13 @@ Security:
  unaffected. Users who have only used the mosquitto_passwd utility to create
  and modify their password files are unaffected by this vulnerability.
  Affects version 1.0 to 1.5.5 inclusive.
- CVE-2018-xxxxx: If an ACL file is empty, or has only blank lines or
+- CVE-2018-12550: If an ACL file is empty, or has only blank lines or
  comments, then mosquitto treats the ACL file as not being defined, which
  means that no topic access is denied. Although denying access to all topics
  is not a useful configuration, this behaviour is unexpected and could lead
  to access being incorrectly granted in some circumstances. This is now
  fixed. Affects versions 1.0 to 1.5.5 inclusive.
- Fix CVE-2018-12546. If a client publishes a retained message to a topic that
+- CVE-2018-12546. If a client publishes a retained message to a topic that
  they have access to, and then their access to that topic is revoked, the
  retained message will still be delivered to future subscribers. This
  behaviour may be undesirable in some applications, so a configuration option
--- a/config.mk
+++ b/config.mk
@ -105,7 +105,7 @@ WITH_BUNDLED_DEPS:=yes

 # Also bump lib/mosquitto.h, CMakeLists.txt,
 # installer/mosquitto.nsi, installer/mosquitto64.nsi
-VERSION=1.5.5
+VERSION=1.5.6

 # Client library SO version. Bump if incompatible API/ABI changes are made.
 SOVERSION=1
--- a/installer/mosquitto.nsi
+++ b/installer/mosquitto.nsi
@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'

 Name "Eclipse Mosquitto"
-!define VERSION 1.5.5
+!define VERSION 1.5.6
 OutFile "mosquitto-${VERSION}-install-windows-x86.exe"

 InstallDir "$PROGRAMFILES\mosquitto"
--- a/installer/mosquitto64.nsi
+++ b/installer/mosquitto64.nsi
@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'

 Name "Eclipse Mosquitto"
-!define VERSION 1.5.5
+!define VERSION 1.5.6
 OutFile "mosquitto-${VERSION}-install-windows-x64.exe"

 !include "x64.nsh"
--- a/lib/mosquitto.h
+++ b/lib/mosquitto.h
@ -47,7 +47,7 @@ extern "C" {

 #define LIBMOSQUITTO_MAJOR 1
 #define LIBMOSQUITTO_MINOR 5
-#define LIBMOSQUITTO_REVISION 5
+#define LIBMOSQUITTO_REVISION 6
 /* LIBMOSQUITTO_VERSION_NUMBER looks like 1002001 for e.g. version 1.2.1. */
 #define LIBMOSQUITTO_VERSION_NUMBER (LIBMOSQUITTO_MAJOR*1000000+LIBMOSQUITTO_MINOR*1000+LIBMOSQUITTO_REVISION)

--- a/set-version.sh
+++ b/set-version.sh
@ -2,7 +2,7 @@

 MAJOR=1
 MINOR=5
-REVISION=5
+REVISION=6

 sed -i "s/^VERSION=.*/VERSION=${MAJOR}.${MINOR}.${REVISION}/" config.mk

--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@ -1,5 +1,5 @@
 name: mosquitto
-version: 1.5.5
+version: 1.5.6
 summary: Eclipse Mosquitto MQTT broker
 description: This is a message broker that supports version 3.1 and 3.1.1 of the MQTT
    protocol.