From 1ed275b1d4f49cdeca45bbcaa605e75fafa1b140 Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Thu, 24 Aug 2023 01:16:51 +0100 Subject: [PATCH] Version 2.0.17 and below post --- www/posts/2023/08/version-2-0-16-released.md | 84 ++++++++++++++++++++ www/posts/2023/08/version-2-0-17-released.md | 24 ++++++ 2 files changed, 108 insertions(+) create mode 100644 www/posts/2023/08/version-2-0-16-released.md create mode 100644 www/posts/2023/08/version-2-0-17-released.md diff --git a/www/posts/2023/08/version-2-0-16-released.md b/www/posts/2023/08/version-2-0-16-released.md new file mode 100644 index 00000000..4cf08a25 --- /dev/null +++ b/www/posts/2023/08/version-2-0-16-released.md 
@@ -0,0 +1,84 @@ + + +Version 2.0.16 of Mosquitto has been released. This is a security +and bugfix release. + +# Security +- [CVE-2023-28366]: Fix memory leak in broker when clients send multiple QoS 2 + messages with the same message ID, but then never respond to the PUBREC + commands. +- [CVE-2023-0809]: Fix excessive memory being allocated based on malicious + initial packets that are not CONNECT packets. +- [CVE-2023-3592]: Fix memory leak when clients send v5 CONNECT packets with a + will message that contains invalid property types. +- Broker will now reject Will messages that attempt to publish to $CONTROL/. +- Broker now validates usernames provided in a TLS certificate or TLS-PSK + identity are valid UTF-8. +- Fix potential crash when loading invalid persistence file. +- Library will no longer allow single level wildcard certificates, e.g. *.com + +# Broker +- Fix $SYS messages being expired after 60 seconds and hence unchanged values + disappearing. +- Fix some retained topic memory not being cleared immediately after used. +- Fix error handling related to the `bind_interface` option. +- Fix std* files not being redirected when daemonising, when built with + assertions removed. Closes [#2708]. +- Fix default settings incorrectly allowing TLS v1.1. Closes [#2722]. +- Use line buffered mode for stdout. Closes #2354. Closes [#2749]. +- Fix bridges with non-matching cleansession/local_cleansession being expired + on start after restoring from persistence. Closes [#2634]. +- Fix connections being limited to 2048 on Windows. The limit is now 8192, + where supported. Closes [#2732]. +- Broker will log warnings if sensitive files are world readable/writable, or + if the owner/group is not the same as the user/group the broker is running + as. In future versions the broker will refuse to open these files. +- mosquitto_memcmp_const is now more constant time. +- Only register with DLT if DLT logging is enabled. 
+- Fix any possible case where a json string might be incorrectly loaded. This + could have caused a crash if a textname or textdescription field of a role was + not a string, when loading the dynsec config from file only. +- Dynsec plugin will not allow duplicate clients/groups/roles when loading + config from file, which matches the behaviour for when creating them. +- Fix heap overflow when reading corrupt config with "log_dest file". + +# Client library +- Use CLOCK_BOOTTIME when available, to keep track of time. This solves the + problem of the client OS sleeping and the client hence not being able to + calculate the actual time for keepalive purposes. Closes [#2760]. +- Fix default settings incorrectly allowing TLS v1.1. Closes [#2722]. +- Fix high CPU use on slow TLS connect. Closes [#2794]. + +# Clients +- Fix incorrect topic-alias property value in mosquitto_sub json output. +- Fix confusing message on TLS certificate verification. Closes [#2746]. + +# Apps +- mosquitto_passwd uses mkstemp() for backup files. +- `mosquitto_ctrl dynsec init` will refuse to overwrite an existing file, + without a race-condition. 
+ +[CVE-2023-0809]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0809 +[CVE-2023-28366]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27366 +[CVE-2023-3592]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3592 +[#2354]: https://github.com/eclipse/mosquitto/issues/2354 +[#2634]: https://github.com/eclipse/mosquitto/issues/2634 +[#2708]: https://github.com/eclipse/mosquitto/issues/2708 +[#2722]: https://github.com/eclipse/mosquitto/issues/2722 +[#2722]: https://github.com/eclipse/mosquitto/issues/2722 +[#2732]: https://github.com/eclipse/mosquitto/issues/2732 +[#2746]: https://github.com/eclipse/mosquitto/issues/2746 +[#2749]: https://github.com/eclipse/mosquitto/issues/2749 +[#2760]: https://github.com/eclipse/mosquitto/issues/2760 +[#2794]: https://github.com/eclipse/mosquitto/issues/2794 +[#1488]: https://github.com/eclipse/mosquitto/issues/1488 + diff --git a/www/posts/2023/08/version-2-0-17-released.md b/www/posts/2023/08/version-2-0-17-released.md new file mode 100644 index 00000000..4dd16a48 --- /dev/null +++ b/www/posts/2023/08/version-2-0-17-released.md @@ -0,0 +1,24 @@ + + +Version 2.0.16 of Mosquitto has been released. This is a bugfix release. + +Broker: +- Fix `max_queued_messages 0` stopping clients from receiving messages. + Closes [#2879]. +- Fix `max_inflight_messages` not being set correctly. Closes [#2876]. + +Apps: +- Fix `mosquitto_passwd -U` backup file creation. Closes [#2873]. + +[#2873]: https://github.com/eclipse/mosquitto/issues/2873 +[#2876]: https://github.com/eclipse/mosquitto/issues/2876 +[#2879]: https://github.com/eclipse/mosquitto/issues/2879
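Review bot: In the 2.0.16 post hunk, the link definition for `[CVE-2023-28366]` points at the wrong advisory: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27366` should end in `CVE-2023-28366`, otherwise readers following the security section land on an unrelated or nonexistent CVE record. Same hunk, smaller Markdown issues: `Closes #2354.` lacks the square brackets, so the `[#2354]` definition below is never used and no link renders; `[#2722]` is defined twice; and `[#1488]` is defined but referenced by no entry in the post. Suggest `Closes [#2354].`, dropping one of the `[#2722]` lines, and either dropping `[#1488]` or adding the entry it was meant for.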
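Review bot: In the 2.0.17 post hunk, the opening line reads `Version 2.0.16 of Mosquitto has been released.` but the file is `version-2-0-17-released.md` and the issues it closes (#2873, #2876, #2879) are the 2.0.17 fixes; change it to `Version 2.0.17 of Mosquitto has been released.` Minor: this post uses the plain `Broker:` / `Apps:` labels where the 2.0.16 post in the same commit uses `# Broker` / `# Apps` headings; using the same heading style keeps the two posts consistent when rendered on the site.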