Add website post and update downloads/security.

www/pages/download.md

@@ -11,8 +11,8 @@
 
 # Source
 
-* [mosquitto-1.5.2.tar.gz](http://mosquitto.org/files/source/mosquitto-1.5.2.tar.gz) (319kB) ([GPG signature](http://mosquitto.org/files/source/mosquitto-1.5.1.tar.gz.asc))
-* [mosquitto-1.5.2.tar.gz](http://www.eclipse.org/downloads/download.php?file=/mosquitto/source/mosquitto-1.5.2.tar.gz) (via Eclipse)
+* [mosquitto-1.5.3.tar.gz](http://mosquitto.org/files/source/mosquitto-1.5.3.tar.gz) (319kB) ([GPG signature](http://mosquitto.org/files/source/mosquitto-1.5.3.tar.gz.asc))
+* [mosquitto-1.5.3.tar.gz](http://www.eclipse.org/downloads/download.php?file=/mosquitto/source/mosquitto-1.5.3.tar.gz) (via Eclipse)
 * [Git source code repository](https://github.com/eclipse/mosquitto) (github.com)
 
 Older downloads are available at [http://mosquitto.org/files/](../files/)
@@ -25,10 +25,8 @@ distributions.
 
 ## Windows
 
-* [mosquitto-1.5.2-install-windows-x64.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win64/mosquitto-1.5.2-install-windows-x64.exe) (~360 kB) (64-bit build, Windows Vista and up, built with Visual Studio Community 2017)
-* [mosquitto-1.5.2-install-windows-x32.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win32/mosquitto-1.5.2-install-windows-x86.exe) (~360 kB) (32-bit build, Windows Vista and up, built with Visual Studio Community 2017)
-
-You will also need to install Win64 OpenSSL v1.1.0 Light or Win32OpenSSL v1.1.0 Light from [slproweb.com](http://slproweb.com/products/Win32OpenSSL.html)
+* [mosquitto-1.5.3-install-windows-x64.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win64/mosquitto-1.5.3-install-windows-x64.exe) (~360 kB) (64-bit build, Windows Vista and up, built with Visual Studio Community 2017)
+* [mosquitto-1.5.3-install-windows-x32.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win32/mosquitto-1.5.3-install-windows-x86.exe) (~360 kB) (32-bit build, Windows Vista and up, built with Visual Studio Community 2017)
 
 See also readme-windows.txt after installing.
 

www/pages/security.md

@@ -19,6 +19,8 @@ follow the steps on [Eclipse Security] page to report it.
 Listed with most recent first. Further information on security related issues
 can be found in the [security category].
 
+* September 2018: [CVE-2018-12543] affecting versions **1.5** to **1.5.2**
+  inclusive, fixed in **1.5.3**.
 * April 2018: [CVE-2017-7655] affecting versions **1.0** to **1.4.15**
   inclusive, fixed in **1.5**.
 * April 2018: [CVE-2017-7654] affecting versions **1.0** to **1.4.15**
@@ -40,6 +42,7 @@ can be found in the [security category].
   [security-advisory-cve-2017-7650].
 
 
+[security-advisory-cve-2018-12543]: /2018/09/security-advisory-cve-2018-12543/
 [security-advisory-cve-2017-7651-cve-2017-7652]: /2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
 [security-advisory-cve-2017-7650]: /2017/05/security-advisory-cve-2017-7650/
 [security-advisory-cve-2017-9868]: /2017/06/security-advisory-cve-2017-9868/
@@ -47,6 +50,7 @@ can be found in the [security category].
 [Eclipse Security]: https://www.eclipse.org/security/
 [security category]: /blog/categories/security/
 
+[CVE-2018-12543]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543
 [CVE-2017-9868]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868
 [CVE-2017-7655]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652
 [CVE-2017-7654]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652

www/posts/2018/09/security-advisory-cve-2018-12543.md

@@ -0,0 +1,59 @@
+<!--
+.. title: Security advisory: CVE-2018-12543
+.. slug: security-advisory-cve-2018-12543
+.. date: 2018-09-27 10:36:19 UTC+01:00
+.. tags: Security,Releases
+.. category:
+.. link:
+.. description:
+.. type: text
+-->
+
+Mosquitto 1.5.3 has been released to address a security vulnerability. It also
+includes other bug fixes.
+
+# CVE-2018-12543
+
+A vulnerability exists in Mosquitto versions 1.5 to 1.5.2 inclusive, known as
+[CVE-2018-12543].
+
+If a message received by the broker has a topic that begins with `$`, but that
+does not begin `$SYS`, an assert is triggered that should otherwise not be
+accessible, causing Mosquitto to exit.
+
+The issue is fixed in Mosquitto 1.5.3. Patches for older versions are
+available at <https://mosquitto.org/files/cve/2018-12543>
+
+The fix addresses the problem by reverting a commit that intended to remove
+some unused checks, but also stopped part of the topic hierarchy being created.
+
+# Version 1.5.3 Changes
+
+The complete list of fixes addressed in version 1.5.3 is:
+
+## Security
+
+* Fix [CVE-2018-12543]. If a message is sent to Mosquitto with a topic that
+  begins with `$`, but is not `$SYS`, then an assert that should be unreachable
+  is triggered and Mosquitto will exit.
+
+## Broker
+* Elevate log level to warning for situation when socket limit is hit.
+* Remove requirement to use `user root` in snap package config files.
+* Fix retained messages not sent by bridges on outgoing topics at the first
+  connection. Closes [#701].
+* Documentation fixes. Closes [#520], [#600].
+* Fix duplicate clients being added to by_id hash before the old client was
+  removed. Closes [#645].
+* Fix Windows version not starting if `include_dir` did not contain any files.
+  Closes [#566].
+
+## Build
+* Various fixes to ease building.
+
+[CVE-2018-12543]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543
+[#520]: https://github.com/eclipse/mosquitto/issues/520
+[#566]: https://github.com/eclipse/mosquitto/issues/566
+[#600]: https://github.com/eclipse/mosquitto/issues/600
+[#645]: https://github.com/eclipse/mosquitto/issues/645
+[#701]: https://github.com/eclipse/mosquitto/issues/701