Add website post and update downloads/security.
Parent: 1684feabe9
Commit: 46b943b077
@ -11,8 +11,8 @@
|
|||||||
|
|
||||||
# Source
|
# Source
|
||||||
|
|
||||||
* [mosquitto-1.5.2.tar.gz](http://mosquitto.org/files/source/mosquitto-1.5.2.tar.gz) (319kB) ([GPG signature](http://mosquitto.org/files/source/mosquitto-1.5.1.tar.gz.asc))
|
* [mosquitto-1.5.3.tar.gz](http://mosquitto.org/files/source/mosquitto-1.5.3.tar.gz) (319kB) ([GPG signature](http://mosquitto.org/files/source/mosquitto-1.5.3.tar.gz.asc))
|
||||||
* [mosquitto-1.5.2.tar.gz](http://www.eclipse.org/downloads/download.php?file=/mosquitto/source/mosquitto-1.5.2.tar.gz) (via Eclipse)
|
* [mosquitto-1.5.3.tar.gz](http://www.eclipse.org/downloads/download.php?file=/mosquitto/source/mosquitto-1.5.3.tar.gz) (via Eclipse)
|
||||||
* [Git source code repository](https://github.com/eclipse/mosquitto) (github.com)
|
* [Git source code repository](https://github.com/eclipse/mosquitto) (github.com)
|
||||||
|
|
||||||
Older downloads are available at [http://mosquitto.org/files/](../files/)
|
Older downloads are available at [http://mosquitto.org/files/](../files/)
|
||||||
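Review bot: The tarball and GPG signature links on the new `mosquitto-1.5.3.tar.gz` line are both plain `http://mosquitto.org/...`; switch them to `https://`, as the advisory added in this commit already does for `https://mosquitto.org/files/cve/2018-12543`. The `.asc` name now matches the tarball version (the old line paired 1.5.2 with `mosquitto-1.5.1.tar.gz.asc`), which is good. The size is still listed as 319kB, unchanged from 1.5.2, so please confirm it against the new file.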
@ -25,10 +25,8 @@ distributions.
|
|||||||
|
|
||||||
## Windows
|
## Windows
|
||||||
|
|
||||||
* [mosquitto-1.5.2-install-windows-x64.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win64/mosquitto-1.5.2-install-windows-x64.exe) (~360 kB) (64-bit build, Windows Vista and up, built with Visual Studio Community 2017)
|
* [mosquitto-1.5.3-install-windows-x64.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win64/mosquitto-1.5.3-install-windows-x64.exe) (~360 kB) (64-bit build, Windows Vista and up, built with Visual Studio Community 2017)
|
||||||
* [mosquitto-1.5.2-install-windows-x32.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win32/mosquitto-1.5.2-install-windows-x86.exe) (~360 kB) (32-bit build, Windows Vista and up, built with Visual Studio Community 2017)
|
* [mosquitto-1.5.3-install-windows-x32.exe](http://www.eclipse.org/downloads/download.php?file=/mosquitto/binary/win32/mosquitto-1.5.3-install-windows-x86.exe) (~360 kB) (32-bit build, Windows Vista and up, built with Visual Studio Community 2017)
|
||||||
|
|
||||||
You will also need to install Win64 OpenSSL v1.1.0 Light or Win32OpenSSL v1.1.0 Light from [slproweb.com](http://slproweb.com/products/Win32OpenSSL.html)
|
|
||||||
|
|
||||||
See also readme-windows.txt after installing.
|
See also readme-windows.txt after installing.
|
||||||
|
|
||||||
|
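Review bot: The line telling Windows users to install Win64 or Win32 OpenSSL v1.1.0 Light from slproweb.com is dropped in this hunk, and the commit message does not say why. If the 1.5.3 installers still depend on an external OpenSSL, this removes the only pointer to it on the page, so either keep the line or state the reason in the commit message. Separately, the 32-bit link text reads `mosquitto-1.5.3-install-windows-x32.exe` while its URL targets `mosquitto-1.5.3-install-windows-x86.exe`; make the label match the file name.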
@ -19,6 +19,8 @@ follow the steps on [Eclipse Security] page to report it.
|
|||||||
Listed with most recent first. Further information on security related issues
|
Listed with most recent first. Further information on security related issues
|
||||||
can be found in the [security category].
|
can be found in the [security category].
|
||||||
|
|
||||||
|
* September 2018: [CVE-2018-12543] affecting versions **1.5** to **1.5.2**
|
||||||
|
inclusive, fixed in **1.5.3**.
|
||||||
* April 2018: [CVE-2017-7655] affecting versions **1.0** to **1.4.15**
|
* April 2018: [CVE-2017-7655] affecting versions **1.0** to **1.4.15**
|
||||||
inclusive, fixed in **1.5**.
|
inclusive, fixed in **1.5**.
|
||||||
* April 2018: [CVE-2017-7654] affecting versions **1.0** to **1.4.15**
|
* April 2018: [CVE-2017-7654] affecting versions **1.0** to **1.4.15**
|
||||||
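Review bot: The new September 2018 entry links only to the CVE record and never references the advisory post, although `[security-advisory-cve-2018-12543]` is defined further down in this file by the same commit. Add a pointer to the advisory in the entry so that definition is actually used and readers can reach the fix details from the list.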
@ -40,6 +42,7 @@ can be found in the [security category].
|
|||||||
[security-advisory-cve-2017-7650].
|
[security-advisory-cve-2017-7650].
|
||||||
|
|
||||||
|
|
||||||
|
[security-advisory-cve-2018-12543]: /2018/09/security-advisory-cve-2018-12543/
|
||||||
[security-advisory-cve-2017-7651-cve-2017-7652]: /2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
|
[security-advisory-cve-2017-7651-cve-2017-7652]: /2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
|
||||||
[security-advisory-cve-2017-7650]: /2017/05/security-advisory-cve-2017-7650/
|
[security-advisory-cve-2017-7650]: /2017/05/security-advisory-cve-2017-7650/
|
||||||
[security-advisory-cve-2017-9868]: /2017/06/security-advisory-cve-2017-9868/
|
[security-advisory-cve-2017-9868]: /2017/06/security-advisory-cve-2017-9868/
|
||||||
@ -47,6 +50,7 @@ can be found in the [security category].
|
|||||||
[Eclipse Security]: https://www.eclipse.org/security/
|
[Eclipse Security]: https://www.eclipse.org/security/
|
||||||
[security category]: /blog/categories/security/
|
[security category]: /blog/categories/security/
|
||||||
|
|
||||||
|
[CVE-2018-12543]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543
|
||||||
[CVE-2017-9868]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868
|
[CVE-2017-9868]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868
|
||||||
[CVE-2017-7655]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652
|
[CVE-2017-7655]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652
|
||||||
[CVE-2017-7654]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652
|
[CVE-2017-7654]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652
|
||||||
|
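Review bot: The context lines directly below the added `[CVE-2018-12543]` definition show `[CVE-2017-7655]` and `[CVE-2017-7654]` both resolving to `name=CVE-2017-7652`, so two entries on the security page lead to the wrong CVE record. Since this block is being edited anyway, point each definition at its own identifier in the same commit. The new definition here uses `https://cve.mitre.org/...` while the one in the advisory post uses `http://`; use `https://` in both.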
59
www/posts/2018/09/security-advisory-cve-2018-12543.md
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
<!--
|
||||||
|
.. title: Security advisory: CVE-2018-12543
|
||||||
|
.. slug: security-advisory-cve-2018-12543
|
||||||
|
.. date: 2018-09-27 10:36:19 UTC+01:00
|
||||||
|
.. tags: Security,Releases
|
||||||
|
.. category:
|
||||||
|
.. link:
|
||||||
|
.. description:
|
||||||
|
.. type: text
|
||||||
|
-->
|
||||||
|
|
||||||
|
Mosquitto 1.5.3 has been released to address a security vulnerability. It also
|
||||||
|
includes other bug fixes.
|
||||||
|
|
||||||
|
# CVE-2018-12543
|
||||||
|
|
||||||
|
A vulnerability exists in Mosquitto versions 1.5 to 1.5.2 inclusive, known as
|
||||||
|
[CVE-2018-12543].
|
||||||
|
|
||||||
|
If a message received by the broker has a topic that begins with `$`, but that
|
||||||
|
does not begin `$SYS`, an assert is triggered that should otherwise not be
|
||||||
|
accessible, causing Mosquitto to exit.
|
||||||
|
|
||||||
|
The issue is fixed in Mosquitto 1.5.3. Patches for older versions are
|
||||||
|
available at <https://mosquitto.org/files/cve/2018-12543>
|
||||||
|
|
||||||
|
The fix addresses the problem by reverting a commit that intended to remove
|
||||||
|
some unused checks, but also stopped part of the topic hierarchy being created.
|
||||||
|
|
||||||
|
# Version 1.5.3 Changes
|
||||||
|
|
||||||
|
The complete list of fixes addressed in version 1.5.3 is:
|
||||||
|
|
||||||
|
## Security
|
||||||
|
|
||||||
|
* Fix [CVE-2018-12543]. If a message is sent to Mosquitto with a topic that
|
||||||
|
begins with `$`, but is not `$SYS`, then an assert that should be unreachable
|
||||||
|
is triggered and Mosquitto will exit.
|
||||||
|
|
||||||
|
## Broker
|
||||||
|
* Elevate log level to warning for situation when socket limit is hit.
|
||||||
|
* Remove requirement to use `user root` in snap package config files.
|
||||||
|
* Fix retained messages not sent by bridges on outgoing topics at the first
|
||||||
|
connection. Closes [#701].
|
||||||
|
* Documentation fixes. Closes [#520], [#600].
|
||||||
|
* Fix duplicate clients being added to by_id hash before the old client was
|
||||||
|
removed. Closes [#645].
|
||||||
|
* Fix Windows version not starting if `include_dir` did not contain any files.
|
||||||
|
Closes [#566].
|
||||||
|
|
||||||
|
## Build
|
||||||
|
* Various fixes to ease building.
|
||||||
|
|
||||||
|
[CVE-2018-12543]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543
|
||||||
|
[#520]: https://github.com/eclipse/mosquitto/issues/520
|
||||||
|
[#566]: https://github.com/eclipse/mosquitto/issues/566
|
||||||
|
[#600]: https://github.com/eclipse/mosquitto/issues/600
|
||||||
|
[#645]: https://github.com/eclipse/mosquitto/issues/645
|
||||||
|
[#701]: https://github.com/eclipse/mosquitto/issues/701
|
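Review bot: The trigger condition is worded two ways in this post: the CVE section says the topic begins with `$` but does not begin `$SYS`, while the Security changelog entry says it begins with `$` "but is not `$SYS`". The two readings differ for any topic that starts with `$SYS` and continues, so use the first wording in both places. It would also help operators if the advisory said which clients can deliver such a message to the broker, and the sentence ending in `<https://mosquitto.org/files/cve/2018-12543>` is missing its full stop.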