Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package mosquitto for openSUSE:Factory checked in at 2021-10-12 23:16:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mosquitto (Old)
 and      /work/SRC/openSUSE:Factory/.mosquitto.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mosquitto"

Tue Oct 12 23:16:43 2021 rev:24 rq:924936 version:2.0.12

Changes:
--------
--- /work/SRC/openSUSE:Factory/mosquitto/mosquitto.changes	2021-10-08 00:07:32.685905313 +0200
+++ /work/SRC/openSUSE:Factory/.mosquitto.new.2443/mosquitto.changes	2021-10-12 23:16:46.174782033 +0200
@@ -7,0 +8,75 @@ +Wed Sep 1 19:18:24 UTC 2021 - Martin Hauke <[email protected]> + +- Update to version 2.0.12 + * Includes security fixes for + CVE-2021-34434 (bsc#1190048) and CVE-2020-13849 (bsc#1190101) + Security : + * An MQTT v5 client connecting with a large number of + user-property properties could cause excessive CPU usage, + leading to a loss of performance and possible denial of + service. This has been fixed. + * Fix `max_keepalive` not applying to MQTT v3.1.1 and v3.1 + connections. These clients are now rejected if their keepalive + value exceeds max_keepalive. This option allows CVE-2020-13849, + which is for the MQTT v3.1.1 protocol itself rather than an + implementation, to be addressed. + * Using certain listener related configuration options e.g. + `cafile`, that apply to the default listener without defining + any listener would cause a remotely accessible listener to be + opened that was not confined to the local machine but did have + anonymous access enabled, contrary to the documentation. + This has been fixed. Closes #2283. + * CVE-2021-34434: If a plugin had granted ACL subscription access + to a durable/non-clean-session client, then removed that + access,the client would keep its existing subscription. This + has been fixed. + * Incoming QoS 2 messages that had not completed the QoS flow + were not being checked for ACL access when a clean + session=False client was reconnecting. This has been fixed. + Broker: + * Fix possible out of bounds memory reads when reading a + corrupt/crafted configuration file. Unless your configuration + file is writable by untrusted users this is not a risk. + * Fix `max_connections` option not being correctly counted. + * Fix TLS certificates and TLS-PSK not being able to be + configured at the same time. + * Disable TLS v1.3 when using TLS-PSK, because it isn't correctly + configured. + * Fix `max_keepalive` not applying to MQTT v3.1.1 and v3.1 + connections. 
These clients are now rejected if their keepalive + value exceeds max_keepalive. + * Fix broker not quiting if e.g. the `password_file` is specified + as a directory. Closes #2241. + * Fix listener mount_point not being removed on outgoing messages. + * Strict protocol compliance fixes, plus test suite. + * Fix $share subscriptions not being recovered for durable + clients that reconnect. + * Update plugin configuration documentation. Closes #2286. + Client library: + * If a client uses TLS-PSK then force the default cipher list to + use "PSK" ciphers only. This means that a client connecting to + a broker configured with x509 certificates only will now fail. + Prior to this, the client would connect successfully without# + verifying certificates, because they were not configured. + * Disable TLS v1.3 when using TLS-PSK, because it isn't correctly + configured. + * Threaded mode is deconfigured when the mosquitto_loop_start() + thread ends, which allows mosquitto_loop_start() to be called + again. + * Fix MOSQ_OPT_SSL_CTX not being able to be set to NULL. + * Fix reconnecting failing when MOSQ_OPT_TLS_USE_OS_CERTS was in + use, but none of capath, cafile, psk, nor MOSQ_OPT_SSL_CTX were + set, and MOSQ_OPT_SSL_CTX_WITH_DEFAULTS was set to the default + value of true. + Apps: + * Fix `mosquitto_ctrl dynsec setDefaultACLAccess` command not + working. + Clients: + * Document TLS certificate behaviour when using `-p 8883`. + Build: + * Fix installation using WITH_TLS=no. Closes #2281. + * Fix builds with libressl 3.4.0. Closes #2198. + * Remove some unnecessary code guards related to libressl. + * Fix printf format build warning on MIPS. Closes #2271. 
+ +------------------------------------------------------------------- Old: ---- mosquitto-2.0.11.tar.gz mosquitto-2.0.11.tar.gz.sig New: ---- mosquitto-2.0.12.tar.gz mosquitto-2.0.12.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mosquitto.spec ++++++ --- /var/tmp/diff_new_pack.gRcE0L/_old 2021-10-12 23:16:46.874782906 +0200 +++ /var/tmp/diff_new_pack.gRcE0L/_new 2021-10-12 23:16:46.878782911 +0200 @@ -20,7 +20,7 @@ %define c_lib libmosquitto1 %define cpp_lib libmosquittopp1 Name: mosquitto -Version: 2.0.11 +Version: 2.0.12 Release: 0 Summary: A MQTT v3.1/v3.1.1 Broker License: EPL-1.0 ++++++ mosquitto-2.0.11.tar.gz -> mosquitto-2.0.12.tar.gz ++++++ ++++ 12151 lines of diff (skipped)
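Review bot: in the new mosquitto.changes entry, the item "Fix `max_keepalive` not applying to MQTT v3.1.1 and v3.1 connections. These clients are now rejected if their keepalive value exceeds max_keepalive." appears twice, once under "Security" (where it also explains its relation to CVE-2020-13849) and again under "Broker"; keeping only the Security copy would avoid the duplicate. The same entry also carries three typos worth fixing before check-in: "without#" (stray `#`) in the client-library TLS-PSK item, "access,the" missing a space in the CVE-2021-34434 item, and "quiting" for "quitting" in the `password_file` item.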
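Review bot: the mosquitto.spec hunk only bumps `Version:` from 2.0.11 to 2.0.12, but the unchanged context line `Summary: A MQTT v3.1/v3.1.1 Broker` is now stale: the changelog entry in this same request describes MQTT v5 client handling (the user-property CPU-usage fix), so consider updating the summary to mention MQTT v5 (and "An MQTT" rather than "A MQTT") in the same request. Since the 12151 lines of tarball diff are skipped, the CVE-2021-34434 and CVE-2020-13849 fixes are only verifiable from this log via the changelog text and the new mosquitto-2.0.12.tar.gz.sig signature listed under "New:".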
