debian/0000775000000000000000000000000013343561534007177 5ustar debian/mosquitto-clients.install0000664000000000000000000000016211702527514014266 0ustar usr/bin/mosquitto_pub usr/bin/mosquitto_sub usr/share/man/man1/mosquitto_pub.1 usr/share/man/man1/mosquitto_sub.1 debian/libmosquittopp0.symbols0000664000000000000000000000337611702527514013772 0ustar libmosquittopp.so.0 libmosquittopp0 #MINVER# _ZN11mosquittopp11mosquittopp10disconnectEv@Base 0.13 _ZN11mosquittopp11mosquittopp10loop_writeEv@Base 0.13 _ZN11mosquittopp11mosquittopp10on_connectEi@Base 0.13 _ZN11mosquittopp11mosquittopp10on_messageEPK17mosquitto_message@Base 0.13 _ZN11mosquittopp11mosquittopp10on_publishEt@Base 0.13 _ZN11mosquittopp11mosquittopp11lib_cleanupEv@Base 0.13 _ZN11mosquittopp11mosquittopp11lib_versionEPiS1_S1_@Base 0.13 _ZN11mosquittopp11mosquittopp11unsubscribeEPtPKc@Base 0.13 _ZN11mosquittopp11mosquittopp12on_subscribeEtiPKh@Base 0.13 _ZN11mosquittopp11mosquittopp13on_disconnectEv@Base 0.13 _ZN11mosquittopp11mosquittopp14on_unsubscribeEt@Base 0.13 _ZN11mosquittopp11mosquittopp15username_pw_setEPKcS2_@Base 0.13 _ZN11mosquittopp11mosquittopp17message_retry_setEj@Base 0.13 _ZN11mosquittopp11mosquittopp4loopEi@Base 0.13 _ZN11mosquittopp11mosquittopp6socketEv@Base 0.13 _ZN11mosquittopp11mosquittopp7connectEPKciib@Base 0.13 _ZN11mosquittopp11mosquittopp7publishEPtPKcjPKhib@Base 0.13 _ZN11mosquittopp11mosquittopp8lib_initEv@Base 0.13 _ZN11mosquittopp11mosquittopp8log_initEii@Base 0.13 _ZN11mosquittopp11mosquittopp8on_errorEv@Base 0.13 _ZN11mosquittopp11mosquittopp8will_setEbPKcjPKhib@Base 0.13 _ZN11mosquittopp11mosquittopp9loop_miscEv@Base 0.13 _ZN11mosquittopp11mosquittopp9loop_readEv@Base 0.13 _ZN11mosquittopp11mosquittopp9reconnectEv@Base 0.13 _ZN11mosquittopp11mosquittopp9subscribeEPtPKci@Base 0.13 _ZN11mosquittopp11mosquittoppC1EPKc@Base 0.13 _ZN11mosquittopp11mosquittoppC2EPKc@Base 0.13 _ZN11mosquittopp11mosquittoppD1Ev@Base 0.13 _ZN11mosquittopp11mosquittoppD2Ev@Base 0.13 
_ZTIN11mosquittopp11mosquittoppE@Base 0.13 _ZTSN11mosquittopp11mosquittoppE@Base 0.13 _ZTVN11mosquittopp11mosquittoppE@Base 0.13 debian/mosquitto.postinst0000664000000000000000000000133413343553522013047 0ustar #!/bin/sh # postinst script for mosquitto # # see: dh_installdeb(1) set -e setup_mosquitto_user() { if ! getent passwd mosquitto >/dev/null; then adduser --quiet --system --no-create-home --home /var/lib/mosquitto --shell /usr/sbin/nologin mosquitto fi } fix_permissions() { chown mosquitto /var/lib/mosquitto } case "$1" in configure) setup_mosquitto_user fix_permissions ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # Reload AppArmor profile APP_PROFILE="/etc/apparmor.d/usr.sbin.mosquitto" if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then apparmor_parser -r "$APP_PROFILE" || true fi #DEBHELPER# exit 0 debian/mosquitto.docs0000664000000000000000000000003111702527514012104 0ustar compiling.txt readme.txt debian/mosquitto.postrm0000664000000000000000000000115113343553576012516 0ustar #!/bin/sh # postrm script for mosquitto # # see: dh_installdeb(1) set -e case "$1" in purge) rm -f /var/lib/mosquitto/mosquitto.db if [ -d /var/lib/mosquitto ]; then rmdir --ignore-fail-on-non-empty /var/lib/mosquitto fi APP_PROFILE="usr.sbin.mosquitto" rm -f /etc/apparmor.d/disable/$APP_PROFILE >/dev/null 2>&1 || true ;; remove|abort-install|abort-upgrade|disappear) if which deluser >/dev/null 2>&1; then deluser --quiet mosquitto > /dev/null || true fi ;; upgrade|failed-upgrade) ;; *) echo "postrm called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 debian/mosquitto.install0000664000000000000000000000021511702527514012626 0ustar usr/sbin/mosquitto etc/mosquitto/mosquitto.conf usr/share/man/man8/mosquitto.8 usr/share/man/man5/mosquitto.conf.5 usr/share/man/man7/mqtt.7 debian/mosquitto.prerm0000664000000000000000000000063611702527514012314 0ustar #!/bin/sh # prerm 
script for mosquitto # # see: dh_installdeb(1) set -e case "$1" in remove|purge|deconfigure) if [ -x /etc/init.d/mosquitto ]; then if [ -x /usr/sbin/invoke-rc.d ]; then invoke-rc.d mosquitto stop else /etc/init.d/mosquitto stop fi fi ;; upgrade) ;; failed-upgrade) ;; *) echo "prerm called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 debian/python-mosquitto.install0000664000000000000000000000013112067602700014136 0ustar usr/lib/python*/*-packages/mosquitto.py* usr/lib/python*/*-packages/mosquitto-*.egg-info debian/README.Debian0000664000000000000000000000051513343554503011237 0ustar Apparmor Profile ---------------- If your system uses AppArmor, please note that the shipped enforcing profile works with the default installation, and changes in your configuration may require changes to the installed apparmor profile. Please see https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this software. debian/mosquitto.upstart0000664000000000000000000000025013343553646012671 0ustar description "Mosquitto MQTT broker" author "Roger Light " start on net-device-up respawn exec /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf debian/libmosquitto0-dev.install0000664000000000000000000000012211702527514014146 0ustar usr/share/man/man3/libmosquitto.3 usr/include/mosquitto.h usr/lib/libmosquitto.so debian/patches/0000775000000000000000000000000013343555036010626 5ustar debian/patches/enable-libwrap.patch0000664000000000000000000000106311714567121014531 0ustar Description: Enable compile-time support for tcp-wrappers. Author: Roger Light Forwarded: not-needed --- a/config.h +++ b/config.h @@ -10,7 +10,7 @@ /* Uncomment to compile with tcpd/libwrap support. */ -//#define WITH_WRAP +#define WITH_WRAP /* Compile with database upgrading support? If disabled, mosquitto won't * automatically upgrade old database versions. */ --- a/config.mk +++ b/config.mk 
@@ -14,7 +14,7 @@ LIBS= endif -LDFLAGS= +LDFLAGS=-lwrap # Add -lwrap to LDFLAGS if compiling with tcp wrappers support. CC=gcc debian/patches/bug-acl-patterns.patch0000664000000000000000000000130412067622163015013 0ustar Description: Fix the possibility of topic access being granted when only acl_patterns is in use. Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696895 Author: Roger Light Forwarded: not-needed Origin: upstream, https://bitbucket.org/oojah/mosquitto/commits/e94254158103f8125e50b7b2fd8c292027da0354 --- a/src/security.c +++ b/src/security.c @@ -283,7 +283,7 @@ struct _mosquitto_acl *acl_root, *acl_tail; if(!db || !context || !topic) return MOSQ_ERR_INVAL; - if(!db->acl_list) return MOSQ_ERR_SUCCESS; + if(!db->acl_list && !db->acl_patterns) return MOSQ_ERR_SUCCESS; if(!context->acl_list && !db->acl_patterns) return MOSQ_ERR_ACL_DENIED; if(context->acl_list){ debian/patches/mosquitto-0.15_cve-2017-7650.patch0000664000000000000000000000242013343554137016116 0ustar Description: Fix for CVE-207-7650. Author: Roger Light Forwarded: not-needed Origin: upstream, https://mosquitto.org/files/cve/2017-7650/mosquitto-0.15_cve-2017-7650.patch --- a/src/security.c 2017-05-23 21:38:30.143209629 +0100 +++ b/src/security.c 2017-05-23 21:40:24.209911878 +0100 
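Review bot: In the src/security.c hunk of bug-acl-patterns.patch, the two early returns encode the access policy but carry no comment. The first allows every topic when neither `db->acl_list` nor `db->acl_patterns` is set, and the second denies when the client has no ACL entries and no patterns exist. A one-line comment above each, such as `/* No ACLs configured at all: access control is disabled, allow. */`, would make the fail-open default explicit to whoever next edits this check. The function starts and ends outside the hunk.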
@@ -346,6 +346,27 @@ } acl_root = db->acl_patterns; + + if(acl_root){ + /* We are using pattern based acls. Check whether the username or + * client id contains a +, # or / and if so deny access. + * + * Without this, a malicious client may configure its username/client + * id to bypass ACL checks (or have a username/client id that cannot + * publish or receive messages to its own place in the hierarchy). + */ + if(context->username && strpbrk(context->username, "+#/")){ + _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", context->username); + return MOSQ_ERR_ACL_DENIED; + } + + if(context->id && strpbrk(context->id, "+#/")){ + _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id); + return MOSQ_ERR_ACL_DENIED; + } + } + + /* Loop through all pattern ACLs. */ while(acl_root){ local_topic = _mosquitto_strdup(topic); debian/patches/mosquitto-0.15_cve-2017-7651.patch0000664000000000000000000001032113256711126016112 0ustar Index: mosquitto-0.15/lib/memory_mosq.c =================================================================== --- mosquitto-0.15.orig/lib/memory_mosq.c 2018-03-28 14:57:21.805254112 +0200 +++ mosquitto-0.15/lib/memory_mosq.c 2018-03-28 14:57:21.777254112 +0200 @@ -49,8 +49,32 @@ static unsigned long max_memcount = 0; #endif +#ifdef WITH_BROKER +static size_t mem_limit = 0; +void memory__set_limit(size_t lim) +{ +#ifdef LINUX + struct rlimit r; + + r.rlim_cur = lim; + r.rlim_max = lim; + + setrlimit(RLIMIT_CPU, &r); + + mem_limit = 0; +#else + mem_limit = lim; +#endif +} +#endif + void *_mosquitto_calloc(size_t nmemb, size_t size) { +#ifdef REAL_WITH_MEMORY_TRACKING + if(mem_limit && memcount + size > mem_limit){ + return NULL; + } +#endif void *mem = calloc(nmemb, size); #ifdef REAL_WITH_MEMORY_TRACKING 
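Review bot: In the src/security.c hunk of mosquitto-0.15_cve-2017-7650.patch, both new `_mosquitto_log_printf` calls write the client-supplied username or client id into the log with a bare `%s`. A name containing newlines or other control characters can therefore forge or break log lines, unless the logger escapes them, which is not visible here. The value is already known to be untrustworthy at this point, so consider escaping non-printable bytes before logging, or logging a fixed message such as `"ACL denying access to client with dangerous username"` alongside `context->address`. The check also sits on the ACL evaluation path, so a rejected client appears to produce one NOTICE per check; rejecting such names once when the client connects would be quieter, though that code is outside this hunk.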
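Review bot: In the first lib/memory_mosq.c hunk, `memory__set_limit()` passes the configured byte count to `setrlimit(RLIMIT_CPU, &r)`, which is the CPU-time resource rather than a memory one, and then sets `mem_limit = 0`. When `LINUX` is defined the memory cap is therefore not applied, the `mem_limit` checks this patch adds to the allocators never trigger, and the process instead gets a CPU-time limit of `lim` seconds. If an rlimit is wanted it should be a memory resource such as `RLIMIT_AS` with the return value checked; otherwise the body can simply be `mem_limit = lim;` on every platform. Separately, the new guard in `_mosquitto_calloc` compares `memcount + size` and ignores `nmemb`; it should account for `nmemb * size`. Whether `<sys/resource.h>` is included is not visible in the hunk.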
@@ -73,6 +97,11 @@ void *_mosquitto_malloc(size_t size) { +#ifdef REAL_WITH_MEMORY_TRACKING + if(mem_limit && memcount + size > mem_limit){ + return NULL; + } +#endif void *mem = malloc(size); #ifdef REAL_WITH_MEMORY_TRACKING @@ -99,6 +128,11 @@ void *_mosquitto_realloc(void *ptr, size_t size) { +#ifdef REAL_WITH_MEMORY_TRACKING + if(mem_limit && memcount + size > mem_limit){ + return NULL; + } +#endif void *mem; #ifdef REAL_WITH_MEMORY_TRACKING if(ptr){ @@ -119,6 +153,11 @@ char *_mosquitto_strdup(const char *s) { +#ifdef REAL_WITH_MEMORY_TRACKING + if(mem_limit && memcount + strlen(s) > mem_limit){ + return NULL; + } +#endif char *str = strdup(s); #ifdef REAL_WITH_MEMORY_TRACKING Index: mosquitto-0.15/lib/memory_mosq.h =================================================================== --- mosquitto-0.15.orig/lib/memory_mosq.h 2018-03-28 14:57:21.805254112 +0200 +++ mosquitto-0.15/lib/memory_mosq.h 2018-03-28 14:57:21.777254112 +0200 @@ -46,4 +46,8 @@ void *_mosquitto_realloc(void *ptr, size_t size); char *_mosquitto_strdup(const char *s); +#ifdef WITH_BROKER +void memory__set_limit(size_t lim); +#endif + #endif Index: mosquitto-0.15/lib/net_mosq.c =================================================================== --- mosquitto-0.15.orig/lib/net_mosq.c 2018-03-28 14:57:21.805254112 +0200 +++ mosquitto-0.15/lib/net_mosq.c 2018-03-28 14:57:21.777254112 +0200 
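Review bot: In the `_mosquitto_realloc` hunk of lib/memory_mosq.c, the guard `memcount + size > mem_limit` runs before the existing `if(ptr){` adjustment. The full new size is therefore added to a `memcount` that presumably still includes the old block, so a resize is counted twice and even a shrinking realloc can be refused near the limit. Moving the check after the old block has been subtracted, or comparing only the growth, would avoid those spurious failures. The `_mosquitto_strdup` hunk has a smaller accounting slip: `strlen(s)` omits the terminating byte, so `strlen(s) + 1` matches what `strdup` allocates. Both function bodies continue outside their hunks.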
@@ -581,6 +581,36 @@ } }while((byte & 128) != 0); +#ifdef WITH_BROKER + /* Check packet sizes before allocating memory. + * Will need modifying for MQTT v5. */ + switch(mosq->in_packet.command & 0xF0){ + case CONNECT: + if(mosq->in_packet.remaining_length > 327699){ + return MOSQ_ERR_PROTOCOL; + } + break; + + case PUBACK: + case PUBREC: + case PUBREL: + case PUBCOMP: + case UNSUBACK: + if(mosq->in_packet.remaining_length != 2){ + return MOSQ_ERR_PROTOCOL; + } + break; + + case PINGREQ: + case PINGRESP: + case DISCONNECT: + if(mosq->in_packet.remaining_length != 0){ + return MOSQ_ERR_PROTOCOL; + } + break; + } +#endif + if(mosq->in_packet.remaining_length > 0){ mosq->in_packet.payload = _mosquitto_malloc(mosq->in_packet.remaining_length*sizeof(uint8_t)); if(!mosq->in_packet.payload) return MOSQ_ERR_NOMEM; Index: mosquitto-0.15/src/conf.c =================================================================== --- mosquitto-0.15.orig/src/conf.c 2018-03-28 14:57:21.805254112 +0200 +++ mosquitto-0.15/src/conf.c 2018-03-28 15:02:11.581254540 +0200 @@ -548,6 +548,14 @@ }else{ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty max_queued_messages value in configuration."); } + }else if(!strcmp(token, "memory_limit")){ + size_t lim; + if(_conf_parse_int(&token, "memory_limit", (int *)&lim)) return MOSQ_ERR_INVAL; + if(lim < 0){ + _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid memory_limit value (%lu).", lim); + return MOSQ_ERR_INVAL; + } + memory__set_limit(lim); }else if(!strcmp(token, "mount_point")){ if(reload) continue; // Listeners not valid for reloading. if(config->listener_count == 0){ debian/patches/mosquitto-0.15_cve-2017-9868.patch0000664000000000000000000000110113124143106016111 0ustar --- a/src/persist.c +++ b/src/persist.c 
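Review bot: In the lib/net_mosq.c hunk, the new `switch` bounds CONNECT and the fixed-size packet types, but it has no `default:` arm. Every other command still reaches `_mosquitto_malloc(mosq->in_packet.remaining_length*sizeof(uint8_t))` with a client-declared length. If this read path can run before the broker has accepted a CONNECT, which is not visible here, the only bound on that allocation is the optional `memory_limit` setting. A short comment stating which packet types are intentionally left unbounded, and a named constant with its derivation in place of the bare `327699`, would document that decision. The function continues outside the hunk.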
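Review bot: In the `memory_limit` branch added to src/conf.c, `lim` is an uninitialised `size_t` whose address is cast to `int *` for `_conf_parse_int`. Where `size_t` is wider than `int`, only part of it is written and the rest is indeterminate. Also, `lim < 0` can never be true for an unsigned type, so a negative value in the configuration file is not rejected and would be passed on as a very large limit. Declaring `int lim;`, logging with `%d`, and calling `memory__set_limit((size_t)lim);` keeps the parse, the range check and the format specifier consistent. The enclosing `else if` chain starts and ends outside the hunk.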
@@ -336,6 +336,7 @@ uint32_t i32temp; uint16_t i16temp; uint8_t i8temp; + mode_t mode; if(!db || !db->config || !db->config->persistence_filepath) return MOSQ_ERR_INVAL; _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Saving in-memory database to %s.", db->config->persistence_filepath); @@ -343,7 +344,11 @@ mqtt3_db_store_clean(db); } + /* Restrict access to persistence file. */ + mode = umask(0077); db_fptr = fopen(db->config->persistence_filepath, "wb"); + umask(mode); + if(db_fptr == NULL){ goto error; } debian/patches/fix-prefix.patch0000664000000000000000000000101311714567131013722 0ustar Description: Install to /usr instead of /usr/local Author: Roger Light Forwarded: not-needed --- a/client/Makefile +++ b/client/Makefile @@ -2,7 +2,7 @@ CFLAGS=-I../lib -Wall -ggdb LDFLAGS=-L../lib ../lib/libmosquitto.so.0 INSTALL=install -prefix=/usr/local +prefix=/usr .PHONY: all install uninstall clean --- a/config.mk +++ b/config.mk @@ -24,6 +24,6 @@ MSGFMT=msgfmt DOCBOOK2MAN=docbook2man.pl -prefix=/usr/local +prefix=/usr mandir=${prefix}/share/man localedir=${prefix}/share/locale debian/patches/bug-proto-number.patch0000664000000000000000000000130212067622614015046 0ustar Description: Fix crash and simple DoS if an invalid protocol version is provided by a client. Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696889 Author: Roger Light Forwarded: not-needed Origin: upstream, https://bitbucket.org/oojah/mosquitto/commits/55ab9587dcd575f8434fc22b141b40978158afd3 --- a/src/read_handle_server.c +++ b/src/read_handle_server.c 
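Review bot: In the second src/persist.c hunk, `umask(0077)` only influences the mode of a file that `fopen(..., "wb")` creates. A persistence file that already exists from before the upgrade is truncated and rewritten with its old, possibly world-readable, permissions. Tightening the mode on the open stream, e.g. `if(db_fptr) fchmod(fileno(db_fptr), S_IRUSR|S_IWUSR);`, or correcting the existing file from the package's postinst, would cover upgraded installs as well as fresh ones. `umask()` is also process-wide, which matters if anything else can create files between the two calls; whether that applies to this broker is not visible here. The function continues outside the hunk.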
@@ -90,7 +90,6 @@ _mosquitto_log_printf(NULL, MOSQ_LOG_INFO, "Invalid protocol version %d in CONNECT from %s.", protocol_version, context->address); } - _mosquitto_free(protocol_name); _mosquitto_send_connack(context, 1); mqtt3_context_disconnect(db, context_index); return MOSQ_ERR_PROTOCOL; debian/patches/series0000664000000000000000000000045413343554746012055 0ustar fix-prefix.patch mosquitto.conf.patch enable-libwrap.patch bug-proto-number.patch bug-persistence-reloading.patch bug-acl-patterns.patch install-apparmor.patch mosquitto-0.15_cve-2017-7650.patch mosquitto-0.15_cve-2017-9868.patch mosquitto-0.15_cve-2017-7652.patch mosquitto-0.15_cve-2017-7651.patch debian/patches/mosquitto.conf.patch0000664000000000000000000000206411714567125014643 0ustar Description: Configure sensible values for daemon. Author: Roger Light Forwarded: not-needed --- a/mosquitto.conf +++ b/mosquitto.conf @@ -121,7 +121,7 @@ # subscriptions, currently in-flight messages and retained # messages. # retained_persistence is a synonym for this option. -#persistence false +persistence true # The filename to use for the persistent database, not including # the path. @@ -130,7 +130,7 @@ # Location for persistent database. Must include trailing / # Default is an empty string (current directory). # Set to /var/lib/mosquitto/ if running as a proper service. -#persistence_location +persistence_location /var/lib/mosquitto/ # ================================================================= # Logging 
@@ -146,7 +146,7 @@ # where severity is one of D, E, W, N, I which are debug, error, # warning, notice and information. # Use "log_dest none" if you wish to disable logging. -#log_dest stderr +log_dest none # Types of messages to log. Use multiple log_type lines for logging # multiple types of messages. debian/patches/mosquitto-0.15_cve-2017-7652.patch0000664000000000000000000000174213257661301016122 0ustar Index: mosquitto-0.15/src/conf.c =================================================================== --- mosquitto-0.15.orig/src/conf.c 2018-03-31 12:24:03.000000000 +0200 +++ mosquitto-0.15/src/conf.c 2018-03-31 12:28:15.169624259 +0200 @@ -265,14 +265,21 @@ if(!config->config_file) return 0; +/* + * in order to avoid CVE-2017-7652, we first try to open the config file + * and afterwards init and read in the stuff + * as this is only one function, mqtt3_config_read(), doing this config + * file reading, this is easier than totally reworking config file + * reading + */ + fptr = fopen(config->config_file, "rt"); + if(!fptr) return 1; + if(reload){ /* Re-initialise appropriate config vars to default for reload. */ _config_init_reload(config); } - fptr = fopen(config->config_file, "rt"); - if(!fptr) return 1; - while(fgets(buf, 1024, fptr)){ if(buf[0] != '#' && buf[0] != 10 && buf[0] != 13){ while(buf[strlen(buf)-1] == 10 || buf[strlen(buf)-1] == 13){ debian/patches/install-apparmor.patch0000664000000000000000000000110213343553745015133 0ustar Description: Install upstream provided apparmor profile. Author: Roger Light --- a/Makefile +++ b/Makefile 
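Review bot: The third mosquitto.conf hunk ships `log_dest none` as the packaged default. On a default install no broker message is recorded, including denials such as the ACL notices that src/security.c emits elsewhere in this package. An operator investigating a rejected or misbehaving client then has no record to work from. Unless stderr is truly unusable under the service manager, consider a destination that is retained, for example `log_dest syslog` if this version supports it, and state the reason for the choice in the patch Description.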
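Review bot: In the src/conf.c hunk of mosquitto-0.15_cve-2017-7652.patch, a failed `fopen` during a reload now returns 1 before the defaults are reset. That is the intended fix, but it happens silently, so nothing tells the operator that the reload was skipped and the old settings are still in force. A log call before the return, e.g. `_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to open configuration file %s.", config->config_file);`, would make that visible, unless the caller already reports it, which cannot be seen here. The new block comment would also read better indented with the code and stating the invariant (open the file before resetting to defaults) rather than the history of the change. The function continues past the end of the hunk.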
@@ -23,6 +23,8 @@ $(INSTALL) -m 644 mosquitto.conf ${DESTDIR}/etc/mosquitto/mosquitto.conf $(INSTALL) -m 644 aclfile.example ${DESTDIR}/etc/mosquitto/aclfile.example $(INSTALL) -m 644 pwfile.example ${DESTDIR}/etc/mosquitto/pwfile.example + $(INSTALL) -d ${DESTDIR}/etc/apparmor.d + $(INSTALL) -m 644 security/mosquitto.apparmor ${DESTDIR}/etc/apparmor.d/usr.sbin.mosquitto uninstall : @for d in ${DIRS}; do $(MAKE) -C $${d} uninstall; done debian/patches/bug-persistence-reloading.patch0000664000000000000000000000177212067622114016711 0ustar Description: Fix persistence option reloading. Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696891 Author: Roger Light Forwarded: not-needed Origin: upstream, https://bitbucket.org/oojah/mosquitto/commits/12bc254794c07b348e709a459b4fe7286ccf9470 --- a/src/conf.c +++ b/src/conf.c 
@@ -602,10 +602,8 @@ }else if(!strcmp(token, "persistence") || !strcmp(token, "retained_persistence")){ if(_conf_parse_bool(&token, token, &config->persistence)) return MOSQ_ERR_INVAL; }else if(!strcmp(token, "persistence_file")){ - if(reload) continue; // FIXME if(_conf_parse_string(&token, "persistence_file", &config->persistence_file)) return MOSQ_ERR_INVAL; }else if(!strcmp(token, "persistence_location")){ - if(reload) continue; // FIXME if(_conf_parse_string(&token, "persistence_location", &config->persistence_location)) return MOSQ_ERR_INVAL; }else if(!strcmp(token, "pid_file")){ if(reload) continue; // pid file not valid for reloading. debian/copyright0000664000000000000000000000331011714565623011132 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: mosquitto Upstream-Contact: Roger A. Light Source: http://mosquitto.org/files/source/ Files: * Copyright: 2009-2012 Roger A. Light License: BSD-3-clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of mosquitto nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. debian/source/0000775000000000000000000000000011702527514010474 5ustar debian/source/format0000664000000000000000000000001411702527514011702 0ustar 3.0 (quilt) debian/changelog0000664000000000000000000001110613343561534011050 0ustar mosquitto (0.15-2+deb7u3ubuntu0.1) trusty-security; urgency=medium * Merge from Debian. Remaining changes: - Install apparmor profile. - Replace init script with upstart script. -- Eduardo Barretto Tue, 04 Sep 2018 16:54:44 -0300 mosquitto (0.15-2+deb7u3) wheezy-security; urgency=high * Non-maintainer upload by the Wheezy LTS Team. * CVE-2017-7651 fix to avoid extraordinary memory consumption by crafted CONNECT packet from unauthenticated client * CVE-2017-7652 in case all sockets/file descriptors are exhausted, this is a fix to avoid default config values after reloading configuration by SIGHUP signal -- Thorsten Alteholz Sat, 31 Mar 2018 12:03:02 +0100 mosquitto (0.15-2+deb7u2) wheezy-security; urgency=high * SECURITY UPDATE: Persistence file is world readable, which may expose sensitive data. - debian/patches/mosquitto-0.15_cve-2017-9868.patch: Set umask to restrict persistence file read access to owner. - CVE-2017-9868 -- Roger A. Light Mon, 26 Jun 2017 09:31:02 +0100 mosquitto (0.15-2+deb7u1) wheezy-security; urgency=high * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id set to '+' or '#'. 
- debian/patches/mosquitto-1.3.4_cve-2017-7650.patch: Reject send/receive of messages to/from clients with a '+', '#' or '/' in their username/client id. - CVE-2017-7650 -- Roger A. Light Tue, 23 May 2017 22:14:40 +0100 mosquitto (0.15-2ubuntu1.2) trusty-security; urgency=low * SECURITY UPDATE: Persistence file is world readable, which may expose sensitive data (LP: #1700490). - debian/patches/mosquitto-1.3.4_cve-2017-9868.patch: Set umask to restrict persistence file read access to owner. - CVE-2017-9868 -- Roger A. Light Mon, 26 Jun 2017 09:31:02 +0100 mosquitto (0.15-2ubuntu1.1) trusty-security; urgency=low * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id set to '+' or '#' (LP: #1692818). - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive of messages to/from clients with a '+', '#' or '/' in their username/client id. - CVE-2017-7650 -- Roger A. Light Tue, 23 May 2017 22:14:40 +0100 mosquitto (0.15-2ubuntu1) saucy; urgency=low * Merge from Debian unstable. Remaining changes: - Install apparmor profile. - Replace init script with upstart script. * debian/patches/fix-972389.patch: Drop, as it was applied in Debian as bug-proto-number.patch. -- Logan Rosen Fri, 23 Aug 2013 15:09:02 -0400 mosquitto (0.15-2) unstable; urgency=low * Fix broker crash when a client connects with a bad protocol version. (Closes: #696889) * Fix the possibility of topic access being granted when only acl_patterns is in use. (Closes: #696895) * Fix persistence option reloading. (Closes: #696891) -- Roger A. Light Fri, 28 Dec 2012 22:55:03 +0000 mosquitto (0.15-1) unstable; urgency=low * New upstream release: http://mosquitto.org/2012/02/version-0-15-released/ * Updated debian/copyright to latest DEP-5. * Removed now unnecessary man-hyphen-minus.patch. -- Roger A. Light Sun, 05 Feb 2012 09:30:22 +0000 mosquitto (0.15-0ubuntu2) raring; urgency=low * Fix server crash on incorrect protocol number. (LP: #972389) -- Roger A. 
Light Thu, 16 Aug 2012 16:30:34 +0100 mosquitto (0.15-0ubuntu1) precise; urgency=low * New upstream release. (LP: #928556) * Install apparmor profile. (LP: #836005) * Replace init script with upstart script. (LP: #817175) * Update debian/copyright to latest format. -- Roger A. Light Tue, 07 Feb 2012 23:21:39 +0000 mosquitto (0.12-1) unstable; urgency=low * New upstream release: http://mosquitto.org/2011/07/version-0-12-released/ -- Roger A. Light Mon, 25 Jul 2011 22:24:52 +0100 mosquitto (0.11.3-1) unstable; urgency=low * New upstream release: http://mosquitto.org/2011/07/version-0-11-3-released/ * Fix init script start action to create pidfile so stop works correctly. (thanks to Mark Hindess, closes: #632589) * Fix section for client libraries in debian/control. * Remove disable-cmake.patch, this is handled in debian/rules now. -- Roger A. Light Wed, 6 July 2011 15:07:04 +0100 mosquitto (0.10-1) unstable; urgency=low * Initial release. (Closes: #605319) -- Roger A. Light Sun, 1 May 2011 20:12:51 +0100 debian/control0000664000000000000000000001037613343562075010612 0ustar Source: mosquitto Section: net Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Roger A. Light Build-Depends: debhelper (>= 7.0.50~), libwrap0-dev, python-setuptools, python-support, python (>= 2.5) Standards-Version: 3.9.2 Homepage: http://mosquitto.org/ Vcs-Hg: http://bitbucket.org/oojah/mosquitto-packaging Vcs-Browser: http://bitbucket.org/oojah/mosquitto-packaging/src Package: mosquitto Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, adduser (>= 3.10), lsb-base (>=3.2-13), apparmor Description: MQTT version 3.1 compatible message broker This is a message broker that supports version 3.1 of the MQ Telemetry Transport protocol. . MQTT provides a method of carrying out messaging using a publish/subscribe model. It is lightweight, both in terms of bandwidth usage and ease of implementation. 
This makes it particularly useful at the edge of the network where a sensor or other simple device may be implemented using an arduino for example. Package: libmosquitto0 Section: libs Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Description: MQTT version 3.1 client library This is a C library for implementing MQTT version 3.1 clients. . MQTT provides a method of carrying out messaging using a publish/subscribe model. It is lightweight, both in terms of bandwidth usage and ease of implementation. This makes it particularly useful at the edge of the network where a sensor or other simple device may be implemented using an arduino for example. Package: libmosquitto0-dev Section: libdevel Architecture: all Depends: ${misc:Depends}, libmosquitto0 (>= ${source:Version}), libmosquitto0 (<< ${source:Version}.1~) Description: MQTT version 3.1 client library, development files This is the header and man page for the libmosquitto0 C library, which is a library for implementing MQTT version 3.1 clients. This package is needed to do development with libmosquitto0. Package: libmosquittopp0 Section: libs Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libmosquitto0 (= ${binary:Version}) Description: MQTT version 3.1 client C++ library This is a C++ library for implementing MQTT version 3.1 clients. . MQTT provides a method of carrying out messaging using a publish/subscribe model. It is lightweight, both in terms of bandwidth usage and ease of implementation. This makes it particularly useful at the edge of the network where a sensor or other simple device may be implemented using an arduino for example. 
Package: libmosquittopp0-dev Section: libdevel Architecture: all Depends: ${misc:Depends}, libmosquittopp0 (>= ${source:Version}), libmosquittopp0 (<< ${source:Version}.1~) Description: MQTT version 3.1 client C++ library, development files This is the header and man page for the libmosquittopp0 C++ library, which is a library for implementing MQTT version 3.1 clients. This package is needed to do development with libmosquittopp0. Package: mosquitto-clients Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libmosquitto0 (= ${binary:Version}) Description: Mosquitto command line MQTT clients This is two MQTT version 3.1 command line clients. mosquitto_pub can be used to publish messages to a broker and mosquitto_sub can be used to subscribe to a topic to receive messages. . MQTT provides a method of carrying out messaging using a publish/subscribe model. It is lightweight, both in terms of bandwidth usage and ease of implementation. This makes it particularly useful at the edge of the network where a sensor or other simple device may be implemented using an arduino for example. Package: python-mosquitto Section: python Architecture: all Depends: ${python:Depends}, ${misc:Depends}, python (>= 2.5), libmosquitto0 (>= ${source:Version}), libmosquitto0 (<< ${source:Version}.1~) Description: MQTT version 3.1 client library, python bindings This is a Python module for implementing MQTT version 3.1 clients. . MQTT provides a method of carrying out messaging using a publish/subscribe model. It is lightweight, both in terms of bandwidth usage and ease of implementation. This makes it particularly useful at the edge of the network where a sensor or other simple device may be implemented using an arduino for example. debian/rules0000775000000000000000000000023412067603467010262 0ustar #!/usr/bin/make -f %: dh $@ override_dh_installchangelogs: dh_installchangelogs ChangeLog.txt override_dh_auto_configure: # Don't process CMake rules. 
debian/libmosquitto0.symbols0000664000000000000000000000214411702527514013422 0ustar libmosquitto.so.0 libmosquitto0 #MINVER# VERS_0.12@VERS_0.12 0.12 VERS_0.9@VERS_0.9 0.9 mosquitto_connect@VERS_0.9 0.9 mosquitto_connect_callback_set@VERS_0.9 0.9 mosquitto_destroy@VERS_0.9 0.9 mosquitto_disconnect@VERS_0.9 0.9 mosquitto_disconnect_callback_set@VERS_0.9 0.9 mosquitto_lib_cleanup@VERS_0.9 0.9 mosquitto_lib_init@VERS_0.9 0.9 mosquitto_lib_version@VERS_0.9 0.9 mosquitto_log_init@VERS_0.9 0.9 mosquitto_loop@VERS_0.9 0.9 mosquitto_loop_misc@VERS_0.9 0.9 mosquitto_loop_read@VERS_0.9 0.9 mosquitto_loop_write@VERS_0.9 0.9 mosquitto_message_callback_set@VERS_0.9 0.9 mosquitto_message_copy@VERS_0.9 0.9 mosquitto_message_free@VERS_0.9 0.9 mosquitto_message_retry_set@VERS_0.9 0.9 mosquitto_new@VERS_0.9 0.9 mosquitto_publish@VERS_0.9 0.9 mosquitto_publish_callback_set@VERS_0.9 0.9 mosquitto_reconnect@VERS_0.12 0.12 mosquitto_socket@VERS_0.9 0.9 mosquitto_subscribe@VERS_0.9 0.9 mosquitto_subscribe_callback_set@VERS_0.9 0.9 mosquitto_unsubscribe@VERS_0.9 0.9 mosquitto_unsubscribe_callback_set@VERS_0.9 0.9 mosquitto_username_pw_set@VERS_0.9 0.9 mosquitto_will_set@VERS_0.9 0.9 debian/watch0000664000000000000000000000010511702527514010221 0ustar version=3 http://mosquitto.org/files/source/mosquitto-(.*)\.tar\.gz debian/compat0000664000000000000000000000000212067601513010367 0ustar 7 debian/mosquitto.dirs0000664000000000000000000000002211702527514012115 0ustar var/lib/mosquitto debian/libmosquitto0.install0000664000000000000000000000003211702527514013372 0ustar usr/lib/libmosquitto.so.0 debian/pyversions0000664000000000000000000000000511702527514011333 0ustar 2.5- debian/libmosquittopp0-dev.install0000664000000000000000000000006411702527514014513 0ustar usr/include/mosquittopp.h usr/lib/libmosquittopp.so debian/libmosquittopp0.install0000664000000000000000000000003411702527514013734 0ustar usr/lib/libmosquittopp.so.0