Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.1364
mosquitto security update
31 May 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: mosquitto
Publisher: Debian
Operating System: Debian GNU/Linux 8
Linux variants
OS X
Windows
Impact/Access: Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2017-7650
Original Bulletin:
http://www.debian.org/security/2017/dsa-3865
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running mosquitto check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3865-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 29, 2017 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : mosquitto
CVE ID : CVE-2017-7650
It was discovered that pattern-based ACLs in the Mosquitto MQTT broker
could be bypassed.
For the stable distribution (jessie), this problem has been fixed in
version 1.3.4-2+deb8u1.
For the unstable distribution (sid), this problem has been fixed in
version 1.4.10-3.
We recommend that you upgrade your mosquitto packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlksi7wACgkQEMKTtsN8
TjbsvxAApk5MtkqWRnJNlPRNb/HNMU5of+Imk+PdHn/y9pIXpqpSoLxZ07gp6wz0
Vo6kZoLmqqwFYCfz5+WMm1c6cWc/eYsA+mzXawE0SeRGYbZuLhgWi/YS05KhsI8R
Gru8FLZRoiYBd7leVhZ8Sx7yWOaPmPCpIuaEPeyVNk038d2Ohmvzc2c//+MFangB
LqiT8ZxQoZtkwf/f8IjXnNBZPKOuZWYEUdfWORDaTAphS8FDQJXE7NW+ekNF+J7T
nFdesxRXvS4nTy6TsfQvEv5e+uB0bDG64zoVG7h3eW4NT+V0JlHy3hnsKjYLAc+R
9NgBq8EWFqaNiCnKvzHNiznRsAKPRzLA1+DGqIT8GrJrX6X6/asiml2Zxq1FOHA+
tvsilvfF3dcEQzAYNdwhNrF5JhFa/by/tEIF7f4eqgM4lmHxabTPOC/A/p0GrBvk
I36u4q/XvJMgiRzMBw7DeAGkLMzB8FDhZ6MPrZDaosk6SOPv6r3lIC3hH+hPLAeM
uOzKs/lSSpMzQGs1HZKtMxxHr3ZPCvHlPnkcnLLpOsYBWy4fZ+6KhlkjIlt+IbOr
P3eHECW86kuTkdqhwn69d/o550dGmEyZ2ZUZrJlhHmPDUayjDGvPTJguEVzhEfCf
fDgup/zwoBQ+9U6gKB3RJgKt61jU/Hd76MvAU4wAHQQrJDam7og=
=agFI
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWS446ox+lLeg9Ub1AQijTA//VhSKJFz+4kSaqgCI3h1w6ymPki3weGit
yeBt3QRQuk7WBHGm+jURxUJV+rHX0nHT5nT5iwpV6+YrDUtNGD8aVlIQPwEoxJfN
4+2t0aQM3GLio6ueyyOm/lm5cL+SJvlZNmLUQpC1WADdPxZ+j9mz9ud3eGsSms3g
qUWuVMJc4gdBMLT6H0L3ylYQO14evl1FYMfw4BgEXKlBUZiSWoAz3Gxhzt2j/PuZ
qE630ZIRnD5Bb7xV5Mp7opAPUdYPZ3SYL3OrTOYS2HOJV24lVWCOgiR1yndIMsRX
1wn7LyVZdFczpE9wUH5ZC7bJxbwevgkEPhSA5D/KWK2j4zk5vMITwxr7FbafEEln
X8FIJDFaKlbXBSCLoKJfAjn5ifXKn9BS/b6QYNzBJKIGh3oKYfLnmMnKeQyVtfNL
6O1v/TIiILv7XAsokl0MogUae6h19JTzwtfKZLs9Gp7tXbiueEpBDlMzOWjhjbhc
ELW0Fbbc/fgrEvAxdBa1YtaLBmaRVVcTRh9o18xaVgVapRLuFl7T2VUzhV2gSl+P
jJnHiWVCIsEMkdPLFjDY5NRkx1dNatJpoS3vq3AB+V6BGtrzxx9Bt6BsdDThRyfT
YwbTy8YQPedfyzdXJPrEuSHiRRaKAL5eu7SkK7NTIbLadQd1eKXACRInov9Et1XZ
qjjKCPPzBL0=
=6IVj
-----END PGP SIGNATURE-----