
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3965
                         mosquitto security update
                              28 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mosquitto
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11779 CVE-2018-12551 CVE-2018-12550
                   CVE-2017-7655  

Reference:         ESB-2019.3584
                   ESB-2019.0500
                   ESB-2019.0409

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : mosquitto
Version        : 1.3.4-2+deb8u4
CVE ID         : CVE-2017-7655 CVE-2018-12550 CVE-2018-12551
                  CVE-2019-11779


Several issues have been found in mosquitto, an MQTT version 3.1/3.1.1
compatible message broker.

CVE-2017-7655

      A NULL pointer dereference vulnerability in the Mosquitto library could
      cause applications that use the library to crash.


CVE-2018-12550

      An ACL file with no statements was treated as having a default
      allow policy. The new behaviour for an empty ACL file is a default
      policy of access denied (this matches the behaviour of all newer
      releases).


CVE-2018-12551

      Malformed authentication data in the password file could allow
      clients to circumvent authentication and get access to the broker.


CVE-2019-11779

      Fix for processing a crafted SUBSCRIBE packet containing a topic
      that consists of approximately 65400 or more '/' characters
      (TOPIC_HIERARCHY_LIMIT is now set to 200).


For Debian 8 "Jessie", these problems have been fixed in version
1.3.4-2+deb8u4.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
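The checks a defender would run for the configuration-related issues in the advisory above (CVE-2018-12550, CVE-2018-12551) and the topic-depth limit introduced for CVE-2019-11779, as an added Python example that is not part of the Debian advisory or of mosquitto's own code. It assumes the documented mosquitto conventions that `#` starts a comment line in an ACL file and that password-file lines have the form `username:hash`, and the MQTT rule that `/` separates topic levels; the limit of 200 is the TOPIC_HIERARCHY_LIMIT value quoted in the advisory. The file contents and topics in the block are constructed samples.

```python
"""Defensive checks for the mosquitto issues above (added example, not advisory code)."""

# Value named in the advisory for CVE-2019-11779 (assumption: applied as a
# maximum number of topic levels, counting '/' separators as in MQTT 3.1.1).
TOPIC_HIERARCHY_LIMIT = 200


def topic_depth(topic: str) -> int:
    """Number of topic levels: '/' separates levels, so 'a/b' is 2 and '/a' is 2."""
    return topic.count("/") + 1


def subscribe_topic_ok(topic: str, limit: int = TOPIC_HIERARCHY_LIMIT) -> bool:
    """Mirror of the fix: reject an empty topic or one deeper than `limit` levels."""
    return bool(topic) and topic_depth(topic) <= limit


def acl_file_is_empty(acl_text: str) -> bool:
    """True when the ACL file holds no statements (only blank and '#' comment lines).

    On the fixed package an empty file means deny by default; on unfixed 1.3.4
    it was treated as allow-all (CVE-2018-12550), so an empty file is worth a finding.
    """
    return not any(
        line.strip() and not line.lstrip().startswith("#")
        for line in acl_text.splitlines()
    )


def malformed_password_lines(passwd_text: str) -> list:
    """1-based numbers of non-blank lines that are not of the form 'username:hash'."""
    bad = []
    for n, line in enumerate(passwd_text.splitlines(), start=1):
        if not line.strip():
            continue
        user, sep, pw_hash = line.partition(":")
        if not sep or not user.strip() or not pw_hash.strip():
            bad.append(n)
    return bad


def audit_files(acl_text: str, passwd_text: str) -> list:
    """Combine the two file checks into a list of human-readable findings."""
    findings = []
    if acl_file_is_empty(acl_text):
        findings.append(
            "acl: no statements; unfixed 1.3.4 treated this as allow-all (CVE-2018-12550)"
        )
    for n in malformed_password_lines(passwd_text):
        findings.append(f"passwd: line {n} is not 'username:hash' (CVE-2018-12551)")
    return findings


if __name__ == "__main__":
    # Constructed sample files (not taken from any real deployment).
    SAMPLE_ACL = "# only a comment, no statements\n\n"
    SAMPLE_PASSWD = "alice:$6$c2FsdA$aGFzaA\nbob\n:nohash\ncarol:\n"
    for finding in audit_files(SAMPLE_ACL, SAMPLE_PASSWD):
        print(finding)
    # Constructed oversized topic of the shape the advisory describes is rejected,
    # an ordinary three-level topic is accepted.
    print(subscribe_topic_ok("/" * 65400), subscribe_topic_ok("sensors/room1/temp"))
```

Run it against copies of the broker's `acl_file` and `password_file` before upgrading, or keep the password-file check in a pre-deployment lint so that a truncated or hand-edited entry is caught before the broker reads it.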

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----