1.6.7 =====
Broker :
Add workaround for working with libwebsockets 3.2.0.
Fix potential crash when reloading config.
Client library :
Don’t use / in autogenerated client ids, to avoid confusing with topics.
Fix mosquitto_max_inflight_messages_set() and mosquitto_int_option(…, MOSQ_OPT_*_MAX, …) behaviour.
Fix regression on use of mosquitto_connect_async() not working.
Clients :
mosquitto_sub: Fix -E incorrectly not working unless -d was also specified.
Updated documentation around automatic client ids.
1.6.6 =====
Security :
CVE-2019-11779
Restrict topic hierarchy to 200 levels to prevent possible stack overflow.
Broker :
Restrict topic hierarchy to 200 levels to prevent possible stack overflow.
mosquitto_passwd now returns 1 when attempting to update a user that does not exist.
1.6.5 =====
Broker :
Fix v5 DISCONNECT packets with remaining length == 2 being treated as a protocol error.
Fix support for libwebsockets 3.x.
Fix slow websockets performance when sending large messages.
Fix bridges potentially not connecting on Windows.
Fix clients authorised using use_identity_as_username
or use_subject_as_username
being disconnected on SIGHUP.
Improve error messages in some situations when clients disconnect. Reduces the number of ‘Socket error on client X, disconnecting’ messages.
Fix Will for v5 clients not being sent if will delay interval was greater than the session expiry interval.
Fix CRL file not being reloaded on HUP.
Fix repeated ‘Error in poll’ messages on Windows when only websockets listeners are defined.
Client library :
Fix reconnect backoff for the situation where connections are dropped rather than refused.
Fix missing locks on mosq->state
.
Documentation :
Improve details on global/per listener options in the mosquitto.conf man page.
Clarify behaviour when clients exceed the message_size_limit
.
Improve documentation for max_inflight_bytes
, max_inflight_messages
, and max_queued_messages
.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2019-8b83c261dd.
#
include('compat.inc');
if (description)
{
script_id(129633);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/19");
script_cve_id("CVE-2019-11779");
script_xref(name:"FEDORA", value:"2019-8b83c261dd");
script_name(english:"Fedora 30 : mosquitto (2019-8b83c261dd)");
script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing a security update.");
script_set_attribute(attribute:"description", value:
"1.6.7 =====
Broker :
- Add workaround for working with libwebsockets 3.2.0.
- Fix potential crash when reloading config.
Client library :
- Don't use / in autogenerated client ids, to avoid
confusing with topics.
- Fix mosquitto_max_inflight_messages_set() and
mosquitto_int_option(..., MOSQ_OPT_*_MAX, ...)
behaviour.
- Fix regression on use of mosquitto_connect_async() not
working.
Clients :
- mosquitto_sub: Fix -E incorrectly not working unless -d
was also specified.
- Updated documentation around automatic client ids.
1.6.6 =====
Security :
- CVE-2019-11779
- Restrict topic hierarchy to 200 levels to prevent
possible stack overflow.
Broker :
- Restrict topic hierarchy to 200 levels to prevent
possible stack overflow.
- mosquitto_passwd now returns 1 when attempting to update
a user that does not exist.
1.6.5 =====
Broker :
- Fix v5 DISCONNECT packets with remaining length == 2
being treated as a protocol error.
- Fix support for libwebsockets 3.x.
- Fix slow websockets performance when sending large
messages.
- Fix bridges potentially not connecting on Windows.
- Fix clients authorised using `use_identity_as_username`
or `use_subject_as_username` being disconnected on
SIGHUP.
- Improve error messages in some situations when clients
disconnect. Reduces the number of 'Socket error on
client X, disconnecting' messages.
- Fix Will for v5 clients not being sent if will delay
interval was greater than the session expiry interval.
- Fix CRL file not being reloaded on HUP.
- Fix repeated 'Error in poll' messages on Windows when
only websockets listeners are defined.
Client library :
- Fix reconnect backoff for the situation where
connections are dropped rather than refused.
- Fix missing locks on `mosq->state`.
Documentation :
- Improve details on global/per listener options in the
mosquitto.conf man page.
- Clarify behaviour when clients exceed the
`message_size_limit`.
- Improve documentation for `max_inflight_bytes`,
`max_inflight_messages`, and `max_queued_messages`.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-8b83c261dd");
script_set_attribute(attribute:"solution", value:
"Update the affected mosquitto package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11779");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/19");
script_set_attribute(attribute:"patch_publication_date", value:"2019/10/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/07");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mosquitto");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Fedora Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
flag = 0;
if (rpm_check(release:"FC30", reference:"mosquitto-1.6.7-1.fc30")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mosquitto");
}
Vendor | Product | Version | CPE |
---|---|---|---|
fedoraproject | fedora | mosquitto | p-cpe:/a:fedoraproject:fedora:mosquitto |
fedoraproject | fedora | 30 | cpe:/o:fedoraproject:fedora:30 |