Mosquitto is vulnerable to potentially insecure configuration issues. The vulnerability is triggered when the broker receives a SIGHUP signal while it cannot allocate any additional file descriptors, so it is unable to open the configuration file. The reload then falls back to the default configuration values, which can strip off the intended security options.
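The failure mode described above, shown as an added example that is not Mosquitto's own code: a reload that resets the live settings before the file is known to be readable, next to one that swaps settings only after a successful parse. The `config` struct, its defaults, the function names and the file paths are hypothetical, and an unopenable path stands in for descriptor exhaustion.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical, simplified broker settings (not Mosquitto's real struct). */
struct config {
    bool allow_anonymous;
    char password_file[128];
};
/* Permissive defaults, chosen for illustration. */
static void config_defaults(struct config *c) {
    c->allow_anonymous = true;
    c->password_file[0] = '\0';
}

/* Parse "key value" lines from path into c; -1 if the file cannot be opened. */
static int config_parse(struct config *c, const char *path) {
    char key[64], val[128];
    FILE *f = fopen(path, "r");
    if (!f) return -1;               /* e.g. no file descriptors left */
    while (fscanf(f, "%63s %127s", key, val) == 2) {
        if (strcmp(key, "allow_anonymous") == 0)
            c->allow_anonymous = (strcmp(val, "true") == 0);
        else if (strcmp(key, "password_file") == 0)
            snprintf(c->password_file, sizeof c->password_file, "%s", val);
    }
    fclose(f);
    return 0;
}

/* Weak pattern: live settings are reset before the open is attempted. */
int reload_unsafe(struct config *live, const char *path) {
    config_defaults(live);
    return config_parse(live, path);
}

/* Hardened pattern: build a scratch copy, swap it in only on success. */
int reload_safe(struct config *live, const char *path) {
    struct config fresh;
    config_defaults(&fresh);
    if (config_parse(&fresh, path) != 0) return -1;  /* keep running config */
    *live = fresh;
    return 0;
}

int main(void) {
    struct config live = { false, "/constructed/passwd" };  /* constructed */
    reload_unsafe(&live, "/nonexistent/constructed.conf");
    printf("after failed reload: allow_anonymous=%d\n", live.allow_anonymous);
}
```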
bugs.eclipse.org/bugs/show_bug.cgi?id=530102
github.com/eclipse/mosquitto/commit/b76982db13a874895a6afd1e99c2d6203eee909c
lists.debian.org/debian-lts-announce/2018/03/msg00037.html
lists.debian.org/debian-lts-announce/2018/06/msg00016.html
mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
www.debian.org/security/2018/dsa-4325