pkgsrc-WIP-changes archive


mosquitto: Update to 1.5.6



Module Name:	pkgsrc-wip
Committed By:	Greg Troxel <gdt%lexort.com@localhost>
Pushed By:	gdt
Date:		Mon Feb 11 20:06:13 2019 -0500
Changeset:	3540d667ae9355bee2febf5d6b9906ecf94d21e9

Modified Files:
	mosquitto/Makefile
	mosquitto/distinfo

Log Message:
mosquitto: Update to 1.5.6

1.5.6 - 20190206
================

Security:
- CVE-2018-12551: If Mosquitto is configured to use a password file for
  authentication, any malformed data in the password file will be treated as
  valid. This typically means that the malformed data becomes a username and no
  password. If this occurs, clients can circumvent authentication and get access
  to the broker by using the malformed username. In particular, a blank line
  will be treated as a valid empty username. Other security measures are
  unaffected. Users who have only used the mosquitto_passwd utility to create
  and modify their password files are unaffected by this vulnerability.
  Affects version 1.0 to 1.5.5 inclusive.
- CVE-2018-12550: If an ACL file is empty, or has only blank lines or
  comments, then mosquitto treats the ACL file as not being defined, which
  means that no topic access is denied. Although denying access to all topics
  is not a useful configuration, this behaviour is unexpected and could lead
  to access being incorrectly granted in some circumstances. This is now
  fixed. Affects versions 1.0 to 1.5.5 inclusive.
- CVE-2018-12546. If a client publishes a retained message to a topic that
  they have access to, and then their access to that topic is revoked, the
  retained message will still be delivered to future subscribers. This
  behaviour may be undesirable in some applications, so a configuration option
  `check_retain_source` has been introduced to enforce checking of the
  retained message source on publish.

Broker:
- Fixed comment handling for config options that have optional arguments.
- Improved documentation around bridge topic remapping.
- Handle mismatched handshakes (e.g. QoS1 PUBLISH with QoS2 reply) properly.
- Fix spaces not being allowed in the bridge remote_username option. Closes
  #1131.
- Allow broker to always restart on Windows when using `log_dest file`. Closes
  #1080.
- Fix Will not being sent for Websockets clients. Closes #1143.
- Windows: Fix possible crash when client disconnects. Closes #1137.
- Fixed durable clients being unable to receive messages when offline, when
  per_listener_settings was set to true. Closes #1081.
- Add log message for the case where a client is disconnected for sending a
  topic with invalid UTF-8. Closes #1144.

Library:
- Fix TLS connections not working over SOCKS.
- Don't clear SSL context when TLS connection is closed, meaning if a user
  provided an external SSL_CTX they have less chance of leaking references.

Build:
- Fix comparison of boolean values in CMake build. Closes #1101.
- Fix compilation when openssl deprecated APIs are not available.
  Closes #1094.
- Man pages can now be built on any system. Closes #1139.

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=3540d667ae9355bee2febf5d6b9906ecf94d21e9

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 mosquitto/Makefile | 2 +-
 mosquitto/distinfo | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diffs:
diff --git a/mosquitto/Makefile b/mosquitto/Makefile
index f5fb4b5365..b109cfcc07 100644
--- a/mosquitto/Makefile
+++ b/mosquitto/Makefile
@@ -1,6 +1,6 @@
 # $NetBSD$
 
-VERSION=	1.5.5
+VERSION=	1.5.6
 DISTNAME=	mosquitto-${VERSION}
 CATEGORIES=	net
 MASTER_SITES=	https://mosquitto.org/files/source/
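Review bot: the `VERSION=` line is the only Makefile change, yet the log describes this as a security release that changes how existing password and ACL files are handled (CVE-2018-12551, CVE-2018-12550) and adds a `check_retain_source` option. Consider adding a short upgrade note for admins, in the commit message or the package, telling them to recheck hand-edited password files and empty ACL files after moving from 1.5.5.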
diff --git a/mosquitto/distinfo b/mosquitto/distinfo
index 565c516b30..4737a61e67 100644
--- a/mosquitto/distinfo
+++ b/mosquitto/distinfo
@@ -1,9 +1,9 @@
 $NetBSD$
 
-SHA1 (mosquitto-1.5.5.tar.gz) = 1034e120b85b280d2d82b1ad42b280802999ee1e
-RMD160 (mosquitto-1.5.5.tar.gz) = 7c04ab09553a3514c0ff6411ba289ed3a971c757
-SHA512 (mosquitto-1.5.5.tar.gz) = 4984a8c3a48450ae87dfca9ea825433332c22a5c1b214b7c6d134789675431ba1bcebaceea2fe32c5d32c91ec47b9ded7b61c0c2caf6551f10e4f8dc455a5351
-Size (mosquitto-1.5.5.tar.gz) = 431998 bytes
+SHA1 (mosquitto-1.5.6.tar.gz) = df99f3b9d5afcb1f13f622e07b4b9f516c26689a
+RMD160 (mosquitto-1.5.6.tar.gz) = c4ddcd7388e5a19410421a2149292f3eb130b40e
+SHA512 (mosquitto-1.5.6.tar.gz) = 99bd935f93ae25f0c7992870780cce4748b35ffd58fd0d39e20ee69f34c28d3eac289cf0c7dec078dbdced3bda12da4569d4b5e84ebdaa5514640f331ca3238b
+Size (mosquitto-1.5.6.tar.gz) = 439402 bytes
 SHA1 (patch-CMakeLists.txt) = 34891235466aca2becd6072183298b8949a0a356
 SHA1 (patch-lib_CMakeLists.txt) = 9ab510e09f5099e595129b8bacf1a348b0868271
 SHA1 (patch-mosquitto.conf) = faa7e77c30a58105bd678d510f1f545345f6ce0b
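Review bot: the three `patch-*` checksums in the trailing context are unchanged, so the local patches were carried over rather than regenerated against 1.5.6. Please confirm they still apply cleanly, `patch-mosquitto.conf` in particular, since the log mentions a new configuration option. Nothing in the commit records how the new tarball was authenticated before the SHA1/RMD160/SHA512 lines were regenerated; if upstream publishes a checksum or signature for the 1.5.6 tarball, comparing against it and saying so in the log would make the pin more trustworthy.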
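A defender-side check for the two file-parsing issues in the log above (CVE-2018-12551 and CVE-2018-12550), as an added example that is not part of the original commit or of mosquitto: it flags password-file lines that are not `user:hash` and ACL files that contain no rules. The `$6$salt$hash` field layout, the `#` comment marker, the function names and the sample data are assumptions made for this example.

```python
import re

# Assumption: hash field as written by mosquitto_passwd in the 1.5 series,
# "$6$<base64 salt>$<base64 hash>". Adjust the pattern for other releases.
HASH_FIELD = re.compile(r"^\$6\$[A-Za-z0-9+/]+={0,2}\$[A-Za-z0-9+/]+={0,2}$")


def audit_password_file(text):
    """Return (line_number, reason) for each line that is not 'user:hash'."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        user, sep, field = line.partition(":")
        if not line.strip():
            reason = "blank line (CVE-2018-12551: read as an empty username)"
        elif not sep:
            reason = "no ':' separator (username with no password)"
        elif not user:
            reason = "empty username"
        elif not field:
            reason = "empty password field"
        elif not HASH_FIELD.match(field):
            reason = "hash field not in the assumed $6$salt$hash form"
        else:
            continue
        findings.append((number, reason))
    return findings


def acl_has_rules(text):
    """False when the ACL file holds only blank lines or '#' comments."""
    return any(ln.strip() and not ln.lstrip().startswith("#")
               for ln in text.splitlines())


# Constructed sample input, not taken from any real broker.
SAMPLE_PASSWD = (
    "alice:$6$c2FsdHNhbHQ=$aGFzaGhhc2hoYXNo\n"
    "\n"
    "bob\n"
    ":$6$c2FsdA==$aGFzaA==\n"
    "carol:\n"
)
SAMPLE_ACL = "# topic rules go here\n\n"

if __name__ == "__main__":
    for number, reason in audit_password_file(SAMPLE_PASSWD):
        print(f"password_file line {number}: {reason}")
    if not acl_has_rules(SAMPLE_ACL):
        print("acl_file: no rules (CVE-2018-12550: treated as undefined)")
```

Running it against the real `password_file` and `acl_file` before and after the upgrade shows which entries the pre-1.5.6 parser would have accepted as usernames.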

