Date: Sat, 24 Jul 2021 21:14:55 GMT From: Craig Leres <leres@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: e220d6ed93a7 - main - net/mosquitto: Update to 2.0.10 and solve NULL pointer dereference Message-ID: <202107242114.16OLEtQx064519@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by leres: URL: https://cgit.FreeBSD.org/ports/commit/?id=e220d6ed93a7e736c1972c8a864737641d818067 commit e220d6ed93a7e736c1972c8a864737641d818067 Author: Craig Leres <leres@FreeBSD.org> AuthorDate: 2021-07-24 21:14:01 +0000 Commit: Craig Leres <leres@FreeBSD.org> CommitDate: 2021-07-24 21:14:01 +0000 net/mosquitto: Update to 2.0.10 and solve NULL pointer dereference https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt This release fixes a DoS vulnerability: - If an authenticated client connected with MQTT v5 sent a malformed CONNACK message to the broker a NULL pointer dereference occurred, most likely resulting in a segfault. Other changes since 2.0.8: - Set `receive-maximum` to not exceed the `-C` message count in mosquitto_sub and mosquitto_rr, to avoid potentially lost messages. - Fix TLS-PSK mode not working with port 8883. - Fix possible socket leak. This would occur if a client was using `mosquitto_loop_start()`, then if the connection failed due to the remote server being inaccessible they called `mosquitto_loop_stop(, true)` and recreated the mosquitto object. - If an empty or invalid CA file was provided to the client library for verifying the remote broker, then the initial connection would fail but subsequent connections would succeed without verifying the remote broker certificate. - If an empty or invalid CA file was provided to the broker for verifying the remote broker for an outgoing bridge connection then the initial connection would fail but subsequent connections would succeed without verifying the remote broker certificate. - Fix encrypted bridge connections incorrectly connecting when `bridge_cafile` is empty or invalid. - Fix `tls_version` behaviour not matching documentation. - Fix messages to `$` prefixed topics being rejected. - Fix QoS 0 messages not being delivered when max_queued_bytes was configured. - Fix bridge increasing backoff calculation. - Improve handling of invalid combinations of listener address and bind interface configurations. - Fix `max_keepalive` option not applying to clients connecting with keepalive - Fix encrypted connections incorrectly connecting when the CA file passed to `mosquitto_tls_set()` is empty or invalid. set to 0. PR: 255229 Reported by: Daniel Engberg Approved by: joe@thrallingpenguin.com (maintainer) MFH: 2021Q3 Security: cc553d79-e1f0-4b94-89f2-bacad42ee826 --- net/mosquitto/Makefile | 4 ++-- net/mosquitto/distinfo | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/net/mosquitto/Makefile b/net/mosquitto/Makefile index 3aeb8c355b46..740405a39144 100644 --- a/net/mosquitto/Makefile +++ b/net/mosquitto/Makefile @@ -1,9 +1,9 @@ # Created by: Joseph Benden <joe@thrallingpenguin.com> PORTNAME= mosquitto -PORTVERSION= 2.0.8 +PORTVERSION= 2.0.10 CATEGORIES= net -MASTER_SITES= http://mosquitto.org/files/source/ +MASTER_SITES= https://mosquitto.org/files/source/ MAINTAINER= joe@thrallingpenguin.com COMMENT= Open source MQTT broker diff --git a/net/mosquitto/distinfo b/net/mosquitto/distinfo index 3a80f21e8a5f..fec3d35813f8 100644 --- a/net/mosquitto/distinfo +++ b/net/mosquitto/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1615114358 -SHA256 (mosquitto-2.0.8.tar.gz) = b15da8fc4edcb91d554e1259e220ea0173ef639ceaa4b465e06feb7e125b84bf -SIZE (mosquitto-2.0.8.tar.gz) = 756636 +TIMESTAMP = 1627146562 +SHA256 (mosquitto-2.0.10.tar.gz) = 0188f7b21b91d6d80e992b8d6116ba851468b3bd154030e8a003ed28fb6f4a44 +SIZE (mosquitto-2.0.10.tar.gz) = 759106
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202107242114.16OLEtQx064519>