Date: Sat, 24 Jul 2021 21:14:55 GMT
Message-Id: <202107242114.16OLEtQx064519@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Craig Leres
Subject: git: e220d6ed93a7 - main - net/mosquitto: Update to 2.0.10 and solve NULL pointer dereference
X-Git-Committer: leres
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e220d6ed93a7e736c1972c8a864737641d818067

The branch main has been updated by leres:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e220d6ed93a7e736c1972c8a864737641d818067

commit e220d6ed93a7e736c1972c8a864737641d818067
Author:     Craig Leres
AuthorDate: 2021-07-24 21:14:01 +0000
Commit:     Craig Leres
CommitDate: 2021-07-24 21:14:01 +0000

net/mosquitto: Update to 2.0.10 and solve NULL pointer dereference

https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt

This release fixes a DoS vulnerability:

- If an authenticated client connected with MQTT v5 sent a malformed CONNACK message to the broker a NULL pointer dereference occurred, most likely resulting in a segfault.

Other changes since 2.0.8:

- Set `receive-maximum` to not exceed the `-C` message count in mosquitto_sub and mosquitto_rr, to avoid potentially lost messages.
- Fix TLS-PSK mode not working with port 8883.
- Fix possible socket leak. This would occur if a client was using `mosquitto_loop_start()`, then if the connection failed due to the remote server being inaccessible they called `mosquitto_loop_stop(, true)` and recreated the mosquitto object.
- If an empty or invalid CA file was provided to the client library for verifying the remote broker, then the initial connection would fail but subsequent connections would succeed without verifying the remote broker certificate.
- If an empty or invalid CA file was provided to the broker for verifying the remote broker for an outgoing bridge connection then the initial connection would fail but subsequent connections would succeed without verifying the remote broker certificate.
- Fix encrypted bridge connections incorrectly connecting when `bridge_cafile` is empty or invalid.
- Fix `tls_version` behaviour not matching documentation.
- Fix messages to `$` prefixed topics being rejected.
- Fix QoS 0 messages not being delivered when max_queued_bytes was configured.
- Fix bridge increasing backoff calculation.
- Improve handling of invalid combinations of listener address and bind interface configurations.
- Fix `max_keepalive` option not applying to clients connecting with keepalive
- Fix encrypted connections incorrectly connecting when the CA file passed to `mosquitto_tls_set()` is empty or invalid. set to 0.

PR: 255229
Reported by: Daniel Engberg
Approved by: joe@thrallingpenguin.com (maintainer)
MFH: 2021Q3
Security: cc553d79-e1f0-4b94-89f2-bacad42ee826
---
 net/mosquitto/Makefile | 4 ++--
 net/mosquitto/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/mosquitto/Makefile b/net/mosquitto/Makefile index 3aeb8c355b46..740405a39144 100644 --- a/net/mosquitto/Makefile +++ b/net/mosquitto/Makefile @@ -1,9 +1,9 @@ # Created by: Joseph Benden PORTNAME= mosquitto -PORTVERSION= 2.0.8 +PORTVERSION= 2.0.10 CATEGORIES= net -MASTER_SITES= http://mosquitto.org/files/source/ +MASTER_SITES= https://mosquitto.org/files/source/ MAINTAINER= joe@thrallingpenguin.com COMMENT= Open source MQTT broker diff --git a/net/mosquitto/distinfo b/net/mosquitto/distinfo index 3a80f21e8a5f..fec3d35813f8 100644 --- a/net/mosquitto/distinfo 
+++ b/net/mosquitto/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1615114358 -SHA256 (mosquitto-2.0.8.tar.gz) = b15da8fc4edcb91d554e1259e220ea0173ef639ceaa4b465e06feb7e125b84bf -SIZE (mosquitto-2.0.8.tar.gz) = 756636 +TIMESTAMP = 1627146562 +SHA256 (mosquitto-2.0.10.tar.gz) = 0188f7b21b91d6d80e992b8d6116ba851468b3bd154030e8a003ed28fb6f4a44 +SIZE (mosquitto-2.0.10.tar.gz) = 759106
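
Review bot: The `MASTER_SITES` line in the net/mosquitto/Makefile hunk moves from `http://mosquitto.org/files/source/` to `https://mosquitto.org/files/source/`, but the commit message only describes the version update and the upstream changelog. Please add a line to the log noting the switch to HTTPS for the distfile fetch, so that the transport change can be found later without reading the diff. The `PORTVERSION` bump from 2.0.8 to 2.0.10 matches the subject line and needs no further comment.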
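
Review bot: The new `SHA256 (mosquitto-2.0.10.tar.gz)` value in the net/mosquitto/distinfo hunk is the only integrity anchor for this security update, and nothing in the commit says how the hashed tarball was obtained. Because the same commit changes `MASTER_SITES` from http to https, it is not visible whether the file hashed here was fetched over the old plaintext URL or the new one. Suggest stating in the log that distinfo was regenerated after the HTTPS change and that the tarball was checked against whatever checksum or signature upstream publishes, if any. The `SIZE` and `TIMESTAMP` lines are updated together with the hash, which is consistent with a regenerated distinfo.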