Mosquitto pattern ACLs can be circumvented with special client ids or usernames
Bug #1692818 reported by Roger Light
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mosquitto (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
This issue will be disclosed as CVE-2017-7650.
It affects all versions currently packaged in Ubuntu. A fix is currently being tested and will be released as part of version 1.4.12 and as patches for earlier versions.
Could you please offer advice on how to deal with the packages in current versions of Ubuntu? Is that something I need to deal with or can the security team help?
CVE References
Changed in mosquitto (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
Hello Roger, thanks for contacting us; because mosquitto is in universe it is community-supported -- anyone can provide us with debdiffs and we'll sponsor them into the archive.
You can find some more information about the process on https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation .
Thanks