diff -Nru mosquitto-1.4.8/debian/changelog mosquitto-1.4.8/debian/changelog
--- mosquitto-1.4.8/debian/changelog	2016-02-19 12:03:16.000000000 +0100
+++ mosquitto-1.4.8/debian/changelog	2017-05-30 11:26:09.000000000 +0200
@@ -1,3 +1,14 @@
+mosquitto (1.4.8-1ubuntu1) xenial-security; urgency=medium
+
+  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
+    set to '+' or '#'.
+    - debian/patches/mosquitto-1.4.10_cve-2017-7650.patch: Reject send/receive
+      of messages to/from clients with a '+', '#' or '/' in their
+      username/client id.
+    - CVE-2017-7650
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 30 May 2017 11:25:15 +0200
+
 mosquitto (1.4.8-1build1) xenial; urgency=medium
 
   * Rebuild against libwebsockets7.
diff -Nru mosquitto-1.4.8/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch mosquitto-1.4.8/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch
--- mosquitto-1.4.8/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch	1970-01-01 01:00:00.000000000 +0100
+++ mosquitto-1.4.8/debian/patches/mosquitto-1.4.10_cve-2017-7650.patch	2017-05-30 11:26:40.000000000 +0200
@@ -0,0 +1,61 @@
+Description: Fix for CVE-207-7650.
+Author: Roger Light <roger@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2017-7650/mosquitto-1.4.x_cve-2017-7650.patch
+diff --git a/src/security.c b/src/security.c
+index 6ae9fb9..37ce32b 100644
+--- src/security.c
++++ b/src/security.c
+@@ -233,6 +233,21 @@
+ 		{
+ 			username = context->username;
+ 		}
++
++		/* Check whether the client id or username contains a +, # or / and if
++		 * so deny access.
++		 *
++		 * Do this check for every message regardless, we have to protect the
++		 * plugins against possible pattern based attacks.
++		 */
++		if(username && strpbrk(username, "+#/")){
++			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", username);
++			return MOSQ_ERR_ACL_DENIED;
++		}
++		if(context->id && strpbrk(context->id, "+#/")){
++			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
++			return MOSQ_ERR_ACL_DENIED;
++		}
+ 		return db->auth_plugin.acl_check(db->auth_plugin.user_data, context->id, username, topic, access);
+ 	}
+ }
+diff --git a/src/security_default.c b/src/security_default.c
+index 64ca846..a41c21f 100644
+--- src/security_default.c
++++ b/src/security_default.c
+@@ -261,6 +261,26 @@ int mosquitto_acl_check_default(struct mosquitto_db *db, struct mosquitto *conte
+ 	}
+ 
+ 	acl_root = db->acl_patterns;
++
++	if(acl_root){
++		/* We are using pattern based acls. Check whether the username or
++		 * client id contains a +, # or / and if so deny access.
++		 *
++		 * Without this, a malicious client may configure its username/client
++		 * id to bypass ACL checks (or have a username/client id that cannot
++		 * publish or receive messages to its own place in the hierarchy).
++		 */
++		if(context->username && strpbrk(context->username, "+#/")){
++			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous username \"%s\"", context->username);
++			return MOSQ_ERR_ACL_DENIED;
++		}
++
++		if(context->id && strpbrk(context->id, "+#/")){
++			_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "ACL denying access to client with dangerous client id \"%s\"", context->id);
++			return MOSQ_ERR_ACL_DENIED;
++		}
++	}
++
+ 	/* Loop through all pattern ACLs. */
+ 	clen = strlen(context->id);
+ 	while(acl_root){
diff -Nru mosquitto-1.4.8/debian/patches/series mosquitto-1.4.8/debian/patches/series
--- mosquitto-1.4.8/debian/patches/series	2016-02-14 16:06:49.000000000 +0100
+++ mosquitto-1.4.8/debian/patches/series	2017-05-30 11:26:50.000000000 +0200
@@ -5,3 +5,4 @@
 enable-websockets.patch
 libdir.patch
 build-timestamp.patch
+mosquitto-1.4.10_cve-2017-7650.patch