Reloading mosquitto configuration when sockets are exhausted leads to default security options

Bug #1752124 reported by Roger Light on 2018-02-27
This bug report is a duplicate of: Bug #1752591: CVE-2017-7651 and CVE-2017-7652.
This bug affects 1 person
Affects: mosquitto (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

If mosquitto has used all of the available sockets/file descriptors and a SIGHUP signal is received to reload the configuration, then the reloading will fail and default options will apply for most of the configuration. This means that security options may be removed.

This bug affects all versions of mosquitto from 1.0 to 1.4.14 inclusive. It is fixed in version 1.4.15.

This has been registered as CVE-2017-7652.

Patches for current versions of mosquitto will be available at https://mosquitto.org/files/cve/2017-7652/
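
The failure mode described in this report, shown as an added example (not mosquitto's code and not part of the original report): a reload that resets live settings to defaults before parsing loses its security options when the config file cannot be opened, while a reload that parses into a scratch copy keeps them. The struct, function names, file path and config contents are hypothetical, and descriptor exhaustion is simulated by setting the soft `RLIMIT_NOFILE` to 0.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical broker settings for this example, not mosquitto's own struct. */
struct config { int allow_anonymous; };
static const struct config DEFAULTS = { 1 };   /* permissive default */

/* Returns 0 on success, -1 if the file cannot be opened (e.g. EMFILE). */
static int config_parse(struct config *c, const char *path) {
    char line[256], val[16];
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "allow_anonymous %15s", val) == 1)
            c->allow_anonymous = strcmp(val, "true") == 0;
    fclose(f);
    return 0;
}

int reload_unsafe(struct config *live, const char *path) {
    *live = DEFAULTS;               /* weak: live settings reset before the parse can fail */
    return config_parse(live, path);
}

int reload_safe(struct config *live, const char *path) {
    struct config next = DEFAULTS;  /* hardened: parse into a scratch copy */
    if (config_parse(&next, path) != 0) return -1;   /* old settings stay live */
    *live = next;
    return 0;
}

/* Loads a constructed config, reloads with no free descriptors, returns allow_anonymous. */
int anonymous_after_reload(int (*reload)(struct config *, const char *)) {
    const char *path = "/tmp/reload_demo.conf";      /* constructed sample file */
    struct config live = DEFAULTS;
    struct rlimit old, none;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("allow_anonymous false\n", f);
    fclose(f);
    if (config_parse(&live, path) != 0 || getrlimit(RLIMIT_NOFILE, &old) != 0) return -1;
    none = old; none.rlim_cur = 0;                   /* no descriptor can be opened now */
    setrlimit(RLIMIT_NOFILE, &none);
    reload(&live, path);                             /* fopen() inside fails with EMFILE */
    setrlimit(RLIMIT_NOFILE, &old);
    remove(path);
    return live.allow_anonymous;
}
```

With `reload_unsafe` the broker ends up accepting anonymous clients again after the failed reload; with `reload_safe` the previously loaded restriction is still in force.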

information type: Private Security → Public Security