mosquitto (1.3.4-2+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team. 
  * CVE-2019-11779
    Fix for processing a crafted SUBSCRIBE packet containing a topic
    that consists of approximately 65400 or more '/' characters.
    (setting TOPIC_HIERARCHY_LIMIT to 200)
  * CVE-2018-12550
    An ACL file with no statements was treated as having a default
    allow policy. The new behaviour of an empty ACL file is a default
    policy of access denied.
    (this is in compliance with all newer releases)
  * CVE-2018-12551
    Malformed authentication data in the password file could allow
    clients to circumvent authentication and get access to the broker.
  * CVE-2017-7655
    A Null dereference vulnerability in the Mosquitto library could
    lead to crashes for those applications using the library.

 -- Thorsten Alteholz <debian@alteholz.de>  Thu, 24 Oct 2019 19:03:02 +0200

mosquitto (1.3.4-2+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team. 
  * fix for CVE-2017-9868
  * fix for CVE-2017-7654
  * fix for CVE-2017-7653

 -- Thorsten Alteholz <debian@alteholz.de>  Fri, 28 Sep 2018 19:03:02 +0200

mosquitto (1.3.4-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team. 
  * CVE-2017-7651
    fix to avoid extraordinary memory consumption by crafted 
    CONNECT packet from unauthenticated client
  * CVE-2017-7652
    in case all sockets/file descriptors are exhausted, this is a 
    fix to avoid default config values after reloading configuration
    by SIGHUP signal

 -- Thorsten Alteholz <debian@alteholz.de>  Fri, 29 Jun 2018 19:03:02 +0200

mosquitto (1.3.4-2+deb8u1) jessie-security; urgency=high

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#'.
    - debian/patches/mosquitto-1.3.4_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650

 -- Roger A. Light <roger@atchoo.org>  Tue, 23 May 2017 22:14:40 +0100

mosquitto (1.3.4-2) unstable; urgency=low

  * Disable bad "fake ca" test.

 -- Roger A. Light <roger@atchoo.org>  Sat, 16 Aug 2014 10:52:12 +0100

mosquitto (1.3.4-1) unstable; urgency=medium

  * New upstream release: http://mosquitto.org/2014/08/version-1-3-4-released/
   (closes: #725014, #754787)
  * Add dependency on libuuid, c-ares.
  * Bumped standards version to 3.9.5. No changes needed.
  * Example config files are now installed to
    /usr/share/doc/mosquitto/examples/
  * debian/copyright year updated.
  * compiling.txt is no longer distributed.
  * Updated debian/copyright with new dates.

 -- Roger A. Light <roger@atchoo.org>  Wed, 06 Aug 2014 00:43:39 +0100

mosquitto (1.2.1-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2013/09/version-1-2-1-released/
  * Add Replaces/Break for libmosquitto-dev and libmosquittopp-dev
    (closes: #720637, #720638).

 -- Roger A. Light <roger@atchoo.org>  Wed, 18 Sep 2013 21:36:01 +0100

mosquitto (1.2-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2013/08/version-1-2-released/
    (closes: #685119).
  * Bumped standards release to 3.9.4. No changes needed.
  * Added mosquitto-dbg package for binary debug information.
  * Added python3-mosquitto binary package.
  * Use dh_python2 (and dh_python3) instead of python-support.
  * mosquitto now logs to /var/log/mosquitto/ using logrotate.
  * mosquitto local config should now be placed in /etc/mosquitto/conf.d/

 -- Roger A. Light <roger@atchoo.org>  Wed, 07 Aug 2013 23:26:19 +0100

mosquitto (0.15-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2012/02/version-0-15-released/
  * Updated debian/copyright to latest DEP-5.
  * Removed now unnecessary man-hyphen-minus.patch.

 -- Roger A. Light <roger@atchoo.org>  Sun, 05 Feb 2012 09:30:22 +0000

mosquitto (0.12-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2011/07/version-0-12-released/

 -- Roger A. Light <roger@atchoo.org>  Mon, 25 Jul 2011 22:24:52 +0100

mosquitto (0.11.3-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2011/07/version-0-11-3-released/
  * Fix init script start action to create pidfile so stop works correctly.
    (thanks to Mark Hindess, closes: #632589)
  * Fix section for client libraries in debian/control.
  * Remove disable-cmake.patch, this is handled in debian/rules now.

 -- Roger A. Light <roger@atchoo.org>  Wed, 6 July 2011 15:07:04 +0100

mosquitto (0.10-1) unstable; urgency=low

  * Initial release. (Closes: #605319)

 -- Roger A. Light <roger@atchoo.org>  Sun, 1 May 2011 20:12:51 +0100
