mosquitto (1.4.10-3+deb9u5) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Don't dereference a null message. CVE-2017-7655

 -- Anton Gladky <gladk@debian.org>  Tue, 26 Oct 2021 22:24:15 +0200

mosquitto (1.4.10-3+deb9u4) stretch-security; urgency=high

  * Fix potential crash when reloading persistence file. (closes: #922071).

 -- Roger A. Light <roger@atchoo.org>  Wed, 13 Feb 2019 00:45:38 +0000

mosquitto (1.4.10-3+deb9u3) stretch-security; urgency=high

  * SECURITY UPDATE: If Mosquitto is configured to use a password file for
    authentication, any malformed data in the password file will be treated as
    valid. This typically means that the malformed data becomes a username and
    no password. If this occurs, clients can circumvent authentication and get
    access to the broker by using the malformed username. In particular, a blank
    line will be treated as a valid empty username. Other security measures are
    unaffected. Users who have only used the mosquitto_passwd utility to create
    and modify their password files are unaffected by this vulnerability.
    - debian/patches/mosquitto-1.4.x-cve-2018-12551.patch: this fix introduces
      more stringent parsing tests on the password file data.
    - CVE-2018-12551
  * SECURITY UPDATE: If an ACL file is empty, or has only blank lines or
    comments, then mosquitto treats the ACL file as not being defined, which
    means that no topic access is denied. Although denying access to all
    topics is not a useful configuration, this behaviour is unexpected and
    could lead to access being incorrectly granted in some circumstances.
    - debian/patches/mosquitto-1.4.x-cve-2018-12550.patch: this fix ensures
      that if an ACL file is defined but no rules are defined, then access will
      be denied.
    - CVE-2018-12550
  * SECURITY UPDATE: If a client publishes a retained message to a topic that
    they have access to, and then their access to that topic is revoked, the
    retained message will still be delivered to future subscribers. This
    behaviour may be undesirable in some applications, so a configuration
    option `check_retain_source` has been introduced to enforce checking of
    the retained message source on publish.
    - debian/patches/mosquitto-1.4.9-1.4.14-cve-2018-12546.patch: this patch stores
      the originator of the retained message, so security checking can be
      carried out before re-publishing. The complexity of the patch is due to
      the need to save this information across broker restarts.
    - CVE-2018-12546

 -- Roger A. Light <roger@atchoo.org>  Wed, 06 Feb 2019 17:03:31 +0000
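
The password-file and empty-ACL-file behaviour described in this entry (CVE-2018-12551 and CVE-2018-12550), as an added Python example that is not part of the changelog or of mosquitto itself; the "user:hash" and "user"/"topic" line layouts are assumed and the sample file contents are constructed.

```python
# Added example, not mosquitto's own code: strict password-file parsing
# (CVE-2018-12551) and deny-all for an ACL file with no rules (CVE-2018-12550).
# The "user:hash" and "user"/"topic" line layouts are assumed; samples are constructed.
from typing import Dict, List, Optional, Tuple
SAMPLE_PASSWD = "alice:$6$constructedsalt$constructedhash\n# comment\n\n"  # ends blank
SAMPLE_ACL = "topic read status\nuser alice\ntopic readwrite alice/data\n"
EMPTY_ACL = "# comments and blank lines only\n\n"

def parse_password_file(text: str, strict: bool = True) -> Dict[str, Optional[str]]:
    """strict=False mimics the pre-fix behaviour: a malformed line (e.g. blank)
    becomes a username with no password. strict=True skips blank lines and
    rejects any line that is not nonempty-user ':' nonempty-hash."""
    users: Dict[str, Optional[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        user, sep, stored = raw.partition(":")
        if not strict:
            users[user] = stored or None  # blank line -> user "" with no password
            continue
        if not raw.strip():
            continue
        if not sep or not user.strip() or not stored.strip():
            raise ValueError(f"malformed password file line {lineno}: {raw!r}")
        users[user] = stored
    return users

def authenticate(users: Dict[str, Optional[str]], username: str, presented: Optional[str]) -> bool:
    # Stand-in for hash verification; presented is None when the client sent no password.
    return username in users and users[username] == presented

def acl_allows(acl_text: Optional[str], username: str, topic: str) -> bool:
    """'user <name>' opens a section, 'topic [access] <name>' grants that topic,
    topic lines before any user line apply to all clients. None = no ACL file."""
    if acl_text is None:
        return True  # no ACL file configured: nothing restricted
    rules: List[Tuple[Optional[str], str]] = []
    current: Optional[str] = None
    for raw in acl_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "user" and len(parts) == 2:
            current = parts[1]
        elif parts[0] == "topic" and len(parts) >= 2:
            rules.append((current, parts[-1]))
    if not rules:
        return False  # file defined but empty: deny all, not "no ACL defined"
    return any(u in (None, username) and t == topic for u, t in rules)
```

With strict=False the trailing blank line of SAMPLE_PASSWD yields an empty username with no password, so a client presenting that username and no password passes; with strict=True the line is skipped and the same login fails.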

mosquitto (1.4.10-3+deb9u2) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * fix for CVE-2017-7654
  * fix for CVE-2017-7653
  * fix for CVE-2017-7652
  * fix for CVE-2017-7651

 -- Thorsten Alteholz <debian@alteholz.de>  Wed, 17 Oct 2018 19:03:03 +0200

mosquitto (1.4.10-3+deb9u1) stretch; urgency=medium

  * SECURITY UPDATE: Mosquitto persistence file is world readable.
    - debian/patches/mosquitto-1.4.x_cve-2017-9868.patch: Set umask to limit
      read permissions.
    - CVE-2017-9868

 -- Roger A. Light <roger@atchoo.org>  Fri, 22 Dec 2017 08:19:25 +0000

mosquitto (1.4.10-3) unstable; urgency=high

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
    set to '+' or '#'.
    - debian/patches/mosquitto-0.15_cve-2017-7650.patch: Reject send/receive
      of messages to/from clients with a '+', '#' or '/' in their
      username/client id.
    - CVE-2017-7650
  * New patch debian/patches/allow_ipv6_bridges.patch allows bridges to make
    IPv6 connections when using TLS (closes: #857759).

 -- Roger A. Light <roger@atchoo.org>  Mon, 29 May 2017 13:43:29 +0100

mosquitto (1.4.10-2) unstable; urgency=medium

  * Bumped standards version to 3.9.8. No changes needed.
  * Bumped dh compat level to 10.
  * Vcs-* links updated.

 -- Roger A. Light <roger@atchoo.org>  Thu, 03 Nov 2016 22:37:33 +0000

mosquitto (1.4.10-1) unstable; urgency=low

  * New upstream release.
  * Add support for openssl 1.1.0 (closes: #828442)
  * Fix FTBFS on Hurd (closes: #824571)

 -- Roger A. Light <roger@atchoo.org>  Thu, 27 Oct 2016 14:01:40 +0100

mosquitto (1.4.8-1) unstable; urgency=high

  * New upstream release.
  * apparmor is now "suggests" instead of "depends".

 -- Roger A. Light <roger@atchoo.org>  Sun, 14 Feb 2016 15:06:55 +0000

mosquitto (1.4.7-1) unstable; urgency=low

  * New upstream release. Includes support for libwebsockets 1.6.
  * Add dependency link between libmosquittopp-dev and libmosquitto-dev
    (closes: #805506).
  * Dropped misc:Pre-Depends line for libmosquitto1. See #783898.
  * libc-ares2 Depends is handled by shlib:Depends for libmosquitto1.

 -- Roger A. Light <roger@atchoo.org>  Mon, 21 Dec 2015 10:59:31 +0000

mosquitto (1.4.4-1) unstable; urgency=low

  * New upstream release.
  * Fix Vcs link.
  * Note that libs & clients also support MQTT v3.1.1.

 -- Roger A. Light <roger@atchoo.org>  Mon, 21 Sep 2015 09:56:28 +0100

mosquitto (1.4.3-1) unstable; urgency=low

  * New upstream release.
  * New binary package mosquitto-dev.
  * python3-mosquitto and python-mosquitto packages removed because the python
    module is no longer part of upstream.
  * Remove unused patches (pynomake.patch and disable-bad-test.patch)
  * Added dependency on libwebsockets3, uuid. Note that the source package
    will build (and actually prefers) using libwebsockets4 when it becomes
    available. This adds the patch enable-websockets.patch.
  * Upstream license has changed from BSD-3 to EPL-1.0 or EDL-1.0.
  * Fix log directory permissions.
  * Port to multiarch (closes: #763385) - adds libdir.patch
  * Symbols update
  * Patch refresh
  * Add build-timestamp.patch to create reproducible builds.
  * Add support for apparmor.

 -- Roger A. Light <roger@atchoo.org>  Wed, 19 Aug 2015 10:31:10 +0100

mosquitto (1.3.4-2) unstable; urgency=low

  * Disable bad "fake ca" test.

 -- Roger A. Light <roger@atchoo.org>  Sat, 16 Aug 2014 10:52:12 +0100

mosquitto (1.3.4-1) unstable; urgency=medium

  * New upstream release: http://mosquitto.org/2014/08/version-1-3-4-released/
    (closes: #725014, #754787)
  * Add dependency on libuuid, c-ares.
  * Bumped standards version to 3.9.5. No changes needed.
  * Example config files are now installed to
    /usr/share/doc/mosquitto/examples/
  * debian/copyright year updated.
  * compiling.txt is no longer distributed.
  * Updated debian/copyright with new dates.

 -- Roger A. Light <roger@atchoo.org>  Wed, 06 Aug 2014 00:43:39 +0100

mosquitto (1.2.1-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2013/09/version-1-2-1-released/
  * Add Replaces/Break for libmosquitto-dev and libmosquittopp-dev
    (closes: #720637, #720638).

 -- Roger A. Light <roger@atchoo.org>  Wed, 18 Sep 2013 21:36:01 +0100

mosquitto (1.2-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2013/08/version-1-2-released/
    (closes: #685119).
  * Bumped standards release to 3.9.4. No changes needed.
  * Added mosquitto-dbg package for binary debug information.
  * Added python3-mosquitto binary package.
  * Use dh_python2 (and dh_python3) instead of python-support.
  * mosquitto now logs to /var/log/mosquitto/ using logrotate.
  * mosquitto local config should now be placed in /etc/mosquitto/conf.d/

 -- Roger A. Light <roger@atchoo.org>  Wed, 07 Aug 2013 23:26:19 +0100

mosquitto (0.15-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2012/02/version-0-15-released/
  * Updated debian/copyright to latest DEP-5.
  * Removed now unnecessary man-hyphen-minus.patch.

 -- Roger A. Light <roger@atchoo.org>  Sun, 05 Feb 2012 09:30:22 +0000

mosquitto (0.12-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2011/07/version-0-12-released/

 -- Roger A. Light <roger@atchoo.org>  Mon, 25 Jul 2011 22:24:52 +0100

mosquitto (0.11.3-1) unstable; urgency=low

  * New upstream release: http://mosquitto.org/2011/07/version-0-11-3-released/
  * Fix init script start action to create pidfile so stop works correctly.
    (thanks to Mark Hindess, closes: #632589)
  * Fix section for client libraries in debian/control.
  * Remove disable-cmake.patch, this is handled in debian/rules now.

 -- Roger A. Light <roger@atchoo.org>  Wed, 6 July 2011 15:07:04 +0100

mosquitto (0.10-1) unstable; urgency=low

  * Initial release. (Closes: #605319)

 -- Roger A. Light <roger@atchoo.org>  Sun, 1 May 2011 20:12:51 +0100
