git: e220d6ed93a7 - main - net/mosquitto: Update to 2.0.10 and solve NULL pointer dereference
Craig Leres
leres at FreeBSD.org
Sat Jul 24 21:14:56 UTC 2021
The branch main has been updated by leres:
URL: https://cgit.FreeBSD.org/ports/commit/?id=e220d6ed93a7e736c1972c8a864737641d818067
commit e220d6ed93a7e736c1972c8a864737641d818067
Author: Craig Leres <leres at FreeBSD.org>
AuthorDate: 2021-07-24 21:14:01 +0000
Commit: Craig Leres <leres at FreeBSD.org>
CommitDate: 2021-07-24 21:14:01 +0000
net/mosquitto: Update to 2.0.10 and solve NULL pointer dereference
https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt
This release fixes a DoS vulnerability:
- If an authenticated client connected with MQTT v5 sent a malformed
CONNACK message to the broker a NULL pointer dereference occurred,
most likely resulting in a segfault.
Other changes since 2.0.8:
- Set `receive-maximum` to not exceed the `-C` message count in
mosquitto_sub and mosquitto_rr, to avoid potentially lost messages.
- Fix TLS-PSK mode not working with port 8883.
- Fix possible socket leak. This would occur if a client was using
`mosquitto_loop_start()`, then if the connection failed due to
the remote server being inaccessible they called `mosquitto_loop_stop(,
true)` and recreated the mosquitto object.
- If an empty or invalid CA file was provided to the client library
for verifying the remote broker, then the initial connection
would fail but subsequent connections would succeed without
verifying the remote broker certificate.
- If an empty or invalid CA file was provided to the broker for
verifying the remote broker for an outgoing bridge connection
then the initial connection would fail but subsequent connections
would succeed without verifying the remote broker certificate.
- Fix encrypted bridge connections incorrectly connecting when
`bridge_cafile` is empty or invalid.
- Fix `tls_version` behaviour not matching documentation.
- Fix messages to `$` prefixed topics being rejected.
- Fix QoS 0 messages not being delivered when max_queued_bytes was
configured.
- Fix bridge increasing backoff calculation.
- Improve handling of invalid combinations of listener address and
bind interface configurations.
- Fix `max_keepalive` option not applying to clients connecting
with keepalive set to 0.
- Fix encrypted connections incorrectly connecting when the CA
file passed to `mosquitto_tls_set()` is empty or invalid.
PR: 255229
Reported by: Daniel Engberg
Approved by: joe at thrallingpenguin.com (maintainer)
MFH: 2021Q3
Security: cc553d79-e1f0-4b94-89f2-bacad42ee826
---
net/mosquitto/Makefile | 4 ++--
net/mosquitto/distinfo | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/mosquitto/Makefile b/net/mosquitto/Makefile
index 3aeb8c355b46..740405a39144 100644
--- a/net/mosquitto/Makefile
+++ b/net/mosquitto/Makefile
@@ -1,9 +1,9 @@
# Created by: Joseph Benden <joe at thrallingpenguin.com>
PORTNAME= mosquitto
-PORTVERSION= 2.0.8
+PORTVERSION= 2.0.10
CATEGORIES= net
-MASTER_SITES= http://mosquitto.org/files/source/
+MASTER_SITES= https://mosquitto.org/files/source/
MAINTAINER= joe at thrallingpenguin.com
COMMENT= Open source MQTT broker
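Review bot: The `MASTER_SITES` switch from `http://` to `https://` is not mentioned anywhere in the commit message, which only describes the version bump and the upstream fixes. It is a reasonable hardening of the fetch path, but it changes how every user of the port retrieves the distfile, so it deserves a line in the log (for example "Switch MASTER_SITES to https"). The checksum in distinfo remains the actual integrity check, so the scheme change is defense in depth and not a substitute for it.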
diff --git a/net/mosquitto/distinfo b/net/mosquitto/distinfo
index 3a80f21e8a5f..fec3d35813f8 100644
--- a/net/mosquitto/distinfo
+++ b/net/mosquitto/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1615114358
-SHA256 (mosquitto-2.0.8.tar.gz) = b15da8fc4edcb91d554e1259e220ea0173ef639ceaa4b465e06feb7e125b84bf
-SIZE (mosquitto-2.0.8.tar.gz) = 756636
+TIMESTAMP = 1627146562
+SHA256 (mosquitto-2.0.10.tar.gz) = 0188f7b21b91d6d80e992b8d6116ba851468b3bd154030e8a003ed28fb6f4a44
+SIZE (mosquitto-2.0.10.tar.gz) = 759106
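Review bot: The new `SHA256` and `SIZE` lines are the only thing pinning the contents of `mosquitto-2.0.10.tar.gz`, and the commit message does not record how the tarball was checked against upstream before these values were generated. For a security-driven update, consider verifying the download against a signature or checksum published by upstream before regenerating distinfo, and say so in the log, so the pinned hash is known to describe the upstream release and not merely whatever was fetched at the time of the `TIMESTAMP`.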