1eef58684c
This is a security and bug fix release. Security: - CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2 messages with the same message ID, but then never respond to the PUBREC commands. - CVE-2023-0809: Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets. - CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types. - Broker will now reject Will messages that attempt to publish to $CONTROL/. - Broker now validates usernames provided in a TLS certificate or TLS-PSK identity are valid UTF-8. - Fix potential crash when loading invalid persistence file. - Library will no longer allow single level wildcard certificates, e.g. *.com Bugfixes of note or relevance to OpenWrt: - Fix bridges with non-matching cleansession/local_cleansession being expired on start after restoring from persistence. Closes #2634. Client library: - Use CLOCK_BOOTTIME when available, to keep track of time. This solves the problem of the client OS sleeping and the client hence not being able to calculate the actual time for keepalive purposes. Closes #2760. Full changelog available at: https://github.com/eclipse/mosquitto/blob/v2.0.16/ChangeLog.txt plus: https://github.com/eclipse/mosquitto/blob/v2.0.17/ChangeLog.txt (2.0.17 fixes regressions from the 2.0.16 release) Signed-off-by: Karl Palsson <karlp@tweak.au> |
||
|---|---|---|
| .. | ||
| files/etc | ||
| Config.in | ||
| Makefile | ||