[ASA-201707-16] mosquitto: information disclosure
Arch Linux Security Advisory ASA-201707-16
==========================================

Severity: Medium
Date    : 2017-07-16
CVE-ID  : CVE-2017-9868
Package : mosquitto
Type    : information disclosure
Remote  : No
Link    :

Summary
=======

The package mosquitto before version 1.4.14-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 1.4.14-1.

# pacman -Syu "mosquitto>=1.4.14-1"

The problem has been fixed upstream in version 1.4.14.

Workaround
==========

None.

Description
===========

In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is
world readable, which allows local users to obtain sensitive MQTT topic
information.

Impact
======

A local attacker could access sensitive information by reading the
mosquitto.db.

References
==========
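
To audit a host for the exposure in the Description section, the added example below (not part of the advisory or of Mosquitto) checks whether a given persistence file is readable by "other" users and whether every parent directory lets them reach it. The function names are hypothetical, the file path is supplied by the caller, and GNU `stat` and `readlink -f` are assumed; only mode bits are examined, not ACLs.

```shell
#!/bin/sh
# Added example: is a file readable AND reachable by "other" local users?
# Looks at classic mode bits only; POSIX ACLs are not considered.

# Print the "other" permission digit (last octal digit of the mode).
other_bits() {
    mode=$(stat -c '%a' -- "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# Return 0 if exposed, 1 if not exposed, 2 if the path cannot be inspected.
other_can_read() {
    target=$(readlink -f -- "$1") || return 2
    [ -f "$target" ] || return 2
    bits=$(other_bits "$target") || return 2
    # The read bit (4) must be set on the file itself.
    [ $((bits & 4)) -ne 0 ] || return 1
    dir=$(dirname -- "$target")
    while :; do
        bits=$(other_bits "$dir") || return 2
        # The search bit (1) must be set on every directory up to /.
        [ $((bits & 1)) -ne 0 ] || return 1
        [ "$dir" = "/" ] && break
        dir=$(dirname -- "$dir")
    done
    return 0
}

# Stand-alone use: pass the persistence file path as the first argument.
if [ "$#" -gt 0 ]; then
    rc=0
    other_can_read "$1" || rc=$?
    case $rc in
        0) echo "EXPOSED: other users can read $1" ;;
        1) echo "OK: $1 is not readable by other users" ;;
        *) echo "ERROR: cannot inspect $1" >&2 ;;
    esac
fi
```

A world-readable file inside a directory that denies search permission to "other" is reported as not exposed, which is why the walk up to `/` matters.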