mosquitto
| Link | package | bugs open | bugs closed | Wiki | GitHub | web search |
| Description | An Open Source MQTT v3.1/v3.1.1 Broker |
| Version | 1.6.9-1 [community] |
Resolved
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-772 | 1.5.1-1 | 1.5.3-1 | Medium | Fixed | |
| AVG-353 | 1.4.12-1 | 1.4.14-1 | Medium | Fixed |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2018-12543 | AVG-772 | Medium | Yes | Denial of service | If a message is sent to Mosquitto before 1.5.3 with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and... |
| CVE-2017-9868 | AVG-353 | Medium | No | Information disclosure | In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. |
Advisories
| Date | Advisory | Group | Severity | Description |
|---|---|---|---|---|
| 01 Oct 2018 | ASA-201810-1 | AVG-772 | Medium | denial of service |
| 16 Jul 2017 | ASA-201707-16 | AVG-353 | Medium | information disclosure |