Bug#696895: marked as done (mosquitto: Topic access can be incorrectly granted to all clients)

[Debian Bug Tracking System]

Your message dated Sat, 29 Dec 2012 18:47:38 +0000
with message-id <e1tp1ra-0005hg...@franck.debian.org>
and subject line Bug#696895: fixed in mosquitto 0.15-2
has caused the Debian Bug report #696895,
regarding mosquitto: Topic access can be incorrectly granted to all clients
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
696895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: mosquitto
Version: 0.15-1
Severity: grave
Tags: upstream security
Justification: user security hole

When the acl_file option is in use to specify topic access control, if only
pattern access is used then all clients can obtain access regardless of the ACL
restrictions. This allows MQTT clients to access data that they shouldn't, but
does not affect security of the system.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5.0-19-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages mosquitto depends on:
ii  adduser   3.113+nmu3
ii  libc6     2.13-37
ii  libwrap0  7.6.q-24
ii  lsb-base  4.1+Debian9

mosquitto recommends no packages.

mosquitto suggests no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: mosquitto
Source-Version: 0.15-2

We believe that the bug you reported is fixed in the latest version of
mosquitto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roger A. Light <ro...@atchoo.org> (supplier of updated mosquitto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 28 Dec 2012 22:55:03 +0000
Source: mosquitto
Binary: mosquitto libmosquitto0 libmosquitto0-dev libmosquittopp0 
libmosquittopp0-dev mosquitto-clients python-mosquitto
Architecture: source amd64 all
Version: 0.15-2
Distribution: unstable
Urgency: low
Maintainer: Roger A. Light <ro...@atchoo.org>
Changed-By: Roger A. Light <ro...@atchoo.org>
Description: 
 libmosquitto0 - MQTT version 3.1 client library
 libmosquitto0-dev - MQTT version 3.1 client library, development files
 libmosquittopp0 - MQTT version 3.1 client C++ library
 libmosquittopp0-dev - MQTT version 3.1 client C++ library, development files
 mosquitto  - MQTT version 3.1 compatible message broker
 mosquitto-clients - Mosquitto command line MQTT clients
 python-mosquitto - MQTT version 3.1 client library, python bindings
Closes: 696889 696891 696895
Changes: 
 mosquitto (0.15-2) unstable; urgency=low
 .
   * Fix broker crash when a client connects with a bad protocol version.
     (Closes: #696889)
   * Fix the possibility of topic access being granted when only acl_patterns
     is in use. (Closes: #696895)
   * Fix persistence option reloading. (Closes: #696891)
Checksums-Sha1: 
 189b473bc76b94146fd3af676a8fc1351e33f4aa 2222 mosquitto_0.15-2.dsc
 06056fda01fe697dd5cc45b166b02cb7a9c6f02b 7237 mosquitto_0.15-2.debian.tar.gz
 5e8744a81e18a73f353ca3a54e502ef5788620e0 68096 mosquitto_0.15-2_amd64.deb
 0cb4330945f839e4205629307ac61a8f2d1e8ea7 25452 libmosquitto0_0.15-2_amd64.deb
 d804f9bdb44c79aaae2ad960e2f98aac72cbe2c5 20136 libmosquitto0-dev_0.15-2_all.deb
 ffe3222a7d56757d1cf66d8b405cd846ed5ce1cf 15892 libmosquittopp0_0.15-2_amd64.deb
 899dcff293f6a39ece92b884ea2953e7c646f2bd 12378 
libmosquittopp0-dev_0.15-2_all.deb
 336757d4eb70da0e60063f2ec58ee3ad691342b9 27928 
mosquitto-clients_0.15-2_amd64.deb
 c7fe9fc12642e5034ed60c482d411632e48d1aed 17982 python-mosquitto_0.15-2_all.deb
Checksums-Sha256: 
 a7a820b7866cf3628c2abab1a3a9d63e3d39dc5c81f463c1a3e5081194b3ddba 2222 
mosquitto_0.15-2.dsc
 640681cc0c53ffffea58be4427257a01939ab3b60f52860a3368d3fd9c6ff991 7237 
mosquitto_0.15-2.debian.tar.gz
 0e57f9dc95ece1f186359595253b9f0e2479deaa261dfd28fbb2cdba3e7f075c 68096 
mosquitto_0.15-2_amd64.deb
 6e4a80e8b1281ce241c301fd05838e3f2511fda44ed590be390bba21142e1fde 25452 
libmosquitto0_0.15-2_amd64.deb
 cc706da3ec11dee7ea094491e6f97493ed7439b41ce3395e04e65abad9a7cda4 20136 
libmosquitto0-dev_0.15-2_all.deb
 5c032a206ccd0ea3c1d3437bb0e5c442959a44c6b34dc25eaea3d09de87520bf 15892 
libmosquittopp0_0.15-2_amd64.deb
 01b73587aff7b6075dfed04df6f629d96979493274c52441c6be98460e9aa184 12378 
libmosquittopp0-dev_0.15-2_all.deb
 b5f4b000490f28c0445698e16e4693adc1c59efa5640c147bfee27ee89682bd1 27928 
mosquitto-clients_0.15-2_amd64.deb
 21dfa13c7c0fbce1fcdd45a8265a4e04cfd14f923a5afd98f5ee9ced142e0424 17982 
python-mosquitto_0.15-2_all.deb
Files: 
 68358aaa10b75d2796a3fcfe38184363 2222 net optional mosquitto_0.15-2.dsc
 c32a5280fa2ec3b60b3129b4bf90077c 7237 net optional 
mosquitto_0.15-2.debian.tar.gz
 daf0a196409d3bf60388ff84c800ca2b 68096 net optional mosquitto_0.15-2_amd64.deb
 972e2a66aa5d5b26318bce099838ea2a 25452 libs optional 
libmosquitto0_0.15-2_amd64.deb
 4a473862a1970a986a4f7ce54862a8e3 20136 libdevel optional 
libmosquitto0-dev_0.15-2_all.deb
 310b4853d24c414f0198b38f91200613 15892 libs optional 
libmosquittopp0_0.15-2_amd64.deb
 35a19ad95c04a05cba16d608dca3ef72 12378 libdevel optional 
libmosquittopp0-dev_0.15-2_all.deb
 535be0bd37c2d8770b35120f72e18385 27928 net optional 
mosquitto-clients_0.15-2_amd64.deb
 36f5a12f64468a898a7df163ab27adf5 17982 python optional 
python-mosquitto_0.15-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQ3zXQAAoJELgqIXr9/gnyorIP/jlUVr1QXCZOvNlsusln4d1P
aFrzJEh60PH/6sZt7f5Ict0zNs8I+vwG2uwbZQ+yblIlmTKrxErUvxqu6H214zk8
7L2+Hi3hBADwYVsxa9Gy8NfBw6jGTCcX9HDk6Z18iZV3WW9xrW4qPAEEQl/hp3Sr
qjZoDkGi3BMFMThAz+2nILfecYsqk2D0SWSy46iXRsrbDmP3vG5FG/PzT4RpTZG/
oI5aig1SQyeXPdlCc95Rq/45tXp3jkLuslToEs7BkYaYPjZluCmYSsSpQO2fzgSq
qHX0NQ5KcQ377kyzQq22M/sebp+HXF4bAu/94Ei5/l8JGKQKfrVh7wwoOk/PGErT
aGos+La+uSNEBaIxqWX0XgcsvI5XxvizrTwNUeDbmyGEajbjg3C2Es13RYR39XZ2
+ojN4RJn3eb5UvhV91l7C2zYwgKdtyjZGquXQVJR8r1gNtURNQLWoDdOEB51HpWo
WGXr+ZsVUeKPKbP4CWu+B/1JIGx67kry5GJ+3uSGHPQj5muySIsbVczgK2BG8mip
A2vITvqm88QwLiweOiuRoC8lLUPvzgfKzaMRCPirwjEyccC6ddFSFrpA2cjF8Uf0
EpUOXud7M60REPaChCplGHXbygSPsJWvLWwZ0eAHOdTESZwtIORtZQr/xP8zpAWs
+YTxwSpR+OrwgCUQf6o9
=ZP2l
-----END PGP SIGNATURE-----

--- End Message ---