Version 2.0.12 released.

Version 2.0.12 of Mosquitto has been released. This is a security
and bugfix release.

Security

  • An MQTT v5 client connecting with a large number of user-property properties
    could cause excessive CPU usage, leading to a loss of performance and
    possible denial of service. This has been fixed.
  • Fix max_keepalive not applying to MQTT v3.1.1 and v3.1 connections.
    These clients are now rejected if their keepalive value exceeds
    max_keepalive. This option allows CVE-2020-13849, which is for the MQTT
    v3.1.1 protocol itself rather than an implementation, to be addressed.
  • Using certain listener-related configuration options (e.g. cafile) that
    apply to the default listener, without defining any listener, would cause a
    remotely accessible listener to be opened that was not confined to the local
    machine and had anonymous access enabled, contrary to the documentation.
    This has been fixed. Closes #2283.
  • CVE-2021-34434: If a plugin had granted ACL subscription access to a
    durable/non-clean-session client, then removed that access, the client would
    keep its existing subscription. This has been fixed.
  • Incoming QoS 2 messages that had not completed the QoS flow were not being
    checked for ACL access when a clean session=False client was reconnecting.
    This has been fixed.
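The two configuration-level items above (listener-scoped options such as cafile used without any listener line, and max_keepalive now being enforced for MQTT v3.1/v3.1.1 clients) are easy to check for in a broker's own mosquitto.conf. The following linter is an added example and is not part of the Mosquitto project; it assumes the plain "option value" line format of mosquitto.conf with "#" comments, uses a hand-picked subset of the real listener-scoped option names (cafile, capath, certfile, keyfile, psk_hint, psk_file, require_certificate), and applies only the rejection rule the release notes state for v3.1/v3.1.1 clients. The two configurations it is run on are constructed samples.

```python
"""Check a mosquitto.conf for the configuration patterns named in the
2.0.12 security notes.  Added example, not Mosquitto project code."""
from __future__ import annotations

# Subset of listener-scoped TLS/PSK options (chosen for this example).  Before
# 2.0.12, setting any of these with no "listener" line silently opened a
# remotely reachable default listener with anonymous access enabled.
LISTENER_SCOPED = {"cafile", "capath", "certfile", "keyfile",
                   "psk_hint", "psk_file", "require_certificate"}

# Constructed sample: TLS material configured, but no "listener" line at all.
UNSAFE_CONF = """\
# constructed sample: TLS options given, but no 'listener' line at all
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
"""

# Constructed sample: explicit listener, explicit auth and keepalive policy.
SAFE_CONF = """\
# constructed sample: explicit listener, explicit auth and keepalive policy
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
allow_anonymous false
max_keepalive 120
"""


def parse_conf(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, option, value) for each non-blank, non-comment line."""
    entries: list[tuple[int, str, str]] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)            # "option value..." -> two fields
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((line_no, parts[0], value))
    return entries


def lint(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    options = {opt for _, opt, _ in parse_conf(text)}
    findings: list[str] = []

    # The exact condition from the release notes: listener-scoped options
    # present while no "listener" line exists anywhere in the file.
    if "listener" not in options:
        scoped = sorted(options & LISTENER_SCOPED)
        if scoped:
            findings.append(
                "listener-scoped options without any 'listener' line: "
                + ", ".join(scoped))

    # Anonymous access and the keepalive ceiling should be stated explicitly
    # rather than left to defaults, so the intent is visible in review.
    if "allow_anonymous" not in options:
        findings.append("'allow_anonymous' is not set explicitly")
    if "max_keepalive" not in options:
        findings.append("'max_keepalive' is not set explicitly")
    return findings


def v3_keepalive_accepted(client_keepalive: int, max_keepalive: int) -> bool:
    """Rule stated in the 2.0.12 notes for MQTT v3.1 / v3.1.1 clients:
    the connection is rejected when the client's keepalive exceeds
    max_keepalive.  Any handling of special values is out of scope here."""
    return client_keepalive <= max_keepalive


if __name__ == "__main__":
    for name, conf in (("UNSAFE_CONF", UNSAFE_CONF), ("SAFE_CONF", SAFE_CONF)):
        print(f"{name}:")
        for finding in lint(conf) or ["no findings"]:
            print("  -", finding)
    print("v3.1.1 client keepalive 300 with max_keepalive 120 accepted:",
          v3_keepalive_accepted(300, 120))
```

Run against the first sample it reports three findings (the listener-scoped options without a listener, plus the two missing explicit settings); against the second it reports none. The check deliberately mirrors only the condition the notes describe (options present, no listener line anywhere), not Mosquitto's full option-scoping rules.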

Broker

  • Fix possible out of bounds memory reads when reading a corrupt/crafted
    configuration file. Unless your configuration file is writable by untrusted
    users this is not a risk. Closes #567213.
  • Fix max_connections option not being correctly counted.
  • Fix TLS certificates and TLS-PSK not being able to be configured at the same
    time.
  • Disable TLS v1.3 when using TLS-PSK, because it isn’t correctly configured.
  • Fix max_keepalive not applying to MQTT v3.1.1 and v3.1 connections.
    These clients are now rejected if their keepalive value exceeds
    max_keepalive. This option allows CVE-2020-13849, which is for the MQTT
    v3.1.1 protocol itself rather than an implementation, to be addressed.
  • Fix broker not quitting if e.g. the password_file is specified as a
    directory. Closes #2241.
  • Fix listener mount_point not being removed on outgoing messages.
    Closes #2244.
  • Strict protocol compliance fixes, plus test suite.
  • Fix $share subscriptions not being recovered for durable clients that
    reconnect.
  • Update plugin configuration documentation. Closes #2286.

Client library

  • If a client uses TLS-PSK then force the default cipher list to use “PSK”
    ciphers only. This means that a client connecting to a broker configured
    with x509 certificates only will now fail. Prior to this, the client would
    connect successfully without verifying certificates, because they were not
    configured.
  • Disable TLS v1.3 when using TLS-PSK, because it isn’t correctly configured.
  • Threaded mode is deconfigured when the mosquitto_loop_start() thread ends,
    which allows mosquitto_loop_start() to be called again. Closes #2242.
  • Fix MOSQ_OPT_SSL_CTX not being able to be set to NULL. Closes #2289.
  • Fix reconnecting failing when MOSQ_OPT_TLS_USE_OS_CERTS was in use, but none
    of capath, cafile, psk, nor MOSQ_OPT_SSL_CTX were set, and
    MOSQ_OPT_SSL_CTX_WITH_DEFAULTS was set to the default value of true.
    Closes #2288.

Apps

  • Fix mosquitto_ctrl dynsec setDefaultACLAccess command not working.

Clients

  • mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows
    so binary payloads are not modified when printing.
  • Document TLS certificate behaviour when using -p 8883.

Build

  • Fix installation using WITH_TLS=no. Closes #2281.
  • Fix builds with libressl 3.4.0. Closes #2198.
  • Remove some unnecessary code guards related to libressl.
  • Fix printf format build warning on MIPS. Closes #2271.