Versions 2.0.11 and 1.6.15 of Mosquitto has been released. These are a security and bugfix releases. 2.0.11 Security If an authenticated client connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur. Affects versions 1.6 to 2.0.10 inclusive. Broker Fix possible crash having…
Versions 2.0.10 of Mosquitto has been released. This is a security and bugfix release. Security CVE-2021-28166: If an authenticated client connected with MQTT v5 sent a malformed CONNACK message to the broker a NULL pointer dereference occurred, most likely resulting in a segfault. This will be updated with the CVE…
Versions 2.0.9, 1.6.14, and 1.5.11 of Mosquitto have been released. These are bugfix releases and include a minor security fix. 2.0.9 Security If an empty or invalid CA file was provided to the client library for verifying the remote broker, then the initial connection would fail but subsequent connections would…
Version 2.0.13 of Mosquitto has been released. This is a bugfix release. Broker Fix max_keepalive option not being able to be set to 0. Fix LWT messages not being delivered if per_listener_settings was set to true. Closes #2314. Various fixes around inflight quota management. Closes #2306. Fix problem parsing config…
Versions 2.0.12 of Mosquitto has been released. This is a security and bugfix release. Security An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service. This has been fixed. Fix max_keepalive not…
Version 2.0.18 of Mosquitto has been released. This is a bugfix release. Broker: - Fix crash on subscribe under certain unlikely conditions. Closes #2885. Closes #2881. Clients: - Fix mosquitto_rr not honouring -R. Closes #2893.
Version 2.0.17 of Mosquitto has been released. This is a bugfix release. Broker: - Fix max_queued_messages 0 stopping clients from receiving messages. Closes #2879. - Fix max_inflight_messages not being set correctly. Closes #2876. Apps: - Fix mosquitto_passwd -U backup file creation. Closes #2873.
Version 2.0.16 of Mosquitto has been released. This is a security and bugfix release. Security CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2 messages with the same message ID, but then never respond to the PUBREC commands. CVE-2023-0809: Fix excessive memory being allocated based on malicious…
Versions 2.0.15 of Mosquitto has been released. This is a security and bugfix release. Security Deleting the group configured as the anonymous group in the Dynamic Security plugin, would leave a dangling pointer that could lead to a single crash. This is considered a minor issue - only administrative users…
Versions 2.0.14 of Mosquitto has been released. This is a bugfix release. Broker Fix bridge not respecting receive-maximum when reconnecting with MQTT v5. Client library Fix mosquitto_topic_matches_sub2() not using the length parameters. Closes #2364. Fix incorrect subscribe_callback in mosquittopp.h. Closes #2367.