Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[mosquitto-dev] Security advisory: CVE-2018-12543

Dear all,

A vulnerability exists in Mosquitto versions 1.5 to 1.5.2 inclusive
known as CVE-2018-12543.

If a message received by the broker has a topic that begins with `$`, but that
does not begin `$SYS`, an assert is triggered that should otherwise not be
accessible, causing Mosquitto to exit.

The issue is fixed in Mosquitto 1.5.3. Patches for older versions are
available at

The fix addresses the problem by reverting a commit that intended to remove
some unused checks, but also stopped part of the topic hierarchy being created.

Updated packages for most systems should be available immediately or
very shortly.

More details of the 1.5.3 release can be found on the Mosquitto
website, as well as details of the 1.5.2 release which was not
announced here due to the discovery of this vulnerability.



Back to the top