Mosquitto 1.5.3 has been released to address a security vulnerability. It also includes other bug fixes.

CVE-2018-12543

A vulnerability exists in Mosquitto versions 1.5 to 1.5.2 inclusive, known as CVE-2018-12543.

If a message received by the broker has a topic that begins with $ but does not begin with $SYS, an assert that should otherwise be unreachable is triggered, causing Mosquitto to exit.

The issue is fixed in Mosquitto 1.5.3. Patches for older versions are available at https://mosquitto.org/files/cve/2018-12543

The fix addresses the problem by reverting a commit that was intended to remove some unused checks, but which also stopped part of the topic hierarchy from being created.
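As an added example (not part of the release notes or the Mosquitto project), a small audit helper that classifies a broker's reported version against the affected range above. It assumes the retained $SYS/broker/version payload has the form "mosquitto version X.Y.Z" and that the third-party paho-mqtt package is installed for the live check.

```python
"""Audit helper for CVE-2018-12543 (added example, not from the advisory)."""
import re
from typing import Optional, Tuple

# Range stated in the advisory: 1.5 to 1.5.2 inclusive; fixed in 1.5.3.
AFFECTED_MIN = (1, 5, 0)
AFFECTED_MAX = (1, 5, 2)

# Assumed payload format of the $SYS/broker/version topic.
_VERSION_RE = re.compile(r"mosquitto version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(payload: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a $SYS/broker/version payload.
    A missing patch component ("1.5") is treated as .0, matching the
    advisory's wording that 1.5 itself is affected."""
    m = _VERSION_RE.search(payload)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(payload: str) -> Optional[bool]:
    """True if the reported version is in the vulnerable range, False if
    outside it, None if the payload could not be parsed."""
    v = parse_version(payload)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def check_broker(host: str, port: int = 1883) -> Optional[bool]:
    """Fetch the retained $SYS/broker/version message with paho-mqtt
    (third-party, assumed installed) and classify it. Blocks until the
    message arrives, so the broker must be publishing $SYS topics."""
    import paho.mqtt.subscribe as subscribe  # imported lazily: offline use needs no network
    msg = subscribe.simple("$SYS/broker/version", hostname=host, port=port)
    return is_affected(msg.payload.decode(errors="replace"))


if __name__ == "__main__":
    # Constructed sample payloads, as a broker would publish them.
    for sample in ("mosquitto version 1.5.2", "mosquitto version 1.5.3",
                   "mosquitto version 1.4.15", "mosquitto version 1.5"):
        print(f"{sample!r}: affected={is_affected(sample)}")
```

Run `check_broker("broker.example.internal")` against a broker you administer to get the same classification from its live $SYS topic; brokers with `sys_interval 0` never publish it and the call will not return.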

Version 1.5.3 Changes

The complete list of fixes addressed in version 1.5.3 is:

Security

  • Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that begins with $ but is not $SYS, an assert that should be unreachable is triggered and Mosquitto will exit.

Broker

  • Elevate the log level to warning for the situation where the socket limit is hit.
  • Remove the requirement to use the root user in snap package config files.
  • Fix retained messages not being sent by bridges on outgoing topics at the first connection. Closes #701.
  • Documentation fixes. Closes #520, #600.
  • Fix duplicate clients being added to the by_id hash before the old client was removed. Closes #645.
  • Fix the Windows version not starting if include_dir did not contain any files. Closes #566.

Build

  • Various fixes to ease building.