===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0409
                         mosquitto security update
                             11 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mosquitto
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
                   Unauthorised Access      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12551 CVE-2018-12550 CVE-2018-12546

Original Bulletin:
   http://www.debian.org/security/2019/dsa-4388

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running mosquitto check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4388-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 10, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mosquitto
CVE ID         : CVE-2018-12546 CVE-2018-12550 CVE-2018-12551

Three vulnerabilities were discovered in the Mosquitto MQTT broker, which
could result in authentication bypass. Please refer to
https://mosquitto.org/blog/2019/02/version-1-5-6-released/ for additional
information.

For the stable distribution (stretch), these problems have been fixed in
version 1.4.10-3+deb9u3.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================