[Secure-testing-team] Bug#696895: mosquitto: Topic access can be incorrectly granted to all clients
Roger A. Light
roger at atchoo.org
Fri Dec 28 23:05:38 UTC 2012

Package: mosquitto
Version: 0.15-1
Severity: grave
Tags: upstream security
Justification: user security hole

When the acl_file option is in use to specify topic access control, if only
pattern access is used then all clients can obtain access regardless of the ACL
restrictions. This allows MQTT clients to access data that they shouldn't, but
does not affect security of the system.

-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.5.0-19-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages mosquitto depends on:
ii adduser 3.113+nmu3
ii libc6 2.13-37
ii libwrap0 7.6.q-24
ii lsb-base 4.1+Debian9

mosquitto recommends no packages.
mosquitto suggests no packages.

-- no debconf information
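
Added example, not part of the original report or of mosquitto's own code: a Python check that flags an acl_file matching the configuration described in the report (pattern rules with no topic rules). The `user`, `topic` and `pattern` keywords are mosquitto's acl_file keywords; the sample ACL contents, the function names and the reading of "only pattern access" as "no topic lines" are assumptions.

```python
# Added example: audit a mosquitto acl_file for the pattern-only layout
# that the bug report describes as granting access to all clients.
import sys

ACL_KEYWORDS = ("user", "topic", "pattern")

# Constructed sample inputs (not taken from the report).
PATTERN_ONLY_ACL = """\
# per-client topics only
pattern read sensors/%u/#
pattern write commands/%c/#
"""

MIXED_ACL = """\
topic read public/#
user alice
topic write alice/#
pattern read sensors/%u/#
"""

def classify_acl(lines):
    """Count rule kinds by leading keyword; skip blank and '#' lines."""
    counts = {"user": 0, "topic": 0, "pattern": 0, "unknown": 0}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.split(None, 1)[0]
        counts[keyword if keyword in ACL_KEYWORDS else "unknown"] += 1
    return counts

def is_pattern_only(lines):
    """True when pattern rules exist but no topic rules do (assumed
    meaning of "only pattern access" in the report)."""
    counts = classify_acl(lines)
    return counts["pattern"] > 0 and counts["topic"] == 0

def audit_file(path):
    """Return True if the acl_file at `path` is pattern-only."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return is_pattern_only(handle)

if __name__ == "__main__":
    # Usage: python check_acl.py /path/to/acl_file  (path is a placeholder)
    for acl_path in sys.argv[1:]:
        state = "PATTERN-ONLY (review)" if audit_file(acl_path) else "ok"
        print(f"{acl_path}: {state}")
```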