Created attachment 917750
This is a security related bug affecting versions 1.0 - 1.3.1 of mosquitto.
If an end user uses mosquitto with an authentication plugin, and the
plugin returns an application error when making an authentication check
(such as if a database was unavailable), then mosquitto incorrectly
treats this as a successful authentication.
This has the potential for unauthorised clients to access the running
mosquitto broker and gain access to information to which they are not
authorised. In general this does not represent a wider security hole.
No authentication plugins are provided with mosquitto and there are only
a limited number of examples available on the internet, so it is
unlikely that this bug will affect many installations.
The attached patch can be used as a fix, or package version 1.3.2.
Note that this also would affect Fedora 19 and 20, as well as EPEL7.
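Added illustration of the fail-open pattern described in this report; this is not the attached patch or mosquitto's own code. A constructed stand-in for an auth plugin reports an error (rather than a verdict) when its backing database is unavailable, and the broker-side check is shown in the vulnerable form, which only denies on an explicit authentication failure, beside the fail-closed form, which only admits on explicit success. The return-code names mirror mosquitto's plugin API; the values, credentials and plugin are this example's own.

```c
#include <stdbool.h>
#include <string.h>

/* Return codes: names follow mosquitto's plugin API, values are this example's own. */
enum {
    MOSQ_ERR_SUCCESS = 0,  /* credentials verified */
    MOSQ_ERR_AUTH    = 11, /* credentials rejected */
    MOSQ_ERR_UNKNOWN = 13  /* application error in the plugin, e.g. database down */
};

/* Constructed stand-in for a plugin's username/password check. When the
 * backing database is unavailable it reports an error instead of a verdict. */
static bool g_db_available = true;

static int plugin_unpwd_check(const char *username, const char *password)
{
    if (!g_db_available) {
        return MOSQ_ERR_UNKNOWN;
    }
    if (username && password &&
        strcmp(username, "sensor1") == 0 && strcmp(password, "s3cret") == 0) {
        return MOSQ_ERR_SUCCESS;
    }
    return MOSQ_ERR_AUTH;
}

/* Vulnerable pattern: only an explicit MOSQ_ERR_AUTH denies, so an
 * application error from the plugin falls through to "allowed". */
bool broker_allows_vulnerable(const char *username, const char *password)
{
    int rc = plugin_unpwd_check(username, password);
    if (rc == MOSQ_ERR_AUTH) {
        return false;
    }
    return true;
}

/* Fail-closed pattern: only MOSQ_ERR_SUCCESS admits the client; any other
 * code, including an application error, refuses the connection. */
bool broker_allows_fixed(const char *username, const char *password)
{
    int rc = plugin_unpwd_check(username, password);
    return rc == MOSQ_ERR_SUCCESS;
}

/* Simulates the plugin's backing store going away or coming back. */
void set_db_available(bool available) { g_db_available = available; }
```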
mosquitto-1.3.2-1.fc20 has been submitted as an update for Fedora 20.
mosquitto-1.3.2-1.fc19 has been submitted as an update for Fedora 19.
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mosquitto-1.3.2-1.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
mosquitto-1.3.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mosquitto-1.3.2-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.