A flaw was found in mosquitto affecting all versions up to 1.4.14 inclusive. Unauthenticated clients can send a crafted CONNECT packet which causes large amounts of memory use in the broker. If multiple clients do this, an out of memory situation can occur and the system may become unresponsive or the broker will be killed by the operating system.
Created mosquitto tracking bugs for this issue:
Affects: fedora-all [bug 1551754]
Affects: epel-7 [bug 1551755]