Fedora has issued an advisory on April 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RZ2TYMMDG3XK2FMHJVRLWUEBTOVK42DU/
A security issue was fixed upstream in 1.6.14 and 2.0.9:
https://mosquitto.org/blog/2021/03/version-2-0-9-released/
Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Upstream has announced version 2.0.10 on April 3:
https://mosquitto.org/blog/2021/04/version-2-0-10-released/
It fixes a security issue that only affects 2.0.x (Mageia 8).
Summary: mosquitto new security issue fixed upstream in 1.6.14 and 2.0.9 => mosquitto new security issues fixed upstream in 1.6.14 and 2.0.10
Status comment: (none) => Fixed upstream in 1.6.14 and 2.0.10
Done for mga8!
Mageia 7 still needs to be addressed.
RPMS list for Mageia 8:
libmosquitto-devel-2.0.10-1.mga8
mosquitto-2.0.10-1.mga8
libmosquitto1-2.0.10-1.mga8
libmosquittopp1-2.0.10-1.mga8
Done also for mga7 updating to 1.6.14! Also note that uthash was also updated to 2.1.0 to fix build and to use system one.
RPMS list for Mageia 7:
uthash-devel-2.1.0-1.mga7
mosquitto-1.6.14-1.mga7
libmosquitto1-1.6.14-1.mga7
libmosquittopp1-1.6.14-1.mga7
libmosquitto-devel-1.6.14-1.mga7
from SRPMS:
uthash-2.1.0-1.mga7.src.rpm
mosquitto-1.6.14-1.mga7.src.rpm
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Status comment: Fixed upstream in 1.6.14 and 2.0.10 => (none)
Looking at this for mga7, before updating. Reference bug 25728.
Had no luck starting the mosquitto broker. Tried editing the mosquitto.conf file a few times but cannot get a handle on this.
# mosquitto -d
# systemctl status mosquitto
● mosquitto.service - Mosquitto MQTT v3.1/v3.1.1 Broker
   Loaded: loaded (/usr/lib/systemd/system/mosquitto.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2021-06-14 19:00:20 BST; 1min 24s ago
     Docs: man:mosquitto.conf(5)
           man:mosquitto(8)
  Process: 17920 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf (code=exited, status=1/FAILURE)
 Main PID: 17920 (code=exited, status=1/FAILURE)
Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
Jun 14 19:00:20 difda systemd[1]: Stopped Mosquitto MQTT v3.1/v3.1.1 Broker.
Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Start request repeated too quickly.
Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Jun 14 19:00:20 difda systemd[1]: Failed to start Mosquitto MQTT v3.1/v3.1.1 Broker.
Having another go in 24 hours time.
CC: (none) => tarazed25
Trying the same thing in mga8. This time, without touching the configuration file the server started but the client script failed to connect to the broker. On checking status again found mosquitto dead. Shall poke around a bit more.
Decided to forget about pre-update testing.
Installed the updates and tried to restart the service on Mageia 7.
# mosquitto -d
1623741943: mosquitto version 1.6.14 starting
1623741943: Using default config.
1623741943: Opening ipv4 listen socket on port 1883.
1623741943: Error: Address already in use
# cd /etc/mosquitto
# grep keepalive mosquitto.conf
...............
#keepalive_interval 60
# systemctl stop mosquitto
# kill -9 <pid>
The default idle_timeout is 60 seconds but appears to apply to a remote broker whereas a local server is being used here, probably (?). keepalive seems to matter also only for remote brokers.
# mosquitto -d
1623743703: mosquitto version 1.6.14 starting
1623743703: Using default config.
1623743703: Opening ipv4 listen socket on port 1883.
1623743703: Opening ipv6 listen socket on port 1883.
1623743703: mosquitto version 1.6.14 running
# systemctl status mosquitto
● mosquitto.service - Mosquitto MQTT Broker
   Loaded: loaded (/usr/lib/systemd/system/mosquitto.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2021-06-14 19:00:20 BST; 13h ago
     Docs: man:mosquitto.conf(5)
           man:mosquitto(8)
 Main PID: 17920 (code=exited, status=1/FAILURE)
Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
Jun 14 19:00:20 difda systemd[1]: Stopped Mosquitto MQTT v3.1/v3.1.1 Broker.
Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Start request repeated too quickly.
Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Jun 14 19:00:20 difda systemd[1]: Failed to start Mosquitto MQTT v3.1/v3.1.1 Broker.
Dropping this. The tutorial would take weeks to absorb and although the config file contains built-in documentation there are too many parameters to consider. The python scripts supplied allow for parameter values to be changed on the fly but there has to be a clean starting point, i.e. a running server. It does not work out of the box here anyway.
MGA7-64 Plasma on Lenovo B50
No installation issues.
Used wireshark to see packets. At first run of
# mosquitto -d
I see packets "Homeplug-AV", so there is something happening.
Tried to run the client.py, with very little result, but that's understandable (afterwards!!!) because the firewall drops all except what I specifically allowed and the port of MQTT is not one of these.
Tried to restart mosquitto, but that failed mentioning "too soon". I will try again after restarting this laptop when I have finished other tests.
CC: (none) => herman.viaene
Fedora has issued advisories on June 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7I5TBQ45K22UWNSJMATZ7KQNXKQCRMRY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SRGI4VLTOL5EHUGDJSTHZAZKBPV3WPCS/
Upstream announcement from June 8:
http://mosquitto.org/blog/2021/06/version-2-0-11-released/
The issue is fixed upstream in 1.6.15 and 2.0.11.
Assignee: qa-bugs => geiger.david68210
Summary: mosquitto new security issues fixed upstream in 1.6.14 and 2.0.10 => mosquitto new security issues fixed upstream in 1.6.15 and 2.0.11
Version: 8 => Cauldron
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Updates for 1.6.15 and 2.0.11 have been uploaded to updates_testing.
mosquitto-1.6.15-1.mga7
libmosquitto1-1.6.15-1.mga7
libmosquittopp1-1.6.15-1.mga7
libmosquitto-devel-1.6.15-1.mga7
mosquitto-2.0.11-1.mga8
libmosquitto-devel-2.0.11-1.mga8
libmosquitto1-2.0.11-1.mga8
libmosquittopp1-2.0.11-1.mga8
from SRPMS:
mosquitto-1.6.15-1.mga7.src.rpm
mosquitto-2.0.11-1.mga8.src.rpm
Version: Cauldron => 8
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
(In reply to David Walser from comment #11)
> Updates for 1.6.15 and 2.0.11 have been uploaded to updates_testing.
>
> mosquitto-1.6.15-1.mga7
> libmosquitto1-1.6.15-1.mga7
> libmosquittopp1-1.6.15-1.mga7
> libmosquitto-devel-1.6.15-1.mga7
> mosquitto-2.0.11-1.mga8
> libmosquitto-devel-2.0.11-1.mga8
> libmosquitto1-2.0.11-1.mga8
> libmosquittopp1-2.0.11-1.mga8
>
> from SRPMS:
> mosquitto-1.6.15-1.mga7.src.rpm
> mosquitto-2.0.11-1.mga8.src.rpm
Reminder that uthash is a part of this update too:
uthash-devel-2.1.0-1.mga7
from uthash-2.1.0-1.mga7.src.rpm
Ping? Last one for Mageia 7?
CC: (none) => ouaurelien
Clean upgrade test should suffice here.
Validating based on clean install over the prior versions. For advisories see comments 11 and 12.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0349.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED