Bug 29024 - mosquitto new security issues fixed upstream in 1.6.14 and 2.0.10
Summary: mosquitto new security issues fixed upstream in 1.6.14 and 2.0.10
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-29 22:17 CEST by David Walser
Modified: 2021-06-17 14:58 CEST (History)
3 users (show)

See Also:
Source RPM: mosquitto-2.0.4-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-05-29 22:17:17 CEST
Fedora has issued an advisory on April 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RZ2TYMMDG3XK2FMHJVRLWUEBTOVK42DU/

A security issue was fixed upstream in 1.6.14 and 2.0.9:
https://mosquitto.org/blog/2021/03/version-2-0-9-released/

Mageia 7 is also affected.
David Walser 2021-05-29 22:17:34 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2021-05-29 23:33:53 CEST
Upstream has announced version 2.0.10 on April 3:
https://mosquitto.org/blog/2021/04/version-2-0-10-released/

It fixes a security issue that only affects 2.0.x (Mageia 8).

Summary: mosquitto new security issue fixed upstream in 1.6.14 and 2.0.9 => mosquitto new security issues fixed upstream in 1.6.14 and 2.0.10
Status comment: (none) => Fixed upstream in 1.6.14 and 2.0.10

Comment 2 David GEIGER 2021-06-04 13:53:43 CEST
Done for mga8!
Comment 3 David Walser 2021-06-05 17:11:13 CEST
Mageia 7 still needs to be addressed.

RPMS list for Mageia 8:
libmosquitto-devel-2.0.10-1.mga8
mosquitto-2.0.10-1.mga8
libmosquitto1-2.0.10-1.mga8
libmosquittopp1-2.0.10-1.mga8
Comment 4 David GEIGER 2021-06-07 10:34:27 CEST
Done also for mga7 updating to 1.6.14!

Also note that uthash was also updated to 2.1.0 to fix build and to use system one.
Comment 5 David Walser 2021-06-09 01:29:09 CEST
RPMS list for Mageia 7:
uthash-devel-2.1.0-1.mga7
mosquitto-1.6.14-1.mga7
libmosquitto1-1.6.14-1.mga7
libmosquittopp1-1.6.14-1.mga7
libmosquitto-devel-1.6.14-1.mga7

from SRPMS:
uthash-2.1.0-1.mga7.src.rpm
mosquitto-1.6.14-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 1.6.14 and 2.0.10 => (none)

Comment 6 Len Lawrence 2021-06-14 20:07:55 CEST
Looking at this for mga7, before updating.  Reference bug 25728.

Had no luck starting the mosquitto broker.  Tried editing the mosquitto.conf file a few times but cannot get a handle on this.
# mosquitto -d
# systemctl status mosquitto
● mosquitto.service - Mosquitto MQTT v3.1/v3.1.1 Broker
   Loaded: loaded (/usr/lib/systemd/system/mosquitto.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2021-06-14 19:00:20 BST; 1min 24s ago
     Docs: man:mosquitto.conf(5)
           man:mosquitto(8)
  Process: 17920 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf (code=exited, status=1/FAILURE)
 Main PID: 17920 (code=exited, status=1/FAILURE)

Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
Jun 14 19:00:20 difda systemd[1]: Stopped Mosquitto MQTT v3.1/v3.1.1 Broker.
Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Start request repeated too quickly.
Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Jun 14 19:00:20 difda systemd[1]: Failed to start Mosquitto MQTT v3.1/v3.1.1 Broker.

Having another go in 24 hours time.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2021-06-14 20:40:13 CEST
Trying the same thing in mga8.
This time, without touching the configuration file the server started but the client script failed to connect to the broker.
On checking status again found mosquitto dead.

Shall poke around a bit more.
Comment 8 Len Lawrence 2021-06-15 10:05:18 CEST
    Decided to forget about pre-update testing.  Installed the updates and tried to restart the service on Mageia 7.
    # mosquitto -d
    1623741943: mosquitto version 1.6.14 starting
    1623741943: Using default config.
    1623741943: Opening ipv4 listen socket on port 1883.
    1623741943: Error: Address already in use

    # cd /etc/mosquitto
    # grep keepalive mosquitto.conf
    ...............
    #keepalive_interval 60
    # systemctl stop mosquitto
    # kill -9 <pid>

    The default idle_timeout is 60 seconds but appears to apply to a remote broker whereas a local server is being used here, probably (?).  keepalive seems to matter also only for remote brokers.

    # mosquitto -d
    1623743703: mosquitto version 1.6.14 starting
    1623743703: Using default config.
    1623743703: Opening ipv4 listen socket on port 1883.
    1623743703: Opening ipv6 listen socket on port 1883.
    1623743703: mosquitto version 1.6.14 running
    # systemctl status mosquitto
    ● mosquitto.service - Mosquitto MQTT Broker
       Loaded: loaded (/usr/lib/systemd/system/mosquitto.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Mon 2021-06-14 19:00:20 BST; 13h ago
         Docs: man:mosquitto.conf(5)
               man:mosquitto(8)
     Main PID: 17920 (code=exited, status=1/FAILURE)

    Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
    Jun 14 19:00:20 difda systemd[1]: Stopped Mosquitto MQTT v3.1/v3.1.1 Broker.
    Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Start request repeated too quickly.
    Jun 14 19:00:20 difda systemd[1]: mosquitto.service: Failed with result 'exit-code'.
    Jun 14 19:00:20 difda systemd[1]: Failed to start Mosquitto MQTT v3.1/v3.1.1 Broker.

    Dropping this.  The tutorial would take weeks to absorb and although the config file contains built-in documentation there are too many parameters to consider.  The python scripts supplied allow for parameter values to be changed on the fly but there has to be a clean starting point, i.e. a running server.
    It does not work out of the box here anyway.
Comment 9 Herman Viaene 2021-06-17 14:58:44 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Used wireshark to see packets.
At first run of
# mosquitto -d
I see packets  "Homeplug-AV", so there is something happening.
Tried to run the client.py has very little result, but that's understandable (afterwards!!!) because the firewall drops all except what I specifically allowed and the port of MTTQ is not one of these.
Tried to restart mosquitto, but that failed mentioning "too soon".
I will try again after restarting this laptop when I finished other tests.

CC: (none) => herman.viaene


Note You need to log in before you can comment on or make changes to this bug.