<pre style='margin:0'>
Mojca Miklavec (mojca) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/4cdb4d0dfadc74ddd50a051e940a2d055a9c0eb9">https://github.com/macports/macports-ports/commit/4cdb4d0dfadc74ddd50a051e940a2d055a9c0eb9</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 4cdb4d0 mosquitto: Upgrade to version 1.5.6.
</span>4cdb4d0 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 4cdb4d0dfadc74ddd50a051e940a2d055a9c0eb9
</span>Author: Andrew L. Moore <slewsys@gmail.com>
AuthorDate: Fri Feb 8 14:21:51 2019 -0500
<span style='display:block; white-space:pre;color:#404040;'> mosquitto: Upgrade to version 1.5.6.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> This update addresses multiple security vulnerabilities:
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> CVE-2018-12551: If Mosquitto is configured to use a password file for
</span><span style='display:block; white-space:pre;color:#404040;'> authentication, any malformed data in the password file will be
</span><span style='display:block; white-space:pre;color:#404040;'> treated as valid. This typically means that the malformed data becomes
</span><span style='display:block; white-space:pre;color:#404040;'> a username and no password. If this occurs, clients can circumvent
</span><span style='display:block; white-space:pre;color:#404040;'> authentication and get access to the broker by using the malformed
</span><span style='display:block; white-space:pre;color:#404040;'> username. In particular, a blank line will be treated as a valid empty
</span><span style='display:block; white-space:pre;color:#404040;'> username. Other security measures are unaffected. Users who have only
</span><span style='display:block; white-space:pre;color:#404040;'> used the mosquitto_passwd utility to create and modify their password
</span><span style='display:block; white-space:pre;color:#404040;'> files are unaffected by this vulnerability.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> CVE-2018-12550: If an ACL file is empty, or has only blank lines or
</span><span style='display:block; white-space:pre;color:#404040;'> comments, then mosquitto treats the ACL file as not being defined,
</span><span style='display:block; white-space:pre;color:#404040;'> which means that no topic access is denied. Although denying access to
</span><span style='display:block; white-space:pre;color:#404040;'> all topics is not a useful configuration, this behaviour is unexpected
</span><span style='display:block; white-space:pre;color:#404040;'> and could lead to access being incorrectly granted in some
</span><span style='display:block; white-space:pre;color:#404040;'> circumstances.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> CVE-2018-12546: If a client publishes a retained message to a topic
</span><span style='display:block; white-space:pre;color:#404040;'> that they have access to, and then their access to that topic is
</span><span style='display:block; white-space:pre;color:#404040;'> revoked, the retained message will still be delivered to future
</span><span style='display:block; white-space:pre;color:#404040;'> subscribers. This behaviour may be undesirable in some applications,
</span><span style='display:block; white-space:pre;color:#404040;'> so a configuration option `check_retain_source` has been introduced to
</span><span style='display:block; white-space:pre;color:#404040;'> enforce checking of the retained message source on publish.
</span>---
net/mosquitto/Portfile | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/mosquitto/Portfile b/net/mosquitto/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 649c30c..8265b4c 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/mosquitto/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/mosquitto/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4,8 +4,7 @@ PortSystem 1.0
</span> PortGroup cmake 1.1
name mosquitto
<span style='display:block; white-space:pre;background:#ffe0e0;'>-version 1.5.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+version 1.5.6
</span>
categories net devel
platforms darwin
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -23,9 +22,9 @@ long_description \
</span> homepage https://mosquitto.org
master_sites http://mosquitto.org/files/source/
<span style='display:block; white-space:pre;background:#ffe0e0;'>-checksums rmd160 7c04ab09553a3514c0ff6411ba289ed3a971c757 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sha256 fcdb47e340864c545146681af7253399cc292e41775afd76400fda5b0d23d668 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- size 431998
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+checksums rmd160 c4ddcd7388e5a19410421a2149292f3eb130b40e \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sha256 d5bdc13cc668350026376d57fc14de10aaee029f6840707677637d15e0751a40 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size 439402
</span>
depends_build-append \
path:bin/xsltproc:libxslt
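Review bot: the master_sites context line in this hunk still fetches the
tarball over plain http://mosquitto.org/files/source/ although homepage
directly above it is already https://mosquitto.org. The new rmd160, sha256
and size values will catch a tampered download, but since this bump exists
to ship three CVE fixes, consider switching master_sites to https in the
same change so the download itself is authenticated.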
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -73,6 +72,9 @@ pre-test {
</span> # Test target 09 fails due to I/O error when launching broker.
reinplace "s|^test :.*|test : test-compile 01 02 03 04 05 06 07 10 11|" \
${build.dir}/test/broker/Makefile
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Test target 02-subpub-qos.*-bad.* fails due to socket error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace "s|\\./02-subpub-qos.*-bad.*|#&|" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${build.dir}/test/broker/Makefile
</span> # `09-util-utf8-validate.c' fails to compile due to invalid encoding.
reinplace "s|^09 :.*|09 : 09-util-topic-matching.test 09-util-topic-tokenise.test|" \
${build.dir}/test/lib/c/Makefile \
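Review bot: the added reinplace on "02-subpub-qos.*-bad.*" disables every
broker test matching that pattern with only "fails due to socket error" as
the reason, in a commit whose purpose is a security update. Please record
the affected platform or an upstream ticket in the comment so these tests
can be re-enabled later. The pattern is also unanchored and both ".*" are
greedy, so "#&" comments out everything from the first match to the end of
the line; anchoring it to the start of the recipe line would limit what is
silenced.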
</pre><pre style='margin:0'>
</pre>
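<p>For CVE-2018-12551 and CVE-2018-12550 as described in the commit message, an operator can check existing files before and after upgrading. The following is an added example, not code from Mosquitto or MacPorts; the function names and sample data are hypothetical, and it assumes a password file of one <code>username:hash</code> entry per line and an ACL file where lines starting with <code>#</code> are comments.</p>

```python
# Added example: audit Mosquitto password and ACL files for the conditions
# described in CVE-2018-12551 and CVE-2018-12550.
# Assumed formats (not taken from the page): one "username:hash" entry per
# line in the password file; "#" at line start is a comment in the ACL file.

def audit_password_file(text):
    """Return (line_number, reason) for every line that a broker older than
    1.5.6 could accept as a username with no password (CVE-2018-12551)."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            findings.append((n, "blank line (treated as a valid empty username)"))
            continue
        user, sep, secret = line.partition(":")
        if not sep:
            findings.append((n, "no ':' separator, whole line becomes a username"))
        elif user == "":
            findings.append((n, "empty username"))
        elif secret.strip() == "":
            findings.append((n, "empty password field"))
    return findings


def acl_is_effectively_empty(text):
    """True when the ACL file holds only blank lines or comments, the case
    that CVE-2018-12550 says is treated as if no ACL file were defined."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            return False
    return True


# Constructed sample input; the hashes are placeholders, not real credentials.
SAMPLE_PASSWD = (
    "alice:$6$c2FsdA==$aGFzaA==\n"
    "\n"
    "bob\n"
    ":$6$c2FsdA==$aGFzaA==\n"
    "carol:\n"
)
SAMPLE_ACL = "# sensors ACL\n\n# topic read sensors/#\n"

if __name__ == "__main__":
    for lineno, reason in audit_password_file(SAMPLE_PASSWD):
        print(f"password file line {lineno}: {reason}")
    if acl_is_effectively_empty(SAMPLE_ACL):
        print("ACL file has no effective rules")
```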