Candidate: CVE-2018-12550
PublicDate: 2019-03-27 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12550
 https://mosquitto.org/blog/2019/02/version-1-5-6-released/
 https://mosquitto.org/files/cve/2018-12550
Description:
 When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to
 use an ACL file, and that ACL file is empty, or contains only comments or
 blank lines, then Mosquitto will treat this as though no ACL file has been
 defined and use a default allow policy. The new behaviour is to have an
 empty ACL file mean that all access is denied, which is not a useful
 configuration but is not unexpected.
Ubuntu-Description:
Notes:
 ebarretto> mosquitto's version on Trusty is EOL.
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]


Patches_mosquitto:
 upstream: https://mosquitto.org/files/cve/2018-12550/
upstream_mosquitto: released (1.5.6)
precise/esm_mosquitto: DNE
trusty_mosquitto: ignored (out of standard support)
trusty/esm_mosquitto: needed
xenial_mosquitto: released (1.4.8-1ubuntu0.16.04.5)
bionic_mosquitto: released (1.4.15-2ubuntu0.18.04.1)
cosmic_mosquitto: released (1.4.15-2ubuntu0.18.10.1)
disco_mosquitto: not-affected (1.5.6-1)
eoan_mosquitto: not-affected (1.5.6-1)
focal_mosquitto: not-affected (1.5.6-1)
groovy_mosquitto: not-affected (1.5.6-1)
hirsute_mosquitto: not-affected (1.5.6-1)
impish_mosquitto: not-affected (1.5.6-1)
jammy_mosquitto: not-affected (1.5.6-1)
devel_mosquitto: not-affected (1.5.6-1)