Candidate: CVE-2018-12546
PublicDate: 2019-03-27 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12546
 https://mosquitto.org/blog/2019/02/version-1-5-6-released/
 https://mosquitto.org/files/cve/2018-12546
Description:
 In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client
 publishes a retained message to a topic, then has its access to that topic
 revoked, the retained message will still be published to clients that
 subscribe to that topic in the future. In some applications this may result
 in clients being able to cause effects that would otherwise not be allowed.
Ubuntu-Description:
Notes:
 ebarretto> mosquitto's version on Trusty is EOL.
 ebarretto> The first patch introduced a regression, please see bug below
 ebarretto> https://bugs.launchpad.net/bugs/1815695
Bugs:
 https://bugs.launchpad.net/bugs/1814931
 https://bugs.launchpad.net/bugs/1815695
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N [6.5 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N [6.5 MEDIUM]

Patches_mosquitto:
 upstream: https://mosquitto.org/files/cve/2018-12546/
upstream_mosquitto: released (1.5.6)
precise/esm_mosquitto: DNE
trusty_mosquitto: ignored (out of standard support)
trusty/esm_mosquitto: not-affected (code not present)
xenial_mosquitto: released (1.4.8-1ubuntu0.16.04.5)
bionic_mosquitto: released (1.4.15-2ubuntu0.18.04.1)
cosmic_mosquitto: released (1.4.15-2ubuntu0.18.10.1)
disco_mosquitto: not-affected (1.5.6-1)
devel_mosquitto: not-affected (1.5.6-1)
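The failure mode in the description, as an added worked example that is not part of this tracker entry and is not Mosquitto's code: a toy in-memory broker model that checks the publisher's ACL only when the retained message arrives (the vulnerable behaviour) beside one hardening that records the retained message's source client and re-checks that client's write permission when the message is handed to a new subscriber. The class, method and field names (`Broker`, `Retained.source`, `recheck_source`) and the `sensor`/`alarm` scenario are hypothetical; the exact mechanism of the upstream 1.5.6 fix is in the mosquitto.org advisory linked above, not reproduced here.

```python
# Added example: toy model of MQTT retained-message handling reproducing the
# CVE-2018-12546 behaviour and one way to close it. Illustrative code written for
# this page, not Mosquitto's implementation; all names here are hypothetical.
from dataclasses import dataclass


@dataclass
class Retained:
    topic: str
    payload: bytes
    source: str  # client that published the retained message (hypothetical field)


class Broker:
    def __init__(self, acl, recheck_source=False):
        # acl: {client_id: {topic: {"read", "write"}}}, a per-topic ACL like an
        # acl_file would express; wildcard matching is omitted in this model.
        self.acl = {c: {t: set(a) for t, a in topics.items()} for c, topics in acl.items()}
        self.retained = {}  # topic -> Retained
        self.recheck_source = recheck_source

    def allowed(self, client, topic, access):
        return access in self.acl.get(client, {}).get(topic, set())

    def revoke(self, client, topic, access):
        self.acl.get(client, {}).get(topic, set()).discard(access)

    def publish(self, client, topic, payload, retain=False):
        """Return True if the publish was accepted. ACL is checked at publish time."""
        if not self.allowed(client, topic, "write"):
            return False
        if retain:
            if payload:
                self.retained[topic] = Retained(topic, payload, client)
            else:
                # MQTT: a retained message with an empty payload clears the retained message.
                self.retained.pop(topic, None)
        return True

    def subscribe(self, client, topic):
        """Return the retained payloads delivered to a new subscriber."""
        if not self.allowed(client, topic, "read"):
            return []
        r = self.retained.get(topic)
        if r is None:
            return []
        # Vulnerable behaviour: the publisher's permission was checked only when
        # the message arrived, so a later revocation does not stop delivery.
        # Hardened behaviour: re-check that the recorded source may still write
        # the topic before handing the stored message to the new subscriber.
        if self.recheck_source and not self.allowed(r.source, topic, "write"):
            return []
        return [r.payload]


def scenario(recheck_source):
    """Constructed scenario: 'sensor' retains a message, loses write access,
    then 'alarm' subscribes. Returns what the new subscriber receives."""
    acl = {"sensor": {"home/door": {"write"}}, "alarm": {"home/door": {"read"}}}
    b = Broker(acl, recheck_source=recheck_source)
    assert b.publish("sensor", "home/door", b"unlock", retain=True)
    b.revoke("sensor", "home/door", "write")
    # New publishes from 'sensor' are now rejected ...
    assert not b.publish("sensor", "home/door", b"unlock", retain=True)
    # ... but the retained message it left behind may still be delivered.
    return b.subscribe("alarm", "home/door")


if __name__ == "__main__":
    print("vulnerable:", scenario(recheck_source=False))  # [b'unlock']
    print("hardened:  ", scenario(recheck_source=True))   # []
```

On a broker that has not yet received the fix, the stale retained message can be cleared by hand from a still-authorised client by publishing an empty retained payload to the topic, e.g. `mosquitto_pub -r -n -t home/door`; as the model's `publish` shows, an empty retained payload removes the stored message, which is the MQTT-level mechanism such a cleanup relies on.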