CVE-2018-12550

Priority
Description
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to
use an ACL file, and that ACL file is empty, or contains only comments or
blank lines, then Mosquitto will treat this as though no ACL file has been
defined and use a default allow policy. The new behaviour is to have an
empty ACL file mean that all access is denied, which is not a useful
configuration but is not unexpected.
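A check for the condition described above, as an added example (not code from Ubuntu or the Mosquitto project): it reads a `mosquitto.conf`, finds each `acl_file` directive, and reports whether the referenced file holds only blank lines or comments. It assumes comment lines begin with `#` and does not follow `include_dir`; the status labels are this example's own. On versions 1.0 to 1.5.5 an `empty` result means the broker falls back to default allow, and on fixed versions it means all access is denied.

```python
import os
import sys
import tempfile

def acl_files(conf_text):
    """Paths named by acl_file directives in mosquitto.conf text."""
    paths = []
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "acl_file":
            paths.append(parts[1].strip())
    return paths

def acl_is_effectively_empty(acl_text):
    """True when every line is blank or a # comment (the condition in the CVE)."""
    return all(not s or s.startswith("#")
               for s in (l.strip() for l in acl_text.splitlines()))

def audit(conf_path):
    """Return [(acl_path, status)] with status empty / has-rules / unreadable."""
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        paths = acl_files(fh.read())
    results = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                empty = acl_is_effectively_empty(fh.read())
            results.append((path, "empty" if empty else "has-rules"))
        except OSError:
            results.append((path, "unreadable"))
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        conf = sys.argv[1]
    else:
        # Constructed sample: a config pointing at a comments-only ACL file.
        tmp = tempfile.mkdtemp()
        acl = os.path.join(tmp, "acl")
        conf = os.path.join(tmp, "mosquitto.conf")
        with open(acl, "w") as fh:
            fh.write("# readers\n\n# topic read sensors/#\n")
        with open(conf, "w") as fh:
            fh.write("allow_anonymous false\nacl_file %s\n" % acl)
    for path, status in audit(conf):
        print("%-10s %s" % (status, path))
```

Run it with the path to the broker's configuration file as the only argument; with no argument it runs against the constructed sample.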
Notes
ebarretto: mosquitto's version on Trusty is EOL.
Package
Upstream: released (1.5.6)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): released (1.4.8-1ubuntu0.16.04.5)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.4.15-2ubuntu0.18.04.1)
Ubuntu 19.10 (Eoan Ermine): not-affected (1.5.6-1)
Ubuntu 20.04 (Focal Fossa): not-affected (1.5.6-1)
Patches:
Upstream: https://mosquitto.org/files/cve/2018-12550/

Updated: 2020-01-29 18:51:47 UTC (commit 40f18bf14da5fb50662e1f861ea594a462b207fe)