| Name | CVE-2018-12546 |
| Description | In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this may result in clients being able cause effects that would otherwise not be allowed. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-4388-1 |
| Debian Bugs | 921976 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| mosquitto (PTS) | jessie, jessie (lts) | 1.3.4-2+deb8u4 | vulnerable |
| stretch (security), stretch (lts), stretch | 1.4.10-3+deb9u5 | fixed | |
| buster (security), buster, buster (lts) | 1.5.7-1+deb10u1 | fixed | |
| bullseye (security), bullseye | 2.0.11-1+deb11u1 | fixed | |
| bookworm (security), bookworm | 2.0.11-1.2+deb12u1 | fixed | |
| sid, trixie | 2.0.20-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mosquitto | source | wheezy | (unfixed) | end-of-life | ||
| mosquitto | source | stretch | 1.4.10-3+deb9u3 | DSA-4388-1 | ||
| mosquitto | source | (unstable) | 1.5.6-1 | 921976 |
[jessie] - mosquitto <ignored> (Minor issue)
https://mosquitto.org/blog/2019/02/version-1-5-6-released/
https://mosquitto.org/files/cve/2018-12546