From d81c5364fefdcfccb5c80df019d1388191b07cd8 Mon Sep 17 00:00:00 2001 From: "Community Hass.io Add-ons Bot" Date: Tue, 18 Dec 2018 21:36:24 +0000 Subject: [PATCH] :tada: Release of add-on MQTT Server & Web client 0.3.0 --- README.md | 6 +++--- mqtt/CHANGELOG.md | 25 ++++++++++++++++++++++--- mqtt/README.md | 6 +++--- mqtt/config.json | 2 +- 4 files changed, 29 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index e5f26bc1..aae09f5f 100644 --- a/README.md +++ b/README.md @@ -638,10 +638,10 @@ SOFTWARE. [lutron-cert-amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg [lutron-cert-armhf-shield]: https://img.shields.io/badge/armhf-yes-green.svg [lutron-cert-i386-shield]: https://img.shields.io/badge/i386-yes-green.svg -[addon-mqtt]: https://github.com/hassio-addons/addon-mqtt/tree/v0.2.2 -[addon-doc-mqtt]: https://github.com/hassio-addons/addon-mqtt/blob/v0.2.2/README.md +[addon-mqtt]: https://github.com/hassio-addons/addon-mqtt/tree/v0.3.0 +[addon-doc-mqtt]: https://github.com/hassio-addons/addon-mqtt/blob/v0.3.0/README.md [mqtt-issue]: https://github.com/hassio-addons/addon-mqtt/issues -[mqtt-version-shield]: https://img.shields.io/badge/version-v0.2.2-blue.svg +[mqtt-version-shield]: https://img.shields.io/badge/version-v0.3.0-blue.svg [mqtt-pulls-shield]: https://img.shields.io/docker/pulls/hassioaddons/mqtt.svg [mqtt-aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg [mqtt-amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg diff --git a/mqtt/CHANGELOG.md b/mqtt/CHANGELOG.md index cd8f433f..bef74038 100644 --- a/mqtt/CHANGELOG.md +++ b/mqtt/CHANGELOG.md 
@@ -1,5 +1,24 @@ -# Changes +This version contains an important security fix, and it is **strongly recommended** for **ALL** installations to be upgraded to this version **immediately**. -- 🔨Enable AppArmor +### Bypass of Authentication -[Full changelog](https://github.com/hassio-addons/addon-mqtt/compare/v0.2.1...v0.2.2) \ No newline at end of file +The authentication against Home Assistant can be bypassed by an anonymous and unauthorized user. The issue has been mitigated in the latest release. + +To be clear on the subject: This is an add-on issue and not an issue with the Home Assistant authentication itself. + +Exact details of the vulnerability are not disclosed in order to give our users the time to upgrade. + +Thanks to Lars Larsson (@larsla) for responsibly reporting this vulnerability. + +Versions Affected +Affects add-on versions v0.2.0 and newer. +Older releases are not affected. + +### Changes + +- 🚑 🔒 Fixes authentication bypass vulnerability +- 🚑 Set correct acl for readonly +- ⬆️Upgrade Nginx to 1.14.2 +- ⬆️Upgrade Nginx-mod-http-lua to 1.14.2 + +[Full changelog](https://github.com/hassio-addons/addon-mqtt/compare/v0.2.2...v0.3.0) \ No newline at end of file diff --git a/mqtt/README.md b/mqtt/README.md index 6070b660..f7a3ef95 100644 --- a/mqtt/README.md +++ b/mqtt/README.md 
@@ -39,13 +39,13 @@ If you are more interested in stable releases of our add-ons: [buymeacoffee]: https://www.buymeacoffee.com/ludeeus [discord-shield]: https://img.shields.io/discord/478094546522079232.svg [discord]: https://discord.me/hassioaddons -[docs]: https://github.com/hassio-addons/addon-mqtt/blob/v0.2.2/README.md +[docs]: https://github.com/hassio-addons/addon-mqtt/blob/v0.3.0/README.md [forum-shield]: https://img.shields.io/badge/community-forum-brightgreen.svg [forum]: https://community.home-assistant.io/t/community-hass-io-add-ons-mqtt-server-web-client/70376 [hivemq]: https://www.hivemq.com/ [maintenance-shield]: https://img.shields.io/maintenance/yes/2018.svg [mosquitto]: https://mosquitto.org/ [project-stage-shield]: https://img.shields.io/badge/project%20stage-experimental-yellow.svg -[release-shield]: https://img.shields.io/badge/version-v0.2.2-blue.svg -[release]: https://github.com/hassio-addons/addon-mqtt/tree/v0.2.2 +[release-shield]: https://img.shields.io/badge/version-v0.3.0-blue.svg +[release]: https://github.com/hassio-addons/addon-mqtt/tree/v0.3.0 [screenshot]: https://github.com/hassio-addons/addon-mqtt/raw/master/images/image.png \ No newline at end of file diff --git a/mqtt/config.json b/mqtt/config.json index 7ff9b962..ff63fbe9 100644 --- a/mqtt/config.json +++ b/mqtt/config.json @@ -1,6 +1,6 @@ { "name": "MQTT Server & Web client", - "version": "0.2.2", + "version": "0.3.0", "slug": "mqtt", "timeout": 10, "description": "Mosquitto MQTT Server bundled with Hivemq's web client",
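Review bot: In the mqtt/CHANGELOG.md hunk, "Versions Affected" is a plain text line while "Bypass of Authentication" and "Changes" are `###` headings, and the opening advisory paragraph is left without any heading now that `# Changes` is removed; make "Versions Affected" a `###` heading so the advisory renders consistently. The affected range "v0.2.0 and newer" has no upper bound and the fix is described only as "the latest release", which stops being accurate as soon as a later version ships; state the range as v0.2.0 through v0.2.2 and name v0.3.0 as the fixed version. The "Set correct acl for readonly" entry carries no lock marker, so if it changes what a read-only user can access, say so explicitly, since readers will triage this entry list as a security release.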
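Review bot: In the mqtt/config.json hunk the only change is `"version": "0.2.2"` to `"version": "0.3.0"`, and the other three files in the diffstat are README and changelog text, so nothing in this patch contains the authentication or ACL change the changelog announces. The compare link v0.2.2...v0.3.0 in the changelog is the only pointer to the actual fix; reference the tag or commit that carries it in the commit message as well, so this version bump can be tied to the code it ships.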