A denial of service vulnerability causing a crash by dereference of null on corrupt packets was found by Benedikt Brandmaier using rusty-FUME. There was no heap corruption or out-of-bounds access, so no indication of a possible exploit. Update as soon as possible.
Additionally, a bug was fixed in decoding mosquitto password files with Windows end-of-line characters.