Security Fixes
- Malformed username data is no longer logged. This removes the possibility of creating fake log lines by putting newline characters in usernames.
- Fix signed integer bug in ‘receive max’ that allowed a client to bypass the limit.
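The log line issue above can be illustrated with a short added example (not FlashMQ's code; FlashMQ's fix is to not log the malformed data at all). It shows a different, common mitigation, escaping control bytes before a client-supplied string reaches the log. The names log_safe and record_count, the 64-byte cap and the sample log format are assumptions made for this example.

```cpp
#include <cstdio>
#include <string>

// Hypothetical helper (not FlashMQ's code): render an untrusted string as a
// single log field. ASCII control bytes become \xNN escapes and the backslash
// is doubled, so escaped output cannot be confused with literal input.
// Bytes >= 0x80 pass through unchanged (UTF-8 is assumed validated elsewhere).
std::string log_safe(const std::string &untrusted, std::size_t max_len = 64)
{
    std::string out;
    for (std::size_t i = 0; i < untrusted.size(); ++i)
    {
        if (i == max_len)
        {
            out += "...[truncated]";
            break;
        }
        const unsigned char c = static_cast<unsigned char>(untrusted[i]);
        if (c == '\\')
            out += "\\\\";
        else if (c < 0x20 || c == 0x7f)
        {
            char buf[5];
            std::snprintf(buf, sizeof(buf), "\\x%02x", static_cast<unsigned>(c));
            out += buf;
        }
        else
            out += static_cast<char>(c);
    }
    return out;
}

// Number of records a line-oriented log reader would see in this text.
std::size_t record_count(const std::string &log_text)
{
    std::size_t n = 0;
    for (char c : log_text) n += (c == '\n');
    return n;
}

int main()
{
    // Constructed input: a username carrying a newline and a forged record.
    const std::string username = "bob\n[2024-01-01 00:00:00] [NOTICE] Client 'admin' logged in";
    const std::string raw = "[NOTICE] Login denied for '" + username + "'\n";
    const std::string safe = "[NOTICE] Login denied for '" + log_safe(username) + "'\n";
    std::printf("raw: %zu records, escaped: %zu records\n", record_count(raw), record_count(safe));
    std::fputs(safe.c_str(), stdout);
}
```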
Security Enhancements
- String lengths (of usernames, topics, user properties, etc.) are now constrained by the setting max_string_length, defaulting to 4096. Does not affect payload. The default was chosen to be unlikely to affect existing deployments.
- Maximum subtopic count is now constrained by the setting max_topic_split_depth, defaulting to 128. The default was chosen to be unlikely to affect existing deployments.
Fixes
- Flow control value is now correctly increased by one on SUBACK, even if the SUBSCRIBE contained more than one topic filter.
- Fix bridge reconnection breaking when save_state_interval or plugin_timer_period was changed and a SIGHUP sent.
- Fix not closing delayed denied connections (denied by only_allow_from) when save_state_interval or plugin_timer_period was changed and a SIGHUP sent.
Enhancements
- Compilation is now done with all symbols hidden by default, only exposing API functions publicly, including exceptions. This fixes obscure errors when plugins and FlashMQ itself use symbols with the same name. It also reduces binary size and possibly optimizes code.
- Postpone creating listeners until all threads have initialized. Binding errors are still detected before that.
- Plugins now have the ability to defer thread readiness.
- Systemd’s sd_notify is used to signal readiness after initialization (without creating a dependency on systemd). The systemd service of the binary distribution has been adjusted accordingly.
- Plugin ACL and alter hooks now have access to the expiration time and content type of the message, if set.
- Reduce stack memory requirements by 1 MB per thread.
Download
Downloads are available and the apt repository is updated.