Releases: halfgaar/FlashMQ

FlashMQ 1.26.1

20 Apr 23:15

FlashMQ 1.26.1 is a bug-fix release.

Security fixes

  • Fix division by zero crash in deferred retained message setting. This requires two config options to be set to non-default values: set_retained_message_defer_timeout_spread to zero and set_retained_message_defer_timeout to non-zero.
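A way to check whether a configuration sets the combination named above, as an added example that is not part of the FlashMQ project. It assumes the config file uses one "key value" pair per line with "#" comments; the function names and sample configurations are constructed for illustration.

```python
import re

SPREAD = "set_retained_message_defer_timeout_spread"
TIMEOUT = "set_retained_message_defer_timeout"

def parse_options(text):
    """Collect all 'key value' lines; '#' starts a comment (assumed syntax)."""
    options = {}
    for line in text.splitlines():
        match = re.fullmatch(r"(\w+)\s+(\S.*)", line.split("#", 1)[0].strip())
        if match:
            key, value = match.group(1), match.group(2).strip("'\"")
            options.setdefault(key, []).append(value)
    return options

def int_values(options, key):
    """Integer values given for key; anything non-numeric is ignored."""
    return [int(v) for v in options.get(key, []) if re.fullmatch(r"-?\d+", v)]

def crash_condition_present(text):
    """True if spread is set to zero while the defer timeout is non-zero."""
    options = parse_options(text)
    spread_zero = 0 in int_values(options, SPREAD)
    timeout_set = any(v != 0 for v in int_values(options, TIMEOUT))
    return spread_zero and timeout_set

# Constructed sample configurations, not taken from a real deployment.
AFFECTED = """
log_file /var/log/flashmq/flashmq.log
set_retained_message_defer_timeout 1000   # non-zero
set_retained_message_defer_timeout_spread 0
"""
TIMEOUT_ONLY = """
set_retained_message_defer_timeout 1000
"""
```

A configuration that leaves either option unset is reported as not matching, because the release note requires both to be set explicitly.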

General fixes

  • Check for invalid ‘receive max’, QoS, ‘retain available’, ‘shared subscription available’ and ‘max packet size’ values in CONNACK packets (like non-binary booleans or zero-values as maximums). When encountered, they constitute protocol errors and the client is disconnected. Being in CONNACK, this means it applied only to bridges to other servers.
  • Check for invalid reason codes in PUBREC packets. This fixes protocol compliance by causing a disconnect, but doesn’t change any behavior.
  • Fix increasing QoS quota on receiving a PUBACK, PUBREC or PUBCOMP with a message ID that is not in transit.
  • Fix checking MQTT5 property lengths not exceeding property sub-container. This fixes protocol compliance, but there was no integrity or security bug.
  • Added various thread-safety checks to prevent future bugs.
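The CONNACK value checks and the property-length bound described in the list above, as an added example that is not FlashMQ's own code. It follows the MQTT 5 specification's CONNACK property table; the function names and sample packets are constructed, and the input is assumed to be the CONNACK variable header with the fixed header already removed.

```python
# Fixed-width CONNACK properties (MQTT 5, section 3.2.2.3): id -> byte width.
WIDTH = {0x11: 4, 0x13: 2, 0x21: 2, 0x22: 2, 0x24: 1, 0x25: 1, 0x27: 4,
         0x28: 1, 0x29: 1, 0x2A: 1}
# Properties built from 2-byte-length-prefixed fields: id -> field count.
PREFIXED = {0x12: 1, 0x15: 1, 0x16: 1, 0x1A: 1, 0x1C: 1, 0x1F: 1, 0x26: 2}
# The five values named in the release note: id -> (name, lowest, highest).
LIMITS = {0x21: ("receive maximum", 1, 0xFFFF), 0x24: ("maximum QoS", 0, 1),
          0x25: ("retain available", 0, 1),
          0x27: ("maximum packet size", 1, 0xFFFFFFFF),
          0x2A: ("shared subscription available", 0, 1)}

def take(buf, pos, count, end):
    # Return (count bytes at pos, next pos) and never read past end.
    if pos + count > end:
        raise ValueError("field overruns its container")
    return buf[pos:pos + count], pos + count

def read_varint(buf, pos):
    """Decode an MQTT variable byte integer; return (value, next pos)."""
    value = 0
    for shift in (0, 7, 14, 21):
        byte, pos = take(buf, pos, 1, len(buf))
        value |= (byte[0] & 0x7F) << shift
        if byte[0] < 0x80:
            return value, pos
    raise ValueError("variable byte integer longer than 4 bytes")

def check_connack(body):
    """body = CONNACK variable header: flags, reason code, properties."""
    length, pos = read_varint(body, 2)
    _section, end = take(body, pos, length, len(body))  # must fit the packet
    seen = {}
    while pos < end:
        pid, pos = body[pos], pos + 1
        if pid in WIDTH:
            raw, pos = take(body, pos, WIDTH[pid], end)
            value = seen[pid] = int.from_bytes(raw, "big")
            name, low, high = LIMITS.get(pid, ("", 0, value))
            if not low <= value <= high:
                raise ValueError(f"{name} is {value}, allowed {low}..{high}")
        elif pid in PREFIXED:
            for _field in range(PREFIXED[pid]):
                raw, pos = take(body, pos, 2, end)
                _data, pos = take(body, pos, int.from_bytes(raw, "big"), end)
        else:
            raise ValueError(f"property 0x{pid:02x} not valid in CONNACK")
    return seen

# Constructed packets: a valid one, and a property that runs past its section.
GOOD = bytes.fromhex("000007" "21000a" "2401" "2501")
OVERRUN = bytes.fromhex("000002" "21000a")
```

check_connack(GOOD) returns the fixed-width values by property id, while OVERRUN raises ValueError because the two-byte receive maximum does not fit inside the declared two-byte property section.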

See FlashMQ 1.26.1 released

FlashMQ 1.26.0

08 Mar 11:16

Security Fixes

  • Malformed username data is now no longer logged. This fixes the possibility of creating fake log lines, by having newline characters in usernames.
  • Fix signed integer bug in ‘receive max’, allowing a client to bypass the limit.

Security Enhancements

  • String lengths (of usernames, topics, user properties, etc.) are now constrained by the setting max_string_length, defaulting to 4096. This does not affect the payload. The default was chosen to be unlikely to affect existing deployments.
  • Maximum subtopic count is now constrained by the setting max_topic_split_depth, defaulting to 128. The default was chosen to be unlikely to affect existing deployments.

Fixes

  • Flow control value is now correctly increased by one on SUBACK, even if the SUBSCRIBE contained more than one topic filter.
  • Fix bridge reconnection breaking when save_state_interval or plugin_timer_period was changed and a SIGHUP sent.
  • Fix not closing delayed denied connections (denied by only_allow_from) when save_state_interval or plugin_timer_period was changed and a SIGHUP sent.

Enhancements

  • Compilation is now done with all symbols hidden by default, only exposing API functions publicly, including exceptions. This fixes obscure errors when plugins and FlashMQ itself use symbols with the same name. It also reduces binary size and possibly optimizes code.
  • Postpone creating listeners until all threads have initialized. Binding errors are still detected before that.
  • Plugins have the ability to defer thread readiness.
  • Systemd’s sd_notify is used to signal readiness after initialization (without creating a dependency on systemd). The systemd service of the binary distribution has been adjusted accordingly.
  • Plugin ACL and alter hooks now have access to the expiration time and content type of the message, if set.
  • Reduce stack memory requirements by 1 MB per thread.

Download

Downloads available

FlashMQ 1.25.0

25 Jan 19:26

  • Support reading the CN field as username from HAProxy headers when HAProxy does client verification.
  • Allow plugin function flashmq_publish_message() from any thread in plugin, including custom ones.
  • New config option log_publishes.
  • Reduce log noise by downgrading frequent events from ERROR. The idea is that ERROR should be actual errors someone is interested in; not just misbehaving clients (which are normal).
  • New version of function flashmq_continue_async_authentication_v4() with delay option.
  • Fix recent bug where SSL clients are logged as non-SSL (like TCP/Websocket/Non-SSL (TLSv1.3)).
  • Don’t log non-MQTT clients as if they are. This avoids reporting things like ‘clean session’ on something that is not an MQTT client.
  • Reduce heap memory fragmentation caused by frequent setting of retained messages.

Builds available

FlashMQ 1.24.0

11 Dec 20:12

Version 1.24.0 is mostly a maintenance release; no big new features added. Aside from some internal refactoring, there is:

  • Same fixes from 1.23.1 and 1.23.3 releases.
  • Add config option persistence_data_to_save to give more control over which data is saved.
  • Fix showing 'server shutting down' in logs whether FlashMQ is client or server. It now properly only mentions 'server' when it's the server shutting down, local or remote.
  • Fix marking any non-worker thread as 'main' in logs. Now the actual thread name is shown, also for threads created by the plugin.
  • Reduce locking around client stores in event loops.
  • Don't render 'subscribe' log lines when subscriptions are not configured to be logged. This saves overhead.
  • Database files in storage_dir are now always created with strict permissions.

See FlashMQ 1.24.0 released.

FlashMQ 1.23.2

24 Oct 14:13

FlashMQ version 1.23.2 contains a security fix.

It was discovered that queuing QoS messages in sessions can cause a memory leak because of circularly tracked references. Version 1.23.2 fixes the issue. Upgrading is advised.

Downloads available and apt repositories updated

FlashMQ 1.23.1

23 Sep 09:42

Fixes reporting max QoS of 2 in MQTT 5 CONNACK packet. Only 0 or 1 is allowed by the standard.

Builds available

FlashMQ 1.23.0

31 Aug 09:24

Version 1.23.0 doesn’t contain any major changes, just some small improvements.

New features

  • Ability to set user, group and access permissions on unix socket.
  • Add max_qos setting.

Fixes and improvements

  • When saving state files (sessions, retained messages, etc), disk space calculation incorrectly used a 32 bit int on 32 bit platforms. This could make FlashMQ skip making the backup of state files when the file format version changes (these backups are made to support downgrading).
  • Somewhat improve mTLS (mutual, or client TLS) handshake performance. Caveat: a bottleneck was detected in OpenSSL here. Using OpenSSL 3.2 or higher (like Debian 13 does) is advised.
  • A few small general quality improvements.

Download

Builds available

FlashMQ 1.22.0

11 Jun 10:48

New features

  • Unix domain socket support has been added to listeners.
  • Listeners can now have an acme_redirect_url for enhanced Let's Encrypt integration.
  • Listeners now have an option drop_on_absent_certificate.
  • Bridges now have a connection_count option for load-balancing.
  • Bridges and listeners now have a max_buffer_size option.
  • Listeners now have an only_allow_from and deny_from option.

Plugin changes

The function flashmq_get_client_address() has been replaced with flashmq_get_client_address_v4().

Release details

See FlashMQ 1.22.0 released for details and downloads.

FlashMQ 1.21.1

24 Mar 20:43

Version 1.21.1 fixes a crash bug introduced in version 1.19.0, caused by timed events. Upgrading is advised.

Builds available

FlashMQ 1.21.0

18 Mar 20:13

Version 1.21.0 offers more control over subscriptions from the plugin interface. Additionally, it includes a few fixes.

See the release page for version 1.21.0.