This is really the last formal release of the 0.24 series now, including several security fixes and a major new feature: nng_bridge. NNG users can now use NanoMQ as the bridge between the Nanomsg Next-gen and MQTT ecosystems through configuration alone, with no need to add one more proxy process.
AI-composed changelog:
We are thrilled to announce the release of NanoMQ v0.24.14!
This version represents a major milestone in NanoMQ's robustness. Thanks to extensive fuzzing and rigorous code audits, we have patched several critical memory safety vulnerabilities. Alongside these security consolidations, we are introducing a brand-new offline message cache, NNG Pub/Sub bridging, and enhanced REST API querying capabilities.
Upgrade is highly recommended for all users.
New Features & Enhancements
Offline Message Cache: Introduced a new offline message caching mechanism to improve data reliability for disconnected clients.
NNG Pub/Sub Bridging: Added full support for NNG Pub/Sub bridging capabilities across both NanoMQ and NanoNNG.
REST API Upgrades: The GET /api/v4/clients endpoint now supports multi-condition querying, giving you more granular control over client monitoring.
CLI Enhancements: nanomq_cli now fully supports Will Properties for MQTT v5 client options.
Security & Stability
This release resolves several high-severity vulnerabilities and edge-case crashes, making the broker more resilient against malformed packets and malicious payloads:
Pre-Auth Memory Safety: Fixed a critical memory corruption/integer underflow bug in the HTTP basic_authorize API.
MQTTv5 Parser Hardening:
Fixed a Double Free vulnerability in nni_mqtt_msg_decode_subscribe().
Fixed a NULL pointer dereference (SEGV) in nni_mqttv5_msg_decode_connect().
Patched multiple Heap Use-After-Free (UAF) bugs related to connection parameters and properties.
HTTP API: Fixed an out-of-bounds bug in the HTTP post_msg API discovered via fuzzing.
Safety Consolidation: Deployed multiple new boundary checkers and safety guards throughout the NanoNNG core.
Bug Fixes & Optimizations
Webhook: Fixed memory leaks that could occur during Webhook execution.
QUIC: Fixed a type confusion issue triggered when closing QUIC dialers (nni_quic_dialer_close).
Bridging: Added the missing SNI parameter to the bridge configuration parser.
Codec Performance: Optimized property decoding logic by adding a tail node, significantly reducing complexity.
Housekeeping: Removed obsolete code, cleaned up redundant logging, and added new internal flags.
What's Changed in NanoMQ
- Support multi-condition query for rest api GET /api/v4/clients by @alvin1221 in #2294
- safety consolidation by @JaylinYu in #2299
- FEAT [nanomq_cli] add support for will properties in MQTT V5 client options by @alvin1221 in #2301
- new feature for nng bridging of pub/sub by @JaylinYu in #2297
- Fix webhook memory leaks by @alvin1221 in #2306
- Fix an outbound bug found by fuzzing in HTTP post_msg API by @JaylinYu in #2307
- security fixes by @JaylinYu in #2308
- fix a memory corruption bug of basic_authorize by @JaylinYu in #2309
- new offline msg cache by @JaylinYu in #2312
Full Changelog: 0.24.13...0.24.14
What's Changed in NanoNNG
- MDF [conf] add missing sni param in bridge conf by @JaylinYu in nanomq/NanoNNG#1498
- Fix a heap use-after-free bug of conn_param by @JaylinYu in nanomq/NanoNNG#1500
- UAF bug fix by @JaylinYu in nanomq/NanoNNG#1503
- Fix double free in nni_mqtt_msg_decode_subscribe() by @alvin1221 in nanomq/NanoNNG#1505
- FIX [mqtt_codec] add tail node to reduce complexity of property dec… by @JaylinYu in nanomq/NanoNNG#1508
- new feature: nng pub/sub bridging by @JaylinYu in nanomq/NanoNNG#1506
- FIX SEGV on unknown address in nni_mqttv5_msg_decode_connect() by @alvin1221 in nanomq/NanoNNG#1509
- FIX [quic] Fixed the type confusion when nni_quic_dialer_close. by @wanghaEMQ in nanomq/NanoNNG#1512
- multiple safe checkers added by @JaylinYu in nanomq/NanoNNG#1518
- just remove one tiny line of logging..... by @JaylinYu in nanomq/NanoNNG#1522
- rm obsolete code & add new flag by @JaylinYu in nanomq/NanoNNG#1528
Full Changelog: nanomq/NanoNNG@0.24.13...0.24.14