oss-sec mailing list archives
Re: CVE Request: zeromq downgrade attack
From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 11 May 2015 07:13:20 +0200
Hi, On Thu, May 07, 2015 at 04:49:08PM +0200, Alessandro Ghedini wrote:
[ CCing upstream mailing list ] Hello, From https://github.com/zeromq/libzmq/issues/1273 :It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a ZMTP v2 or earlier header. The library accepts such connections without applying its security mechanism. Solution: if security is defined on a socket, reject all V2 and earlier connections, unconditionally.A patch for the zeromq 4.0.x stable series is available at https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 AFAICT no CVE has been assigned (or requested) for this, and the issue has been public since December of last year. Could a CVE be assigned please?
For reference, an update for this issue has been released yesterday in Debian as https://lists.debian.org/debian-security-announce/2015/msg00144.html Regards, Salvatore
Current thread:
- CVE Request: zeromq downgrade attack Alessandro Ghedini (May 07)
- Re: CVE Request: zeromq downgrade attack Salvatore Bonaccorso (May 10)
- Re: CVE Request: zeromq downgrade attack Alessandro Ghedini (May 15)
- Re: CVE Request: zeromq downgrade attack cve-assign (May 21)
- Re: CVE Request: zeromq downgrade attack Alessandro Ghedini (May 22)