oss-sec mailing list archives
CVE-2020-15166: zeromq/libzmq: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients
From: Luca Boccassi <bluca () debian org>
Date: Mon, 07 Sep 2020 17:34:00 +0100
Hello,

A security vulnerability has been found in libzmq/zeromq.

CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients.

If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them.

For more information see the security advisory:

https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

The following upstream releases fix the issue:

https://github.com/zeromq/libzmq/releases/tag/v4.3.3
https://github.com/zeromq/zeromq4-x/releases/tag/v4.0.10
https://github.com/zeromq/zeromq4-1/releases/tag/v4.1.8

Individual backported patches can be found on the upstream bug tracker, and have been sent separately to the security teams of various distributions:

https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

--
Kind regards,
Luca Boccassi
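The advisory names one fixed release per maintained libzmq line (4.3.3, 4.0.10 and 4.1.8). The following is an added example, not part of the mailing-list post or of the libzmq project, that a defender can use to check a deployed libzmq version against that list. It takes the branch-to-fix mapping from the advisory above; the function names, the sample version strings and the treatment of release lines the advisory does not mention (reported as "not covered", never as safe) are this example's own assumptions. When pyzmq is installed, the real library version is read with `zmq.zmq_version()`; otherwise constructed sample versions are checked so the script still runs offline.

```python
"""Compare a libzmq version string against the fixed releases listed in the
CVE-2020-15166 advisory.  Added example; only the (major, minor) -> fix
mapping comes from the advisory text."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each line named in the advisory.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (4, 3): (4, 3, 3),   # libzmq v4.3.3
    (4, 0): (4, 0, 10),  # zeromq4-x v4.0.10
    (4, 1): (4, 1, 8),   # zeromq4-1 v4.1.8
}


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (the format zmq.zmq_version() returns)
    into a tuple that compares numerically.  Anything else is rejected
    rather than silently coerced, so a pre-release tag never passes."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected libzmq version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_fixed(version: str) -> Optional[bool]:
    """True if `version` is at or past the fix for its release line,
    False if it is on a named line but older than the fix, and None when
    the advisory lists no fix release for that line (the caller should
    consult the advisory rather than treat None as safe)."""
    major, minor, patch = parse_version(version)
    fix = FIXED_RELEASES.get((major, minor))
    if fix is None:
        return None
    return (major, minor, patch) >= fix


def describe(version: str) -> str:
    """Human-readable verdict for one version string."""
    verdict = is_fixed(version)
    if verdict is True:
        return f"libzmq {version}: includes the CVE-2020-15166 fix"
    if verdict is False:
        line = "%d.%d" % parse_version(version)[:2]
        fix = "%d.%d.%d" % FIXED_RELEASES[parse_version(version)[:2]]
        return f"libzmq {version}: on line {line}, older than fix release {fix}"
    return f"libzmq {version}: release line not covered by the advisory's fix list"


def installed_version() -> Optional[str]:
    """Return the linked libzmq version via pyzmq, or None if unavailable."""
    try:
        import zmq  # pyzmq; zmq.zmq_version() reports the libzmq version
    except ImportError:
        return None
    return zmq.zmq_version()


if __name__ == "__main__":
    local = installed_version()
    # Constructed sample versions, used when pyzmq is not installed.
    samples = [local] if local else ["4.3.2", "4.3.3", "4.0.9", "4.1.8", "4.2.5"]
    for v in samples:
        print(describe(v))
```

Run it on the host in question; a `False` verdict from `is_fixed` means the version predates the fix on its line, while `None` only means the advisory's release list says nothing about that line.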