From https://github.com/zeromq/libzmq/issues/1273 : It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a ZMTP v2 or earlier header. The library accepts such connections without applying its security mechanism. Solution: if security is defined on a socket, reject all V2 and earlier connections, unconditionally. A patch for the zeromq 4.0.x stable series is available at https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 Source: http://seclists.org/oss-sec/2015/q2/387 Debian issued DSA-3255-1 (https://www.debian.org/security/2015/dsa-3255.html) Reproducible: Always
+ 04 Jun 2015; Justin Lecher <jlec@gentoo.org> -zeromq-4.0.5.ebuild: + Drop vulnerable version, bug #549182 + Tree is clean again.
Am I understanding it correctly that this functionality was introduced in the 4.x series and as such the stable 3.2 series is not affected?
(In reply to Kristian Fiskerstrand from comment #2) > Am I understanding it correctly that this functionality was introduced in > the 4.x series and as such the stable 3.2 series is not affected? That's how I understand it. I asked upstream for confirmation. Nevertheless I already asked for stabilization of version 4 too.
(In reply to Justin Lecher from comment #3) > That's how I understand it. I asked upstream for confirmation. Upstream confirmed that only version 4 was and could be vulnerable.
CVE-2014-9721 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9721): libzmq before 4.0.6 and 4.1.x before 4.1.1 allows remote attackers to conduct downgrade attacks and bypass ZMPT v3 protocol security mechanisms via a ZMTP v2 or earlier header.
GLSA Vote: No
