
Bug 740574 (CVE-2020-15166)

Summary: net-libs/zeromq-4.3.3: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients (CVE-2020-15166)
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: hydrapolic
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
Whiteboard: B3 [glsa+ cve]
Package list:
net-libs/zeromq-4.3.3
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-05 20:10:51 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-07 21:42:03 UTC
A security vulnerability has been found in libzmq/zeromq.

CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
unauthenticated clients.
If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange
any message. Handshakes complete successfully, and messages are delivered to
the library, but the server application never receives them.
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

The following upstream releases fix the issue:

https://github.com/zeromq/libzmq/releases/tag/v4.3.3

https://github.com/zeromq/zeromq4-x/releases/tag/v4.0.10

https://github.com/zeromq/zeromq4-1/releases/tag/v4.1.8


Individual backported patches can be found on the upstream bug tracker,
and have been sent separately to the security teams of various
distributions:

https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
Comment 2 Larry the Git Cow gentoo-dev 2020-09-07 22:06:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af1aa5dda0985512c063560717852166af82e144

commit af1aa5dda0985512c063560717852166af82e144
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-07 22:02:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-07 22:05:57 +0000

    net-libs/zeromq: bump to v4.3.3
    
    Bug: https://bugs.gentoo.org/740574
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/zeromq/Manifest            |  1 +
 net-libs/zeromq/zeromq-4.3.3.ebuild | 61 +++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-08 04:07:45 UTC
arm64 done
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-08 15:58:17 UTC
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-08 15:58:30 UTC
arm done
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-10 07:47:55 UTC
sparc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-10 07:51:31 UTC
ppc64 stable
Comment 8 Rolf Eike Beer archtester 2020-09-10 19:54:55 UTC
hppa stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-12 17:48:16 UTC
ppc stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-12 19:59:05 UTC
New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-09-13 23:43:46 UTC
This issue was resolved and addressed in
GLSA 202009-12 at https://security.gentoo.org/glsa/202009-12
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-13 23:44:14 UTC
Re-opening for remaining architectures.
Comment 13 Tomáš Mózes 2020-09-17 05:37:39 UTC
Please stabilize amd64.
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-19 19:51:21 UTC
amd64 done

all arches done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-19 20:05:03 UTC
Please clean up.
Comment 16 Larry the Git Cow gentoo-dev 2020-11-26 13:26:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01f5ad8ee1779baa0c5d4cee30c5eb09d7bc6aef

commit 01f5ad8ee1779baa0c5d4cee30c5eb09d7bc6aef
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-26 00:40:18 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-11-26 13:26:23 +0000

    net-libs/zeromq: security cleanup
    
    Bug: https://bugs.gentoo.org/740574
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/zeromq/Manifest            |  3 --
 net-libs/zeromq/zeromq-2.2.0.ebuild | 53 --------------------------------
 net-libs/zeromq/zeromq-3.2.5.ebuild | 61 -------------------------------------
 net-libs/zeromq/zeromq-4.3.2.ebuild | 61 -------------------------------------
 profiles/package.deprecated         |  4 ---
 5 files changed, 182 deletions(-)
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-26 13:29:05 UTC
Repository is clean, all done.