| Field | Value |
|---|---|
| Summary | net-libs/zeromq-4.3.3: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients (CVE-2020-15166) |
| Product | Gentoo Security |
| Reporter | Thomas Deutschmann (RETIRED) <whissi> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | hydrapolic |
| Priority | Normal |
| Keywords | CC-ARCHES |
| Version | unspecified |
| Flags | nattka: sanity-check+ |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m |
| Whiteboard | B3 [glsa+ cve] |
| Package list | net-libs/zeromq-4.3.3 |
| Runtime testing required | --- |
Description
Thomas Deutschmann (RETIRED)
2020-09-05 20:10:51 UTC
A security vulnerability has been found in libzmq/zeromq.

CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them.

For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

The following upstream releases fix the issue:

- https://github.com/zeromq/libzmq/releases/tag/v4.3.3
- https://github.com/zeromq/zeromq4-x/releases/tag/v4.0.10
- https://github.com/zeromq/zeromq4-1/releases/tag/v4.1.8

Individual backported patches can be found on the upstream bug tracker, and have been sent separately to the security teams of various distributions: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af1aa5dda0985512c063560717852166af82e144

    commit af1aa5dda0985512c063560717852166af82e144
    Author:     Thomas Deutschmann <whissi@gentoo.org>
    AuthorDate: 2020-09-07 22:02:55 +0000
    Commit:     Thomas Deutschmann <whissi@gentoo.org>
    CommitDate: 2020-09-07 22:05:57 +0000

        net-libs/zeromq: bump to v4.3.3

        Bug: https://bugs.gentoo.org/740574
        Package-Manager: Portage-3.0.5, Repoman-3.0.1
        Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

     net-libs/zeromq/Manifest            |  1 +
     net-libs/zeromq/zeromq-4.3.3.ebuild | 61 +++++++++++++++++++++++++++++++++++++
     2 files changed, 62 insertions(+)

arm64 done

x86 stable

arm done

sparc stable

ppc64 stable

hppa stable

ppc stable

New GLSA request filed.

This issue was resolved and addressed in GLSA 202009-12 at https://security.gentoo.org/glsa/202009-12 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for remaining architectures. Please stabilize amd64.

amd64 done

all arches done

Please cleanup.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01f5ad8ee1779baa0c5d4cee30c5eb09d7bc6aef

    commit 01f5ad8ee1779baa0c5d4cee30c5eb09d7bc6aef
    Author:     Thomas Deutschmann <whissi@gentoo.org>
    AuthorDate: 2020-10-26 00:40:18 +0000
    Commit:     Thomas Deutschmann <whissi@gentoo.org>
    CommitDate: 2020-11-26 13:26:23 +0000

        net-libs/zeromq: security cleanup

        Bug: https://bugs.gentoo.org/740574
        Package-Manager: Portage-3.0.8, Repoman-3.0.2
        Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

     net-libs/zeromq/Manifest            |  3 --
     net-libs/zeromq/zeromq-2.2.0.ebuild | 53 --------------------------------
     net-libs/zeromq/zeromq-3.2.5.ebuild | 61 -------------------------------------
     net-libs/zeromq/zeromq-4.3.2.ebuild | 61 -------------------------------------
     profiles/package.deprecated         |  4 ---
     5 files changed, 182 deletions(-)

Repository is clean, all done.
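As an added administrator's check (not part of this bug report or of libzmq itself), the script below maps a libzmq version string onto the fixed releases the description names (4.3.3, 4.1.8, 4.0.10) so a host can be triaged for CVE-2020-15166 without reading the advisory each time; `check_local()` assumes pyzmq is installed and reads the linked libzmq version through its `zmq.zmq_version()`, and the sample version strings are constructed.

```python
import re
from typing import Tuple

# Releases the bug names as carrying the fix, keyed by upstream branch.
FIXED_PATCH = {
    (4, 3): 3,   # libzmq v4.3.3
    (4, 1): 8,   # zeromq4-1 v4.1.8
    (4, 0): 10,  # zeromq4-x v4.0.10
}
LATEST_FIXED = (4, 3, 3)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'v4.3.2', '4.3.3' or a Gentoo-style '4.3.2-r1' into a tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-_].*)?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised libzmq version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unfixed-branch' for one version string."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[branch] else "vulnerable"
    if (major, minor, patch) > LATEST_FIXED:
        # Newer than the newest fixed release: assumed to have inherited the fix.
        return "fixed"
    # e.g. 4.2.x or the 2.x/3.x ebuilds removed in the cleanup commit: the bug
    # lists no fixed release on this branch, so the remedy is a fixed line.
    return "unfixed-branch"


def check_local() -> str:
    """Assess the libzmq that pyzmq is linked against (pyzmq assumed installed)."""
    import zmq  # zmq.zmq_version() reports the linked libzmq version string
    return assess(zmq.zmq_version())


if __name__ == "__main__":
    # Constructed samples, including the versions this bug removes and adds.
    for v in ("4.3.2", "4.3.3", "4.1.7", "4.1.8", "4.0.10", "4.2.5", "4.3.4-r1"):
        print(f"{v:10} -> {assess(v)}")
```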