Bug 523850 (CVE-2014-7202) - <net-libs/zeromq-4.0.5 && >=net-libs/zeromq-4.0.0: two vulnerabilities (CVE-2014-7202)
Status: RESOLVED FIXED
Alias: CVE-2014-7202
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on: 539440
Blocks:
 
Reported: 2014-09-27 09:32 UTC by Agostino Sarubbo
Modified: 2015-02-11 14:47 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-09-27 09:32:26 UTC
From ${URL} :

Matthew Hawn found that libzmq (ZeroMQ/C++) did not validate the other
party's security handshake properly, allowing a man-in-the-middle
downgrade attack. 
Code commit: https://github.com/zeromq/libzmq/issues/1190

Matthew Hawn found that libzmq (ZeroMQ/C++) did not implement a
uniqueness check on connection nonces, and the CurveZMQ RFC was
ambiguous about nonce validation. This allowed replay attacks.
Code commit: https://github.com/zeromq/libzmq/issues/1191

Only ZMQ versions 4.0.x with x < 5 are affected. 4.0.5 is about to be released.



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
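The two weaknesses in the description above, as an added C++ example that is neither libzmq's code nor the reporter's: a check that the peer's ZMTP 3.0 greeting advertises the locally configured security mechanism (a man-in-the-middle that rewrites CURVE to NULL in the greeting is then rejected instead of silently accepted), and a peer-nonce tracker that requires the 8-byte CurveZMQ short-nonce counter to be strictly increasing, so a replayed command is refused. The 64-byte greeting layout (mechanism at offset 12, 20 bytes, zero padded) and the MESSAGE command layout ("\x07MESSAGE" followed by an 8-byte big-endian counter) are taken from the ZMTP 3.0 and CurveZMQ RFCs as I read them; the function and class names, and the assumption that a counter value of 0 is never valid, are mine.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// ZMTP 3.0 greeting: 10-byte signature (0xFF, 8 x padding, 0x7F),
// 2-byte version, 20-byte mechanism, 1-byte as-server, 31-byte filler.
constexpr size_t kGreetingSize = 64;
constexpr size_t kMechanismOffset = 12;
constexpr size_t kMechanismSize = 20;
constexpr size_t kAsServerOffset = 32;

using Greeting = std::array<uint8_t, kGreetingSize>;

// Constructed test helper: build a well-formed greeting for a mechanism.
Greeting make_greeting(const std::string& mech, bool as_server)
{
    Greeting g{};
    g[0] = 0xFF;
    g[9] = 0x7F;
    g[10] = 3;  // major version
    g[11] = 0;  // minor version
    std::memcpy(&g[kMechanismOffset], mech.data(),
                std::min(mech.size(), kMechanismSize));
    g[kAsServerOffset] = as_server ? 1 : 0;
    return g;
}

// True only if the peer's greeting is a valid ZMTP 3.x greeting AND its
// mechanism field is byte-for-byte the mechanism we were configured with.
// Comparing all 20 bytes (not just a prefix) rejects "CURVEX" or trailing
// junk as well as an outright "NULL" substitution by a man-in-the-middle.
bool mechanism_matches(const Greeting& greeting, const std::string& expected)
{
    if (greeting[0] != 0xFF || greeting[9] != 0x7F || greeting[10] != 3)
        return false;
    if (expected.size() > kMechanismSize)
        return false;
    std::array<uint8_t, kMechanismSize> want{};  // zero padded, per the RFC
    std::memcpy(want.data(), expected.data(), expected.size());
    return std::memcmp(&greeting[kMechanismOffset], want.data(),
                       kMechanismSize) == 0;
}

// Extract the short-nonce counter from a CurveZMQ MESSAGE command body:
// "\x07MESSAGE" + 8-byte big-endian counter + box. A real command also
// carries the box after the counter; this parser only needs the prefix.
bool parse_message_nonce(const uint8_t* body, size_t len, uint64_t& nonce)
{
    static const uint8_t kTag[8] = {7, 'M', 'E', 'S', 'S', 'A', 'G', 'E'};
    if (len < 16 || std::memcmp(body, kTag, sizeof kTag) != 0)
        return false;
    nonce = 0;
    for (int i = 0; i < 8; ++i)
        nonce = (nonce << 8) | body[8 + i];
    return true;
}

// Per-connection record of the highest peer nonce counter seen so far.
// Each new counter must be strictly greater than the last one accepted,
// so a captured command replayed later (same or lower counter) is refused.
// Assumption: counters start at 1, so 0 is never accepted.
class PeerNonceTracker {
public:
    bool accept(uint64_t nonce)
    {
        if (nonce <= last_)
            return false;  // replay, or out of order: drop it
        last_ = nonce;
        return true;
    }
    uint64_t last() const { return last_; }

private:
    uint64_t last_ = 0;
};
```

In a real endpoint the greeting check runs before any mechanism-specific handshake is attempted, and the tracker is consulted for every decrypted command from the peer, including HELLO/INITIATE, not just MESSAGE.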
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-02-11 10:28:21 UTC
+*zeromq-4.0.5 (11 Feb 2015)
+
+  11 Feb 2015; Justin Lecher <jlec@gentoo.org> +zeromq-4.0.5.ebuild,
+  -zeromq-3.2.4-r1.ebuild, -zeromq-4.0.1-r1.ebuild, -zeromq-4.0.1.ebuild,
+  -zeromq-4.0.4-r1.ebuild, metadata.xml:
+  Version Bump, #539440; drop old, fixes two security problems, #523850; Add
+  SLOT operators, #511526; improve USE description, #507948
+

Bumped and all vulnerable versions removed.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-11 14:45:55 UTC
Thanks. No stable version affected, closing noglsa