From ${URL} :

Matthew Hawn found that libzmq (ZeroMQ/C++) did not validate the other party's security handshake properly, allowing a man-in-the-middle downgrade attack.
Code commit: https://github.com/zeromq/libzmq/issues/1190

Matthew Hawn found that libzmq (ZeroMQ/C++) did not implement a uniqueness check on connection nonces, and the CurveZMQ RFC was ambiguous about nonce validation. This allowed replay attacks.
Code commit: https://github.com/zeromq/libzmq/issues/1191

Only ZMQ versions 4.0.x with x < 5 are affected. 4.0.5 is about to be released.

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
+*zeromq-4.0.5 (11 Feb 2015)
+
+  11 Feb 2015; Justin Lecher <jlec@gentoo.org> +zeromq-4.0.5.ebuild,
+  -zeromq-3.2.4-r1.ebuild, -zeromq-4.0.1-r1.ebuild, -zeromq-4.0.1.ebuild,
+  -zeromq-4.0.4-r1.ebuild, metadata.xml:
+  Version Bump, #539440; drop old, fixes two security problems, #523850; Add
+  SLOT operators, #511526; improve USE description, #507948

Bumped and all vulnerable versions removed.
Thanks. No stable version affected, closing noglsa