A security vulnerability has been found in libzmq/zeromq.

CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by

If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange
any message. Handshakes complete successfully, and messages are delivered to
the library, but the server application never receives them.

For more information see the security advisory:

The following upstream releases fix the issue:

Individual backported patches can be found on the upstream bug tracker,
and have been sent separately to the security teams of various
The bug has been referenced in the following commit(s):
Author: Thomas Deutschmann <email@example.com>
AuthorDate: 2020-09-07 22:02:55 +0000
Commit: Thomas Deutschmann <firstname.lastname@example.org>
CommitDate: 2020-09-07 22:05:57 +0000
net-libs/zeromq: bump to v4.3.3
Package-Manager: Portage-3.0.5, Repoman-3.0.1
Signed-off-by: Thomas Deutschmann <email@example.com>
net-libs/zeromq/Manifest | 1 +
net-libs/zeromq/zeromq-4.3.3.ebuild | 61 +++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+)
New GLSA request filed.
This issue was resolved and addressed in
GLSA 202009-12 at https://security.gentoo.org/glsa/202009-12
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
Please stabilize amd64.
All arches done.