Comment 1 Thomas Deutschmann (RETIRED) 2020-09-07 21:42:03 UTC

A security vulnerability has been found in libzmq/zeromq.

CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
unauthenticated clients.
If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange
any message. Handshakes complete successfully, and messages are delivered to
the library, but the server application never receives them.
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

The following upstream releases fix the issue:

https://github.com/zeromq/libzmq/releases/tag/v4.3.3

https://github.com/zeromq/zeromq4-x/releases/tag/v4.0.10

https://github.com/zeromq/zeromq4-1/releases/tag/v4.1.8


Individual backported patches can be found on the upstream bug tracker,
and have been sent separately to the security teams of various
distributions:

https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

Comment 2 Larry the Git Cow 2020-09-07 22:06:03 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af1aa5dda0985512c063560717852166af82e144

commit af1aa5dda0985512c063560717852166af82e144
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-07 22:02:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-07 22:05:57 +0000

    net-libs/zeromq: bump to v4.3.3
    
    Bug: https://bugs.gentoo.org/740574
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/zeromq/Manifest            |  1 +
 net-libs/zeromq/zeromq-4.3.3.ebuild | 61 +++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)

Comment 3 Sam James 2020-09-08 04:07:45 UTC

arm64 done

Comment 4 Thomas Deutschmann (RETIRED) 2020-09-08 15:58:17 UTC

x86 stable

Comment 5 Sam James 2020-09-08 15:58:30 UTC

arm done

Comment 6 Sergei Trofimovich (RETIRED) 2020-09-10 07:47:55 UTC

sparc stable

Comment 7 Sergei Trofimovich (RETIRED) 2020-09-10 07:51:31 UTC

ppc64 stable

Comment 8 Rolf Eike Beer 2020-09-10 19:54:55 UTC

hppa stable

Comment 9 Sam James 2020-09-12 17:48:16 UTC

ppc stable

Comment 10 Thomas Deutschmann (RETIRED) 2020-09-12 19:59:05 UTC

New GLSA request filed.

Comment 11 GLSAMaker/CVETool Bot 2020-09-13 23:43:46 UTC

This issue was resolved and addressed in
 GLSA 202009-12 at https://security.gentoo.org/glsa/202009-12
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 12 Thomas Deutschmann (RETIRED) 2020-09-13 23:44:14 UTC

Re-opening for remaining architectures.

Please stabilize amd64.

Comment 14 Sam James 2020-09-19 19:51:21 UTC

amd64 done

all arches done

Comment 15 Sam James 2020-09-19 20:05:03 UTC

Please cleanup.

Comment 16 Larry the Git Cow 2020-11-26 13:26:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01f5ad8ee1779baa0c5d4cee30c5eb09d7bc6aef

commit 01f5ad8ee1779baa0c5d4cee30c5eb09d7bc6aef
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-26 00:40:18 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-11-26 13:26:23 +0000

    net-libs/zeromq: security cleanup
    
    Bug: https://bugs.gentoo.org/740574
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/zeromq/Manifest            |  3 --
 net-libs/zeromq/zeromq-2.2.0.ebuild | 53 --------------------------------
 net-libs/zeromq/zeromq-3.2.5.ebuild | 61 -------------------------------------
 net-libs/zeromq/zeromq-4.3.2.ebuild | 61 -------------------------------------
 profiles/package.deprecated         |  4 ---
 5 files changed, 182 deletions(-)

Comment 17 Thomas Deutschmann (RETIRED) 2020-11-26 13:29:05 UTC

Repository is clean, all done.