Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <822f14305cc419ab1b2027fb88f1ca4c7b83c766.camel@debian.org>
Date: Mon, 07 Sep 2020 17:34:00 +0100
From: Luca Boccassi <bluca@...ian.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2020-15166: zeromq/libzmq: Denial-of-Service on
 CURVE/ZAP-protected servers by  unauthenticated clients

Hello,

A security vulnerability has been found in libzmq/zeromq.

CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
unauthenticated clients.
If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange
any message. Handshakes complete successfully, and messages are delivered to
the library, but the server application never receives them.
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

The following upstream releases fix the issue:

https://github.com/zeromq/libzmq/releases/tag/v4.3.3

https://github.com/zeromq/zeromq4-x/releases/tag/v4.0.10

https://github.com/zeromq/zeromq4-1/releases/tag/v4.1.8


Individual backported patches can be found on the upstream bug tracker,
and have been sent separately to the security teams of various
distributions:

https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

-- 
Kind regards,
Luca Boccassi

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.