[zeromq-announce] libzmq 4.0.10 has been released

Luca Boccassi luca.boccassi at gmail.com
Mon Sep 7 18:33:25 CEST 2020


Hello everyone,

The ZeroMQ community is proud to announce the release of version 4.0.10!

Please note that this release fixes several security bugs, one of which warranted a CVE:

* CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
  unauthenticated clients.
  If a raw TCP socket is opened and connected to an endpoint that is fully
  configured with CURVE/ZAP, legitimate clients will not be able to exchange
  any message. Handshakes complete successfully, and messages are delivered to
  the library, but the server application never receives them.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
* Stack overflow on server running PUB/XPUB socket (CURVE disabled).
  The PUB/XPUB subscription store (mtrie) is traversed using recursive
  function calls. In the remove (unsubscription) case, the recursive calls are
  NOT tail calls, so even with optimizations the stack grows linearly with the
  length of a subscription topic. Topics are under the control of remote
  clients - they can send a subscription to arbitrary length topics. An
  attacker can thus cause a server to create an mtrie sufficiently large such
  that, when unsubscribing, traversal will cause a stack overflow.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
* Memory leak in client induced by malicious server(s) without CURVE/ZAP.
  When a pipe processes a delimiter and is already not in active state but
  still has an unfinished message, the message is leaked.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87


New release:

https://github.com/zeromq/zeromq4-x/releases/tag/v4.0.10


Distributable tarball and zip files can be found on the above link,
together with the full changelog.

This is a patch release. This release is ABI compatible with libzmq
4.0.0 and up.

Please report any issues on the Github tracker.

-- 
Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <https://lists.zeromq.org/pipermail/zeromq-announce/attachments/20200907/60ca59f1/attachment.sig>


More information about the zeromq-announce mailing list