[zeromq-announce] libzmq 4.3.2 has been released

Luca Boccassi luca.boccassi at gmail.com
Mon Sep 7 18:33:47 CEST 2020


Hello everyone,

The ZeroMQ community is proud to announce the release of version 4.3.3!

Please note that this release fixes several security bugs, one of which warranted a CVE:

* CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
  unauthenticated clients.
  If a raw TCP socket is opened and connected to an endpoint that is fully
  configured with CURVE/ZAP, legitimate clients will not be able to exchange
  any message. Handshakes complete successfully, and messages are delivered to
  the library, but the server application never receives them.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
* Stack overflow on server running PUB/XPUB socket (CURVE disabled).
  The PUB/XPUB subscription store (mtrie) is traversed using recursive
  function calls. In the remove (unsubscription) case, the recursive calls are
  NOT tail calls, so even with optimizations the stack grows linearly with the
  length of a subscription topic. Topics are under the control of remote
  clients - they can send a subscription to a topic of arbitrary length. An
  attacker can thus cause a server to create an mtrie sufficiently large such
  that, when unsubscribing, traversal will cause a stack overflow.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
* Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
  Messages with metadata are never processed by PUB sockets, but the metadata
  is kept referenced in the PUB object and never freed.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
* Memory leak in client induced by malicious server(s) without CURVE/ZAP.
  When a pipe processes a delimiter and is already not in active state but
  still has an unfinished message, the message is leaked.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
* Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
  By crafting a packet which is not valid ZMTP v2/v3, and which has two
  messages larger than 8192 bytes, the decoder can be tricked into changing
  the recorded size of the 8192-byte static buffer, which then gets overflowed
  by the next message. The content that gets written in the overflowed memory
  is entirely decided by the sender.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6


New release:

https://github.com/zeromq/libzmq/releases/tag/v4.3.3


Distributable tarball and zip files can be found on the above link,
together with the full changelog.

Binary packages for the most common Linux distros and architectures can
be found here, for DEB and RPM respectively:

http://software.opensuse.org/download.html?project=network%3Amessaging%3Azeromq%3Arelease-stable&package=libzmq3-dev


http://software.opensuse.org/download.html?project=network%3Amessaging%3Azeromq%3Arelease-stable&package=zeromq-devel


This is a patch release. This release is ABI compatible with libzmq
4.1.2 and up.

Please report any issues on the GitHub tracker.

-- 
Kind regards,
Luca Boccassi
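
The PUB/XPUB item above attributes the stack growth to non-tail recursion during unsubscription. As an added illustration (not libzmq's code and not the change shipped in the release), this simplified byte trie removes a topic using loops and parent pointers, so stack use does not depend on topic length; `node_t`, `trie_add` and `trie_rm` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified byte trie (assumption: libzmq's mtrie has a different layout). */
typedef struct node {
    struct node *parent, *child, *sibling; /* first child, next sibling */
    unsigned char byte;                    /* edge label from parent */
    unsigned refs;                         /* subscriptions ending at this node */
} node_t;

static node_t *find_child(node_t *n, unsigned char b) {
    node_t *c = n->child;
    while (c && c->byte != b) c = c->sibling;
    return c;
}

/* Add a subscription. Returns 0 on success, -1 on allocation failure. */
int trie_add(node_t *root, const unsigned char *topic, size_t len) {
    node_t *n = root;
    for (size_t i = 0; i < len; i++) {
        node_t *c = find_child(n, topic[i]);
        if (!c) {
            c = calloc(1, sizeof *c);
            if (!c) return -1;
            c->byte = topic[i];
            c->parent = n;
            c->sibling = n->child;
            n->child = c;
        }
        n = c;
    }
    n->refs++;
    return 0;
}

/* Remove a subscription without recursion. Returns 1 if removed, 0 if absent. */
int trie_rm(node_t *root, const unsigned char *topic, size_t len) {
    node_t *n = root;
    for (size_t i = 0; i < len && n; i++)
        n = find_child(n, topic[i]);
    if (!n || n->refs == 0) return 0;
    n->refs--;
    /* Prune now-empty nodes upward through parent pointers. */
    while (n != root && n->refs == 0 && !n->child) {
        node_t *p = n->parent, **link = &p->child;
        while (*link != n) link = &(*link)->sibling;
        *link = n->sibling;
        free(n);
        n = p;
    }
    return 1;
}
```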