[zeromq-announce] CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients

Luca Boccassi luca.boccassi at gmail.com
Mon Sep 7 18:33:54 CEST 2020


Hello,

A security vulnerability has been found in libzmq/zeromq.

* CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
  unauthenticated clients.
  If a raw TCP socket is opened and connected to an endpoint that is fully
  configured with CURVE/ZAP, legitimate clients will not be able to exchange
  any message. Handshakes complete successfully, and messages are delivered to
  the library, but the server application never receives them.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

The following upstream releases fix the issue and will shortly be
available:

https://github.com/zeromq/libzmq/releases/tag/v4.3.3

https://github.com/zeromq/zeromq4-x/releases/tag/v4.0.10

https://github.com/zeromq/zeromq4-1/releases/tag/v4.1.8
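A small version check, added here as an example and not part of the announcement or of the libzmq project: it decides whether a linked libzmq version carries the CVE-2020-15166 fix, using the three fixed releases named above. It assumes that any release at or above 4.3.3 (including later minor or major versions) contains the fix, that the 4.0 and 4.1 branches are fixed only from 4.0.10 and 4.1.8 respectively, and, conservatively, that any other branch (for instance 4.2.x, for which no fixed release is listed here) is not known to be fixed. The optional pyzmq lookup uses `zmq.zmq_version()`, which reports the version of the libzmq the bindings are linked against.

```python
"""Check a libzmq version string against the CVE-2020-15166 fixed releases.

Added example; the branch rules below are assumptions derived from the
releases named in the announcement, not a statement by the libzmq project.
"""
from typing import Optional, Tuple

# Fixed releases for the maintenance branches named in the announcement.
FIXED_4_0 = (4, 0, 10)
FIXED_4_1 = (4, 1, 8)
FIXED_MAIN = (4, 3, 3)  # everything at or above this is assumed fixed


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a '-rc1' or '+local' suffix is ignored."""
    core = text.split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised libzmq version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_fixed(version: str) -> bool:
    """True if the version is known to contain the CVE-2020-15166 fix."""
    v = parse_version(version)
    if v >= FIXED_MAIN:
        return True  # 4.3.3 and anything newer (4.3.4, 4.4.x, 5.x ...)
    branch = v[:2]
    if branch == (4, 0):
        return v >= FIXED_4_0
    if branch == (4, 1):
        return v >= FIXED_4_1
    # Assumption: branches without a listed fixed release (e.g. 4.2.x)
    # and anything older are treated as not known to be fixed.
    return False


def linked_libzmq_version() -> Optional[str]:
    """Return the libzmq version pyzmq is linked against, or None if pyzmq is absent."""
    try:
        import zmq  # pyzmq, optional dependency for this check
    except ImportError:
        return None
    return zmq.zmq_version()


def report(version: Optional[str]) -> str:
    """Human-readable verdict for a version string (None = not detected)."""
    if version is None:
        return "libzmq version not detected (pyzmq not installed)"
    status = "contains fix" if is_fixed(version) else "NOT known to be fixed"
    return f"libzmq {version}: {status} for CVE-2020-15166"


if __name__ == "__main__":
    # Constructed sample inputs, plus whatever is actually linked in.
    for sample in ("4.0.9", "4.0.10", "4.1.8", "4.2.5", "4.3.2", "4.3.3", "4.3.4"):
        print(report(sample))
    print(report(linked_libzmq_version()))
```

Run it on a host to get a verdict for the linked library; for other languages or bindings, feed `is_fixed()` the version string your runtime reports. The conservative default for unlisted branches means an unpatched 4.2.x is flagged rather than silently passed.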


Individual backported patches can be found on the upstream bug tracker,
and have been sent separately to the security teams of various
distributions:

https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

-- 
Kind regards,
Luca Boccassi