[zeromq-dev] Security downgrade attacks in 4.0.5, 4.1.0

Doron Somech somdoron at gmail.com
Fri Dec 5 11:30:17 CET 2014


I think it is important to document all security issues (wiki or part of the
RFC), mainly for other implementations of the protocol and to not repeat
the issues in the future.

On Fri, Dec 5, 2014 at 10:13 AM, Pieter Hintjens <ph at imatix.com> wrote:

> Hi all,
>
> @MinRK reported and fixed a downgrade attack in the 4.0.5 stable
> release of libzmq, and the 4.1.0 RC1. See
> https://github.com/zeromq/libzmq/issues/1273.
>
> The fix is on libzmq master, and also on zeromq4-x and zeromq4-1 masters.
>
> When I get some confirmation that these two masters look OK, I'll make
> new packages with the releases.
>
> For 4.1 RC2, if anyone has specific fixes to libzmq master they still
> want to backport, please raise a hand, or make the usual pull
> requests.
>
> Thanks,
> -Pieter
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>