[zeromq-dev] Security downgrade attacks in 4.0.5, 4.1.0

Pieter Hintjens ph at imatix.com
Fri Dec 5 11:33:52 CET 2014


Yes, this should be in the RFC, that is a good idea. Thanks.

On Fri, Dec 5, 2014 at 11:30 AM, Doron Somech <somdoron at gmail.com> wrote:
> I think it is important to document all security issues (wiki or part of the
> RFC), mainly for other implementations of the protocol and to not repeat
> the issues in the future.
>
> On Fri, Dec 5, 2014 at 10:13 AM, Pieter Hintjens <ph at imatix.com> wrote:
>>
>> Hi all,
>>
>> @MinRK reported and fixed a downgrade attack in the 4.0.5 stable
>> release of libzmq, and the 4.1.0 RC1. See
>> https://github.com/zeromq/libzmq/issues/1273.
>>
>> The fix is on libzmq master, and also on zeromq4-x and zeromq4-1 masters.
>>
>> When I get some confirmation that these two masters look OK, I'll make
>> new packages with the releases.
>>
>> For 4.1 RC2, if anyone has specific fixes to libzmq master they still
>> want to backport, please raise a hand, or make the usual pull
>> requests.
>>
>> Thanks,
>> -Pieter
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev at lists.zeromq.org
>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev