[zeromq-dev] CVE request: zeromq
rf at q-leap.de
Fri Sep 26 15:46:13 CEST 2014
Hi,
I've taken over CVE handling for zeromq. There were two issues fixed
recently. Could you please assign a CVE to them?
Matthew Hawn found that libzmq (ZeroMQ/C++) did not validate the other
party's security handshake properly, allowing a man-in-the-middle
downgrade attack.
Code commit: https://github.com/zeromq/libzmq/issues/1190
Matthew Hawn found that libzmq (ZeroMQ/C++) did not implement a
uniqueness check on connection nonces, and the CurveZMQ RFC was
ambiguous about nonce validation. This allowed replay attacks.
Code commit: https://github.com/zeromq/libzmq/issues/1191
Only ZMQ versions 4.0.x with x < 5 are affected. 4.0.5 is about to be released.
Thanks,
Roland
-------
http://www.q-leap.com / http://qlustar.com
--- HPC / Storage / Cloud Linux Cluster OS ---
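The two defects above (accepting whatever security mechanism the peer advertises, and not checking that a connection nonce has never been seen before) are the kind of handshake-validation rules a defender can unit-test directly. The following C++ block is an added illustration and is not libzmq's code or the fix from the linked issues; the Mechanism enum, the Greeting struct, the 24-byte nonce size and the sample greetings are all constructed for the example. It shows a validator that refuses a mechanism other than the one the socket was configured with (blocking a downgrade) and rejects any nonce that repeats (blocking a replay).

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

// Toy security mechanisms, modelled loosely on NULL/PLAIN/CURVE. Constructed
// for this example; not libzmq's own types.
enum class Mechanism { NONE, PLAIN, CURVE };

// Simplified peer handshake message: the mechanism the peer claims plus a
// 24-byte nonce. Constructed layout, not the real ZMTP greeting.
using Nonce = std::array<uint8_t, 24>;
struct Greeting {
    Mechanism mechanism;
    Nonce nonce;
};

class HandshakeValidator {
public:
    explicit HandshakeValidator(Mechanism required) : required_(required) {}

    // Anti-downgrade check: the peer must advertise exactly the mechanism this
    // socket was configured with. Anything else (for example PLAIN or NONE when
    // CURVE was required) is rejected instead of silently accepted.
    bool mechanism_matches(const Greeting& g) const { return g.mechanism == required_; }

    // Anti-replay check: a nonce is accepted only the first time it is seen.
    // std::set::insert returns {iterator, inserted}; inserted == false means
    // the nonce was already recorded, i.e. a replay.
    bool nonce_is_fresh(const Greeting& g) { return seen_.insert(g.nonce).second; }

    // Full validation: both checks must pass. The mechanism is checked first so
    // a downgraded greeting never gets to record its nonce.
    bool accept(const Greeting& g) { return mechanism_matches(g) && nonce_is_fresh(g); }

    std::size_t seen_count() const { return seen_.size(); }

private:
    Mechanism required_;
    std::set<Nonce> seen_;
};

// Builds a nonce whose bytes are all `fill` (constructed test data).
Nonce make_nonce(uint8_t fill) {
    Nonce n;
    n.fill(fill);
    return n;
}

// Drives a constructed sequence of greetings through a CURVE-only validator and
// returns the accept/reject decision for each one, in order.
std::vector<bool> run_sample() {
    HandshakeValidator v(Mechanism::CURVE);
    std::vector<bool> out;
    out.push_back(v.accept({Mechanism::CURVE, make_nonce(0x01)}));  // genuine greeting: accepted
    out.push_back(v.accept({Mechanism::PLAIN, make_nonce(0x02)}));  // downgrade attempt: rejected
    out.push_back(v.accept({Mechanism::CURVE, make_nonce(0x01)}));  // replayed nonce: rejected
    out.push_back(v.accept({Mechanism::CURVE, make_nonce(0x03)}));  // fresh nonce: accepted
    return out;
}
```

The unbounded std::set keeps the example short; a production implementation bounds the state, for instance by requiring per-connection nonces to be strictly increasing and only remembering the highest value seen, which gives the same replay rejection without growing memory per message.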