[zeromq-dev] CVE request: zeromq

rf at q-leap.de rf at q-leap.de
Fri Sep 26 15:46:13 CEST 2014


I've taken over CVE handling for zeromq. There were two issues fixed
recently. Could you please assign a CVE to them?

Matthew Hawn found that libzmq (ZeroMQ/C++) did not validate the other
party's security handshake properly, allowing a man-in-the-middle
downgrade attack. 
Code commit: https://github.com/zeromq/libzmq/issues/1190

Matthew Hawn found that libzmq (ZeroMQ/C++) did not implement a
uniqueness check on connection nonces, and the CurveZMQ RFC was
ambiguous about nonce validation. This allowed replay attacks.
Code commit: https://github.com/zeromq/libzmq/issues/1191

Only ZMQ versions 4.0.x with x < 5 are affected. 4.0.5 is about to be released.



http://www.q-leap.com / http://qlustar.com
          --- HPC / Storage / Cloud Linux Cluster OS ---

More information about the zeromq-dev mailing list