[zeromq-dev] Remote code execution in libzmq 4.2.0 -> 4.3.0
Luca Boccassi
luca.boccassi at gmail.com
Sun Jan 13 12:02:42 CET 2019
Hi,
I already provided patches for the main LTS distributions that ship
older affected versions.
For users doing their own deployments, there is no reason to hold back.
4.3.1 is fully API and ABI compatible all the way back to 4.1.x; there
were no major changes. Therefore I am not going to fork 4.2.x in the
upstream repository.
If users want to manually patch older versions, the one-line patches I
prepared can be found on the following bug trackers:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919098 (4.2.1)
https://bugs.launchpad.net/suse/+source/zeromq/+bug/1811531 (4.2.5)
https://bugzilla.opensuse.org/show_bug.cgi?id=1121717 (4.2.2 and 4.2.3)
On Sat, 2019-01-12 at 15:23 -0500, Trevor Bernard wrote:
> It would be prudent to also backport that RCE fix to 4.2.x
>
> -Trev
>
> On Sat, Jan 12, 2019 at 1:44 PM Luca Boccassi <luca.boccassi at gmail.com> wrote:
> >
> > Hi,
> >
> > Please note that a remote execution vulnerability has been uncovered;
> > it affects all versions of libzmq from 4.2.0 up to and including 4.3.0.
> >
> > Users deploying with ASLR and/or CURVE/GSSAPI are not affected.
> > Deployments of public endpoints without any of those mitigations are
> > strongly encouraged to update as soon as possible.
> >
> > See release announcement for details and links:
> >
> > https://lists.zeromq.org/pipermail/zeromq-announce/2019-January/000058.html
> >
> > --
> > Kind regards,
> > Luca Boccassi
> > _______________________________________________
> > zeromq-dev mailing list
> > zeromq-dev at lists.zeromq.org
> > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
--
Kind regards,
Luca Boccassi
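A small defender-side check that follows from the thread above: the announcement gives the affected range as libzmq 4.2.0 up to and including 4.3.0, and states that deployments using ASLR and/or CURVE/GSSAPI are not affected. The script below is an added example, not code from the libzmq project or from anyone in this thread; it parses a libzmq version string (tolerating distro suffixes such as `4.2.5-1`), reports whether it falls inside the affected range, and combines that with the mitigation status the operator supplies. The optional `zmq.zmq_version()` lookup uses pyzmq's real API, and the assumption is only that pyzmq may or may not be installed.

```python
"""Classify a deployed libzmq against the range given in the zeromq-announce
notice (4.2.0 <= version <= 4.3.0), taking the stated mitigations into
account.  Added example; not part of libzmq or this mailing-list thread."""
import re

# Inclusive range quoted in the announcement.
AFFECTED_MIN = (4, 2, 0)
AFFECTED_MAX = (4, 3, 0)

# Constructed sample inventory, e.g. what a fleet scan might return.
# (host name and versions are made up for illustration)
SAMPLE_INVENTORY = {
    "broker-a": "4.2.5-1",      # Debian-style package suffix
    "broker-b": "4.3.0+dfsg",   # upstream tarball repack suffix
    "broker-c": "4.3.1",
    "broker-d": "4.1.7",
}


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from a libzmq version string.

    Only the leading numeric triple is used, so packaging suffixes such as
    '-1', '+dfsg' or '~rc1' do not break the comparison.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised libzmq version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version lies in the inclusive range 4.2.0 .. 4.3.0."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(version: str, *, aslr: bool = False, curve_or_gssapi: bool = False) -> str:
    """Combine the version check with the mitigations the notice names.

    The notice says deployments with ASLR and/or CURVE/GSSAPI are not
    affected, and that public endpoints without either should update.
    """
    if not is_affected(version):
        return "not-affected: version outside 4.2.0..4.3.0"
    if aslr or curve_or_gssapi:
        return "mitigated: affected version but ASLR or CURVE/GSSAPI in use"
    return "vulnerable: update to 4.3.1 or apply the backported one-line fix"


def installed_libzmq_version():
    """Version of the libzmq that pyzmq is linked against, or None if pyzmq
    is not installed.  zmq.zmq_version() is pyzmq's real API."""
    try:
        import zmq  # assumption: pyzmq may be absent on the host
    except ImportError:
        return None
    return zmq.zmq_version()


def assess_inventory(inventory: dict, *, aslr: bool = False,
                     curve_or_gssapi: bool = False) -> dict:
    """Apply assess() to a {host: version} mapping and return {host: verdict}."""
    return {host: assess(ver, aslr=aslr, curve_or_gssapi=curve_or_gssapi)
            for host, ver in inventory.items()}


if __name__ == "__main__":
    local = installed_libzmq_version()
    if local is not None:
        print(f"local libzmq {local}: {assess(local)}")
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {SAMPLE_INVENTORY[host]:12s} {verdict}")
```

The mitigation flags are deliberately explicit arguments rather than something the script guesses: whether a socket actually has CURVE or GSSAPI enabled is a property of the application's socket options, and whether ASLR is in effect is a property of the build and the host, so the operator supplies those facts and the script only does the version bookkeeping.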