Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 7 May 2015 16:49:08 +0200
From: Alessandro Ghedini <alessandro@...dini.me>
To: oss-security@...ts.openwall.com
Cc: zeromq-dev@...ts.zeromq.org
Subject: CVE Request: zeromq downgrade attack

[ CCing upstream mailing list ]

Hello,

From https://github.com/zeromq/libzmq/issues/1273 :

> It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a
> ZMTP v2 or earlier header. The library accepts such connections without
> applying its security mechanism.
> 
> Solution: if security is defined on a socket, reject all V2 and earlier
> connections, unconditionally.

A patch for the zeromq 4.0.x stable series is available at
https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51

AFAICT no CVE has been assigned (or requested) for this, and the issue has
been public since December of last year.

Could a CVE be assigned please?

Cheers

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ