Date: Thu, 7 May 2015 16:49:08 +0200 From: Alessandro Ghedini <alessandro@...dini.me> To: oss-security@...ts.openwall.com Cc: zeromq-dev@...ts.zeromq.org Subject: CVE Request: zeromq downgrade attack [ CCing upstream mailing list ] Hello, From https://github.com/zeromq/libzmq/issues/1273 : > It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a > ZMTP v2 or earlier header. The library accepts such connections without > applying its security mechanism. > > Solution: if security is defined on a socket, reject all V2 and earlier > connections, unconditionally. A patch for the zeromq 4.0.x stable series is available at https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 AFAICT no CVE has been assigned (or requested) for this, and the issue has been public since December of last year. Could a CVE be assigned please? Cheers Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ