Date: Mon, 11 May 2015 07:13:20 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: oss-security@...ts.openwall.com Cc: zeromq-dev@...ts.zeromq.org, CVE Assignments MITRE <cve-assign@...re.org> Subject: Re: CVE Request: zeromq downgrade attack Hi, On Thu, May 07, 2015 at 04:49:08PM +0200, Alessandro Ghedini wrote: > [ CCing upstream mailing list ] > > Hello, > > From https://github.com/zeromq/libzmq/issues/1273 : > > > It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a > > ZMTP v2 or earlier header. The library accepts such connections without > > applying its security mechanism. > > > > Solution: if security is defined on a socket, reject all V2 and earlier > > connections, unconditionally. > > A patch for the zeromq 4.0.x stable series is available at > https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 > > AFAICT no CVE has been assigned (or requested) for this, and the issue has > been public since December of last year. > > Could a CVE be assigned please? For reference, an update for this issue has been released yesterday in Debian as https://lists.debian.org/debian-security-announce/2015/msg00144.html Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ