Date: Fri, 15 May 2015 15:44:53 +0200 From: Alessandro Ghedini <alessandro@...dini.me> To: oss-security@...ts.openwall.com, cve-assign@...re.org Cc: zeromq-dev@...ts.zeromq.org Subject: Re: CVE Request: zeromq downgrade attack On Thu, May 07, 2015 at 04:49:08PM +0200, Alessandro Ghedini wrote: > [ CCing upstream mailing list ] > > Hello, > > From https://github.com/zeromq/libzmq/issues/1273 : > > > It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a > > ZMTP v2 or earlier header. The library accepts such connections without > > applying its security mechanism. > > > > Solution: if security is defined on a socket, reject all V2 and earlier > > connections, unconditionally. > > A patch for the zeromq 4.0.x stable series is available at > https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 > > AFAICT no CVE has been assigned (or requested) for this, and the issue has > been public since December of last year. > > Could a CVE be assigned please? Ping? Cheers Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ