Date: Fri, 26 Sep 2014 15:46:13 +0200
From: rf@...eap.de
To: oss-security@...ts.openwall.com
CC: zeromq-dev@...ts.zeromq.org
Subject: CVE request: zeromq

Hi,

I've taken over CVE handling for zeromq. There were two issues fixed recently. Could you please assign a CVE to them?

Matthew Hawn found that libzmq (ZeroMQ/C++) did not validate the other party's security handshake properly, allowing a man-in-the-middle downgrade attack.
Code commit: https://github.com/zeromq/libzmq/issues/1190

Matthew Hawn found that libzmq (ZeroMQ/C++) did not implement a uniqueness check on connection nonces, and the CurveZMQ RFC was ambiguous about nonce validation. This allowed replay attacks.
Code commit: https://github.com/zeromq/libzmq/issues/1191

Only ZMQ versions 4.0.x with x < 5 are affected. 4.0.5 is about to be released.

Thanks,
Roland

-------
http://www.q-leap.com / http://qlustar.com --- HPC / Storage / Cloud Linux Cluster OS ---
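As an added illustration of the two receive-side checks the report describes (my own model, not libzmq's code): the peer's announced mechanism must equal the configured one, and each short nonce must be strictly greater than the last one accepted. The nonce layout (16-byte role prefix plus 8-byte big-endian counter), the null-padded mechanism field and the strictly-increasing rule are assumptions about how the fix behaves.

```python
import struct

# Assumed CurveZMQ layout: 16-byte role prefix + 8-byte counter = 24-byte nonce.
NONCE_PREFIX = {"CLIENT": b"CurveZMQCLIENT--", "SERVER": b"CurveZMQSERVER--"}


class HandshakeError(Exception):
    pass


class CurvePeerState:
    """Per-connection receive state for one peer (constructed model)."""

    def __init__(self, expected_mechanism: bytes, peer_role: str):
        self.expected_mechanism = expected_mechanism
        self.prefix = NONCE_PREFIX[peer_role]
        self.last_nonce = 0  # highest short nonce accepted so far

    def check_mechanism(self, announced: bytes) -> bool:
        # Issue 1190: a peer announcing another mechanism (e.g. NULL when CURVE
        # was configured) is rejected instead of silently downgrading.
        if announced.rstrip(b"\x00") != self.expected_mechanism:
            raise HandshakeError(f"mechanism mismatch: {announced!r}")
        return True

    def accept_nonce(self, full_nonce: bytes) -> int:
        # Issue 1191: equal or lower counters are replays (assumed rule).
        if len(full_nonce) != 24 or not full_nonce.startswith(self.prefix):
            raise HandshakeError("malformed nonce")
        (short,) = struct.unpack(">Q", full_nonce[16:])
        if short <= self.last_nonce:
            raise HandshakeError(f"replayed nonce {short}")
        self.last_nonce = short
        return short


def make_nonce(role: str, counter: int) -> bytes:
    """Build a full nonce the way a sending peer would (assumed layout)."""
    return NONCE_PREFIX[role] + struct.pack(">Q", counter)


def replay_is_rejected() -> bool:
    """Feed a server one client nonce, then the identical nonce again."""
    srv = CurvePeerState(b"CURVE", "CLIENT")
    srv.accept_nonce(make_nonce("CLIENT", 1))
    try:
        srv.accept_nonce(make_nonce("CLIENT", 1))
    except HandshakeError:
        return True
    return False
```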