A vulnerability in ZeroMQ could lead to a Denial of Service condition.
Package | net-libs/zeromq on all architectures |
---|---|
Affected versions | < 4.3.3 |
Unaffected versions | >= 4.3.3 |
Looks like an embeddable networking library but acts like a concurrency framework.
It was discovered that ZeroMQ does not properly handle connecting peers before a handshake is completed.
An unauthenticated remote attacker able to connect to a ZeroMQ endpoint, even with CURVE encryption/authentication enabled, can cause a Denial of Service condition.
There is no known workaround at this time.
All ZeroMQ users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/zeromq-4.3.3"
Release date
September 13, 2020
Latest revision
September 13, 2020: 1
Severity
normal
Exploitable
local, remote
Bugzilla entries