Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

ZeroMQ: Denial of service — GLSA 202009-12

A vulnerability in ZeroMQ could lead to a Denial of Service condition.

Affected packages

Package net-libs/zeromq on all architectures
Affected versions < 4.3.3
Unaffected versions >= 4.3.3

Background

Looks like an embeddable networking library but acts like a concurrency framework.

Description

It was discovered that ZeroMQ does not properly handle connecting peers before a handshake is completed.

Impact

An unauthenticated remote attacker able to connect to a ZeroMQ endpoint, even with CURVE encryption/authentication enabled, can cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All ZeroMQ users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/zeromq-4.3.3"

References

Release date
September 13, 2020

Latest revision
September 13, 2020: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries