oss-sec mailing list archives

CVE request: zeromq


From: rf () q-leap de
Date: Fri, 26 Sep 2014 15:46:13 +0200

Hi,

I've taken over CVE handling for zeromq. There were two issues fixed
recently. Could you please assign a CVE to them?

Matthew Hawn found that libzmq (ZeroMQ/C++) did not validate the other
party's security handshake properly, allowing a man-in-the-middle
downgrade attack.
Code commit: https://github.com/zeromq/libzmq/issues/1190

Matthew Hawn found that libzmq (ZeroMQ/C++) did not implement a
uniqueness check on connection nonces, and the CurveZMQ RFC was
ambiguous about nonce validation. This allowed replay attacks.
Code commit: https://github.com/zeromq/libzmq/issues/1191

Only ZMQ versions 4.0.x with x < 5 are affected. 4.0.5 is about to be released.

Thanks,

Roland

-------
http://www.q-leap.com / http://qlustar.com
          --- HPC / Storage / Cloud Linux Cluster OS ---
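The two defects above, modelled as the checks a receiving side would perform (an added example written here; it is a constructed model, not libzmq's own code). It assumes a ZMTP 3.0 greeting with a 20-byte mechanism field and an 8-byte big-endian CurveZMQ message nonce, and enforces nonce uniqueness as strict monotonic increase, which is one way to implement the check the report calls for.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <string>

// Constructed model of a ZMTP 3.0 greeting: the peer announces its security
// mechanism ("NULL", "PLAIN", "CURVE") as a 20-byte, NUL-padded field.
struct Greeting {
    char mechanism[20];
};

Greeting make_greeting(const std::string &mech) {
    Greeting g{};
    std::memset(g.mechanism, 0, sizeof g.mechanism);
    std::memcpy(g.mechanism, mech.data(), std::min(mech.size(), sizeof g.mechanism));
    return g;
}

// Downgrade check (issue 1190): the mechanism the peer advertises must equal the
// one this socket was configured with. A peer announcing NULL to a socket that
// expects CURVE is rejected instead of being silently accepted in the clear.
bool mechanism_matches(const Greeting &peer, const std::string &configured) {
    Greeting expected = make_greeting(configured);
    return std::memcmp(peer.mechanism, expected.mechanism, sizeof expected.mechanism) == 0;
}

// Replay check (issue 1191): track the highest message nonce seen from the peer
// on this connection and reject any nonce that is not strictly greater, so a
// captured MESSAGE command cannot be fed back in a second time.
struct PeerNonceState {
    uint64_t last = 0;  // no message accepted yet; first valid nonce must be >= 1
};

uint64_t decode_nonce(const uint8_t *nonce8) {
    uint64_t n = 0;
    for (int i = 0; i < 8; ++i)
        n = (n << 8) | nonce8[i];  // 8-byte big-endian counter (assumed layout)
    return n;
}

bool accept_nonce(PeerNonceState &st, uint64_t nonce) {
    if (nonce <= st.last)
        return false;  // duplicate or out-of-order nonce: treat as replay
    st.last = nonce;
    return true;
}
```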

