oss-sec mailing list archives

Re: CVE Request: zeromq downgrade attack


From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 11 May 2015 07:13:20 +0200

Hi,

On Thu, May 07, 2015 at 04:49:08PM +0200, Alessandro Ghedini wrote:
> [ CCing upstream mailing list ]
>
> Hello,
>
> From https://github.com/zeromq/libzmq/issues/1273 :
>
> It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a
> ZMTP v2 or earlier header. The library accepts such connections without
> applying its security mechanism.
>
> Solution: if security is defined on a socket, reject all V2 and earlier
> connections, unconditionally.
>
> A patch for the zeromq 4.0.x stable series is available at
> https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51
>
> AFAICT no CVE has been assigned (or requested) for this, and the issue has
> been public since December of last year.
>
> Could a CVE be assigned please?

For reference, an update for this issue was released yesterday in
Debian as
https://lists.debian.org/debian-security-announce/2015/msg00144.html

Regards,
Salvatore
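
The check proposed in the quoted issue, sketched as an added example (not libzmq's code and not part of the original message): a greeting classifier that refuses ZMTP v2 and earlier peers whenever a security mechanism is configured. All function and constant names are hypothetical, the sample greetings are constructed, and the byte offsets assume the greeting layouts of the public ZMTP 1.0, 2.0 and 3.0 specifications.

```c
#include <stdio.h>
#include <string.h>

#define SIG_LEN     10  /* 0xFF, 8 length/padding bytes, 0x7F */
#define MECH_OFFSET 12  /* v3 only: 20-byte NUL-padded mechanism name */
#define MECH_LEN    20

enum verdict { NEED_MORE, ACCEPT, REJECT_LEGACY, REJECT_MECHANISM };

/* Constructed sample greetings (not captured traffic). */
static const unsigned char V1_PEER[] = {0x01, 0x00};
static const unsigned char V2_PEER[] = {0xFF, 0,0,0,0,0,0,0,1, 0x7F, 0x01, 0x05};
static const unsigned char V3_CURVE_PEER[MECH_OFFSET + MECH_LEN] =
    {0xFF, 0,0,0,0,0,0,0,0, 0x7F, 0x03, 0x00, 'C','U','R','V','E'};

/* Major ZMTP version the peer speaks, or -1 if more bytes are needed. */
static int peer_major(const unsigned char *g, size_t n)
{
    if (n < 1) return -1;
    if (g[0] != 0xFF) return 1;           /* unversioned ZMTP 1.0 frame */
    if (n < SIG_LEN) return -1;
    if (!(g[9] & 0x01)) return 1;         /* long ZMTP 1.0 frame, no signature */
    if (n < SIG_LEN + 1) return -1;
    if (g[10] >= 0x03) return 3;          /* revision byte */
    return g[10] == 0x00 ? 1 : 2;
}

/* configured: mechanism set on the local socket ("NULL", "PLAIN", "CURVE"). */
static enum verdict check_greeting(const unsigned char *g, size_t n,
                                   const char *configured)
{
    char mech[MECH_LEN + 1] = {0};
    int major = peer_major(g, n);
    if (major < 0) return NEED_MORE;
    /* v1/v2 greetings carry no mechanism field, so nothing can be enforced:
       accept them only when the socket has no security configured. */
    if (major < 3)
        return strcmp(configured, "NULL") == 0 ? ACCEPT : REJECT_LEGACY;
    if (n < MECH_OFFSET + MECH_LEN) return NEED_MORE;
    memcpy(mech, g + MECH_OFFSET, MECH_LEN);
    return strcmp(mech, configured) == 0 ? ACCEPT : REJECT_MECHANISM;
}

int main(void)
{
    printf("v1 peer, CURVE socket: %d\n", check_greeting(V1_PEER, sizeof V1_PEER, "CURVE"));
    printf("v2 peer, CURVE socket: %d\n", check_greeting(V2_PEER, sizeof V2_PEER, "CURVE"));
    printf("v3 peer, CURVE socket: %d\n",
           check_greeting(V3_CURVE_PEER, sizeof V3_CURVE_PEER, "CURVE"));
    return 0;
}
```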

