[Touch-packages] [Bug 1835213] Re: CVE-2019-13132

2019-07-08 Thread Eduardo dos Santos Barretto
Thanks Luca for all the help and contribution, the fix is released. Feel
free to contact us in case of new issues.

** Changed in: zeromq3 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to zeromq3 in Ubuntu.
https://bugs.launchpad.net/bugs/1835213

Title:
  CVE-2019-13132

Status in zeromq3 package in Ubuntu:
  Fix Released

Bug description:
  Dear Security Team,

  I am the upstream maintainer of libzmq/zeromq -
  https://github.com/zeromq/libzmq

  CVE-2019-13132 has been reported privately, and I have confirmed it is
  not only valid but quite bad (TM).

  The bug allows any unauthenticated client to cause a stack overflow on
  any server that is supposed to be protected by
  encryption/authentication. Arbitrary data sent by the client will
  overwrite the stack, so although the reporter didn't provide a
  specific exploit, it is entirely possible that a crafty attacker could
  take advantage of this vulnerability to do more than "just" crash the
  server.

  The bug affects all libzmq/zeromq releases from 4.0.0 onward. Any
  server running with CURVE encryption/authentication is vulnerable.

  Due to the severity, I have not yet published the details on the CVE
  or the issue tracker, and would like to do a release before it is
  disclosed, to let the fix percolate in all distros.

  The proposed plan is as follows:

  I will release upstream versions 4.3.2, 4.1.7 and 4.0.9 on Monday the 8th of
  July at 16:00 UTC.
  I would kindly ask you to hold off on publishing the security updates with the
  attached patches until the above time and date or later, as your
  schedule and availability permit, if possible.

  The CVE details and the upstream issue tracker will then be published a
  week later, on the 15th.

  The per-version patches cover the following distro releases:

  xenial 4.1.4
  bionic 4.2.5
  cosmic 4.2.5
  disco 4.3.1

  Thank you for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1835213/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
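The report gives only version ranges, not exploit details, so the practical check is whether a given libzmq is inside the affected range (every release from 4.0.0 onward) and below the fixed release of its branch (4.3.2, 4.1.7, 4.0.9). The helper below is an added example, not code from the bug report or from libzmq; it encodes those ranges and adds one caveat the report implies: the Ubuntu packages it lists (xenial 4.1.4, bionic 4.2.5, cosmic 4.2.5, disco 4.3.1) were patched in place without a version bump, so for them the number alone cannot prove the fix is present. The assumption that releases newer than a branch's fixed release also carry the fix is ours, not the report's.

```python
"""Triage helper for CVE-2019-13132 (libzmq CURVE stack overflow).

Added example, not part of the bug report or of libzmq. It encodes only what
the report states: every libzmq release from 4.0.0 onward is affected, and the
upstream fixed releases are 4.3.2, 4.1.7 and 4.0.9.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Upstream fixed release per 4.x branch, exactly as listed in the report.
# There is no 4.2.x fixed release; 4.2 users move to 4.3.2 or take a distro patch.
FIXED_UPSTREAM = {
    (4, 0): (4, 0, 9),
    (4, 1): (4, 1, 7),
    (4, 3): (4, 3, 2),
}

# Ubuntu zeromq3 packages named in the report. They were patched in place and
# keep the upstream version number, so the number alone is inconclusive.
DISTRO_UPSTREAM_VERSIONS = {
    "xenial": (4, 1, 4),
    "bionic": (4, 2, 5),
    "cosmic": (4, 2, 5),
    "disco": (4, 3, 1),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Return the upstream major.minor.patch triple from a version string.

    Accepts bare upstream strings ("4.2.5") and Debian/Ubuntu package versions
    ("4.2.5-1ubuntu0.1"); the packaging suffix is ignored because the report's
    ranges refer to the upstream triple.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a libzmq version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def upstream_status(version: str) -> str:
    """Classify an upstream libzmq version against the report's ranges.

    "not-affected"    older than 4.0.0
    "vulnerable"      affected branch, before its fixed release
    "fixed"           at or after the fixed release of its branch
    "no-upstream-fix" 4.2.x: no fixed 4.2 release exists per the report
    """
    v = parse_version(version)
    if v < (4, 0, 0):
        return "not-affected"
    branch = (v[0], v[1])
    fixed: Optional[Version] = FIXED_UPSTREAM.get(branch)
    if fixed is not None:
        return "fixed" if v >= fixed else "vulnerable"
    if branch == (4, 2):
        return "no-upstream-fix"
    # Assumption (not stated in the report): branches newer than 4.3 were
    # released after the fix and therefore include it.
    return "fixed"


def distro_package_status(release: str, package_version: str) -> str:
    """Triage an Ubuntu zeromq3 package version for one of the listed releases.

    When the upstream triple matches the version the report says was patched
    in place, the version number cannot decide the question; the package
    changelog (look for CVE-2019-13132) has to be consulted instead.
    """
    v = parse_version(package_version)
    if DISTRO_UPSTREAM_VERSIONS.get(release) == v:
        return "patched-in-place: verify CVE-2019-13132 in the package changelog"
    return upstream_status(package_version)


if __name__ == "__main__":
    # Constructed sample inputs covering each branch and the distro caveat.
    for sample in ("3.2.5", "4.0.8", "4.0.9", "4.1.6", "4.2.5", "4.3.1", "4.3.2"):
        print(f"{sample:8} {upstream_status(sample)}")
    print("bionic 4.2.5-1ubuntu0.1:", distro_package_status("bionic", "4.2.5-1ubuntu0.1"))
```

Feed `upstream_status()` the string from a build you control (for example the triple `zmq_version()` returns), and `distro_package_status()` the output of `dpkg-query -W -f='${Version}' libzmq5` on an Ubuntu host; for the listed Ubuntu releases the helper deliberately refuses to call the package fixed on the strength of the number alone.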


[Touch-packages] [Bug 1835213] Re: CVE-2019-13132

2019-07-08 Thread Luca Boccassi
Hello, I have made the report public. The issue has been posted to oss-
security, and the upstream releases are in progress and will be
available in a few minutes.

** Information type changed from Private Security to Public Security

Title:
  CVE-2019-13132

Status in zeromq3 package in Ubuntu:
  In Progress