Re: [zeromq-dev] Remote code execution in libzmq 4.2.0 -> 4.3.0
On Sat, 2019-01-12 at 18:40 +, Luca Boccassi wrote:
> Hi,
>
> Please note that a remote execution vulnerability has been uncovered,
> it affects all versions of libzmq from 4.2.0 up to and including
> 4.3.0.
>
> Users deploying with ASLR and/or CURVE/GSSAPI are not affected.
> Deployments of public endpoints without any of those mitigations are
> strongly encouraged to update as soon as possible.
>
> See release announcement for details and links:
>
> https://lists.zeromq.org/pipermail/zeromq-announce/2019-January/58.html

This issue has been assigned CVE-2019-6250.

--
Kind regards,
Luca Boccassi

___
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
https://lists.zeromq.org/mailman/listinfo/zeromq-dev

Re: [zeromq-dev] Remote code execution in libzmq 4.2.0 -> 4.3.0
Hi,

I already provided patches for the main LTS distributions that ship
older affected versions.

For users doing their own deployments, there is no reason to hold back.
4.3.1 is fully API and ABI compatible all the way back to 4.1.x, there
were no major changes. Therefore I am not going to fork 4.2.x in the
upstream repository.

If users want to manually patch older versions, the one-line patches I
prepared can be found on the following bug trackers:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919098 (4.2.1)
https://bugs.launchpad.net/suse/+source/zeromq/+bug/1811531 (4.2.5)
https://bugzilla.opensuse.org/show_bug.cgi?id=1121717 (4.2.2 and 4.2.3)

On Sat, 2019-01-12 at 15:23 -0500, Trevor Bernard wrote:
> It would be prudent to also back port that RCE fix to 4.2.x
>
> -Trev
>
> On Sat, Jan 12, 2019 at 1:44 PM Luca Boccassi wrote:
> >
> > Hi,
> >
> > Please note that a remote execution vulnerability has been
> > uncovered,
> > it affects all versions of libzmq from 4.2.0 up to and including
> > 4.3.0.
> >
> > Users deploying with ASLR and/or CURVE/GSSAPI are not affected.
> > Deployments of public endpoints without any of those mitigations
> > are
> > strongly encouraged to update as soon as possible.
> >
> > See release announcement for details and links:
> >
> > https://lists.zeromq.org/pipermail/zeromq-announce/2019-January/000058.html
> >
> > --
> > Kind regards,
> > Luca Boccassi

--
Kind regards,
Luca Boccassi

Re: [zeromq-dev] Remote code execution in libzmq 4.2.0 -> 4.3.0
It would be prudent to also back port that RCE fix to 4.2.x

-Trev

On Sat, Jan 12, 2019 at 1:44 PM Luca Boccassi wrote:
>
> Hi,
>
> Please note that a remote execution vulnerability has been uncovered,
> it affects all versions of libzmq from 4.2.0 up to and including 4.3.0.
>
> Users deploying with ASLR and/or CURVE/GSSAPI are not affected.
> Deployments of public endpoints without any of those mitigations are
> strongly encouraged to update as soon as possible.
>
> See release announcement for details and links:
>
> https://lists.zeromq.org/pipermail/zeromq-announce/2019-January/58.html
>
> --
> Kind regards,
> Luca Boccassi

[zeromq-dev] Remote code execution in libzmq 4.2.0 -> 4.3.0
Hi,

Please note that a remote execution vulnerability has been uncovered,
it affects all versions of libzmq from 4.2.0 up to and including 4.3.0.

Users deploying with ASLR and/or CURVE/GSSAPI are not affected.
Deployments of public endpoints without any of those mitigations are
strongly encouraged to update as soon as possible.

See release announcement for details and links:

https://lists.zeromq.org/pipermail/zeromq-announce/2019-January/58.html

--
Kind regards,
Luca Boccassi
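
Added example, not part of the thread and not code from the libzmq project: a Python check of whether the libzmq a host resolves, or the versions listed in an inventory, fall in the 4.2.0 to 4.3.0 range named in the announcement. The inventory, host names and status labels are constructed for this example; the only library call assumed is libzmq's `zmq_version()`.

```python
import ctypes
import ctypes.util

# Range from the announcement: 4.2.0 up to and including 4.3.0.
FIRST_AFFECTED, LAST_AFFECTED = (4, 2, 0), (4, 3, 0)

# Constructed sample inventory (host names and versions are made up).
SAMPLE = {"broker-a": "4.1.6", "broker-b": "4.2.5-1",
          "edge-c": "4.3.0", "edge-d": "4.3.1"}

def parse_version(text):
    """Turn '4.2.5' or a package string such as '4.2.1-4' into (4, 2, 1)."""
    upstream = text.strip().split("-", 1)[0]
    parts = upstream.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("not a major.minor.patch version: %r" % text)
    return tuple(int(p) for p in parts)

def classify(version):
    """Place a (major, minor, patch) tuple relative to the announced range."""
    # An in-range distribution build may already carry the one-line patch
    # mentioned in the thread; confirm that in the package changelog.
    if version < FIRST_AFFECTED:
        return "before-range"
    if version <= LAST_AFFECTED:
        return "in-range"
    return "after-range"

def loaded_libzmq_version(path=None):
    """Ask the libzmq this host resolves for its version, or return None."""
    path = path or ctypes.util.find_library("zmq")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
        lib.zmq_version.restype = None
    except (OSError, AttributeError):
        return None
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    lib.zmq_version(ctypes.byref(major), ctypes.byref(minor), ctypes.byref(patch))
    return (major.value, minor.value, patch.value)

def report(inventory):
    """Map each host in a {host: version string} inventory to its status."""
    return {host: classify(parse_version(v)) for host, v in inventory.items()}

if __name__ == "__main__":
    local = loaded_libzmq_version()
    print("local libzmq:", local, classify(local) if local else "not found")
    print(report(SAMPLE))
```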