Launchpad has imported 1 comments from the remote bug at https://bugzilla.opensuse.org/show_bug.cgi?id=1121717.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2019-01-12T17:40:09+00:00 Luca Boccassi wrote: Created attachment 794269 patch for 4.2.2 and 4.2.3 Dear Maintainer, A remote execution vulnerability has been reported in zeromq. Full details can be found on the upstream issue tracker [1]. The issue is fixed in upstream version v4.3.1, just released, or with the attached patch for 4.2.3 (leap 15) and 4.2.2 (leap 42) (applies cleanly on both). This issue has been introduced in 4.2.0 so SLES 12 is not affected. The latest version will hopefully arrive in disco via debian unstable soon, but I would recommend patching older releases. As mentioned in the upstream tracker and the changelog, the issue can be mitigated by ASLR and by authentication via CURVE/GSSAPI. As far as I am aware no CVEs have been assigned nor have been requested as of now. Reply at: https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1811531/comments/3 ** Changed in: zeromq (Suse) Status: Unknown => Confirmed ** Changed in: zeromq (Suse) Importance: Unknown => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1811531 Title: remote execution vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1811531/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
