Hi, I already provided patches for the main LTS distributions that ship older affected versions.
For users doing their own deployments, there is no reason to hold back. 4.3.1 is fully API and ABI compatible all the way back to 4.1.x, there were no major changes. Therefore I am not going to fork 4.2.x in the upstream repository.

If users want to manually patch older versions, the one-line patches I prepared can be found on the following bug trackers:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919098 (4.2.1)
https://bugs.launchpad.net/suse/+source/zeromq/+bug/1811531 (4.2.5)
https://bugzilla.opensuse.org/show_bug.cgi?id=1121717 (4.2.2 and 4.2.3)

On Sat, 2019-01-12 at 15:23 -0500, Trevor Bernard wrote:
> It would be prudent to also back port that RCE fix to 4.2.x
>
> -Trev
>
> On Sat, Jan 12, 2019 at 1:44 PM Luca Boccassi <[email protected]> wrote:
> >
> > Hi,
> >
> > Please note that a remote execution vulnerability has been uncovered,
> > it affects all versions of libzmq from 4.2.0 up to and including 4.3.0.
> >
> > Users deploying with ASLR and/or CURVE/GSSAPI are not affected.
> > Deployments of public endpoints without any of those mitigations are
> > strongly encouraged to update as soon as possible.
> >
> > See release announcement for details and links:
> >
> > https://lists.zeromq.org/pipermail/zeromq-announce/2019-January/000058.html
> >
> > --
> > Kind regards,
> > Luca Boccassi

--
Kind regards,
Luca Boccassi
_______________________________________________
zeromq-dev mailing list
[email protected]
https://lists.zeromq.org/mailman/listinfo/zeromq-dev
