Security update for zeromq SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1907-1 Final 1 1 2020-11-13T13:26:15Z current 2020-11-13T13:26:15Z 2020-11-13T13:26:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for zeromq This update for zeromq fixes the following issues: - CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116). - Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256) - Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257) - Fixed memory leak when processing PUB messages with metadata (bsc#1176259) - Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1907 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZFPGMWNYFF7TPILP2K22BE5SUUBZBMNS/ E-Mail link for openSUSE-SU-2020:1907-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1176116 SUSE Bug 1176116 https://bugzilla.suse.com/1176256 SUSE Bug 1176256 https://bugzilla.suse.com/1176257 SUSE Bug 1176257 https://bugzilla.suse.com/1176258 SUSE Bug 1176258 https://bugzilla.suse.com/1176259 SUSE Bug 1176259 https://www.suse.com/security/cve/CVE-2020-15166/ SUSE CVE CVE-2020-15166 page openSUSE Leap 15.1 libunwind-1.2.1-lp151.4.3.1 libunwind-32bit-1.2.1-lp151.4.3.1 libunwind-devel-1.2.1-lp151.4.3.1 libzmq5-4.2.3-lp151.5.6.1 zeromq-devel-4.2.3-lp151.5.6.1 zeromq-tools-4.2.3-lp151.5.6.1 libunwind-1.2.1-lp151.4.3.1 as a component of openSUSE Leap 15.1 libunwind-32bit-1.2.1-lp151.4.3.1 as a component of openSUSE Leap 15.1 libunwind-devel-1.2.1-lp151.4.3.1 as a component of openSUSE Leap 15.1 libzmq5-4.2.3-lp151.5.6.1 as a component of openSUSE Leap 15.1 zeromq-devel-4.2.3-lp151.5.6.1 as a component of openSUSE Leap 15.1 zeromq-tools-4.2.3-lp151.5.6.1 as a component of openSUSE Leap 15.1 In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3. CVE-2020-15166 openSUSE Leap 15.1:libunwind-1.2.1-lp151.4.3.1 openSUSE Leap 15.1:libunwind-32bit-1.2.1-lp151.4.3.1 openSUSE Leap 15.1:libunwind-devel-1.2.1-lp151.4.3.1 openSUSE Leap 15.1:libzmq5-4.2.3-lp151.5.6.1 openSUSE Leap 15.1:zeromq-devel-4.2.3-lp151.5.6.1 openSUSE Leap 15.1:zeromq-tools-4.2.3-lp151.5.6.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZFPGMWNYFF7TPILP2K22BE5SUUBZBMNS/ https://www.suse.com/security/cve/CVE-2020-15166.html CVE-2020-15166 https://bugzilla.suse.com/1176116 SUSE Bug 1176116