openSUSE Security Update: zeromq
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1381-1
Rating:             moderate
References:         #898917
Cross-References:   CVE-2014-7202 CVE-2014-7203
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for zeromq fixes the following non-security and security issues:

Update to version 4.0.4, for a detailed description see
/usr/share/doc/packages/zeromq-devel/NEWS

- Add libsodium dep for testsuite where possible
- Version bump to 4.0.5 fixes bnc#898917 CVE-2014-7202 and CVE-2014-7203:
  * Fixed CURVE mechanism does not verify short term nonces.
  * Fixed stream_engine is vulnerable to downgrade attacks.
  * Fixed assertion failure for WSAENOTSOCK on Windows.
  * Fixed race condition while connecting inproc sockets.
  * Fixed bump so library number to 4.0.0
  * Fixed assertion failed: !more (fq.cpp:99) after many ZAP requests.
  * Fixed lost first part of message over inproc://.
  * Fixed keep-alive on Windows.
- Enable tests.
- Move to 'download_files' source service which is in better shape and
  easier to use

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

    zypper in -t patch openSUSE-2014-641

- openSUSE 12.3:

    zypper in -t patch openSUSE-2014-641

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (i586 x86_64):

    libzmq4-4.0.5-4.4.3
    libzmq4-debuginfo-4.0.5-4.4.3
    zeromq-debugsource-4.0.5-4.4.3
    zeromq-devel-4.0.5-4.4.3

- openSUSE 12.3 (i586 x86_64):

    libzmq4-4.0.5-2.4.2
    libzmq4-debuginfo-4.0.5-2.4.2
    zeromq-debugsource-4.0.5-2.4.2
    zeromq-devel-4.0.5-2.4.2

References:

    http://support.novell.com/security/cve/CVE-2014-7202.html
    http://support.novell.com/security/cve/CVE-2014-7203.html
    https://bugzilla.suse.com/show_bug.cgi?id=898917