openSUSE Security Update: Security update for zeromq
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1493-1
Rating:             moderate
References:         #898917
Cross-References:   CVE-2014-7202 CVE-2014-7203
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   zeromq was updated to version 4.0.5 to fix two security issues and various
   other bugs.

   These security issues were fixed:
   - The peer's security handshake was not validated properly, allowing a
     man-in-the-middle downgrade attack (CVE-2014-7202).
   - No uniqueness check was performed on connection nonces, and the CurveZMQ
     RFC was ambiguous about nonce validation. This allowed replay attacks
     (CVE-2014-7203).

   Other issues fixed in this update:
   - CURVE mechanism does not verify short term nonces.
   - stream_engine is vulnerable to downgrade attacks.
   - assertion failure for WSAENOTSOCK on Windows.
   - race condition while connecting inproc sockets.
   - bump shared library (.so) version number to 4.0.0.
   - assertion failed: !more (fq.cpp:99) after many ZAP requests.
   - lost first part of message over inproc://.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2014-713

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.2 (i586 x86_64):

      libzmq4-4.0.5-3.6.2
      libzmq4-debuginfo-4.0.5-3.6.2
      zeromq-debugsource-4.0.5-3.6.2
      zeromq-devel-4.0.5-3.6.2

References:

   http://support.novell.com/security/cve/CVE-2014-7202.html
   http://support.novell.com/security/cve/CVE-2014-7203.html
   https://bugzilla.suse.com/show_bug.cgi?id=898917
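The two checks the description says were missing, as an added illustration (not code from libzmq or from this advisory): a receiver must reject a peer greeting whose mechanism differs from the one it configured (the downgrade in CVE-2014-7202), and must reject a short-term nonce that does not strictly exceed the last one accepted on that connection (the replay in CVE-2014-7203). The 64-byte ZMTP 3.0 greeting layout follows RFC 23; treating the 8-byte short nonce as a big-endian counter is an assumption made here for the demonstration.

```python
import struct

GREETING_LEN = 64  # ZMTP 3.0: 10-byte signature, 2-byte version, 20-byte mechanism, 1 flag, 31 filler


def make_greeting(mechanism: bytes, as_server: bool = False) -> bytes:
    """Build a constructed ZMTP 3.0 greeting for the given mechanism name."""
    signature = b"\xff" + b"\x00" * 8 + b"\x7f"
    version = b"\x03\x00"
    mech = mechanism.ljust(20, b"\x00")
    flag = b"\x01" if as_server else b"\x00"
    return signature + version + mech + flag + b"\x00" * 31


def mechanism_matches(greeting: bytes, expected: bytes) -> bool:
    """Downgrade check: accept the greeting only if the peer announces exactly
    the mechanism we configured. Accepting whatever the peer offers (e.g. NULL
    when we configured CURVE) is the weakness behind CVE-2014-7202."""
    if len(greeting) != GREETING_LEN or greeting[0] != 0xFF or greeting[9] != 0x7F:
        return False  # malformed greeting: never fall back to a weaker mechanism
    announced = greeting[12:32].rstrip(b"\x00")
    return announced == expected


def nonce_from_counter(counter: int) -> bytes:
    """Encode an 8-byte short-term nonce as a big-endian counter (assumption)."""
    return struct.pack(">Q", counter)


class NonceTracker:
    """Per-connection replay check: each short-term nonce must be strictly greater
    than the highest one already accepted, so a captured message cannot be
    delivered twice. This is the check missing in CVE-2014-7203."""

    def __init__(self) -> None:
        self.highest_seen = 0  # nonce 0 is never valid as a message nonce

    def accept(self, nonce: bytes) -> bool:
        if len(nonce) != 8:
            return False
        counter = struct.unpack(">Q", nonce)[0]
        if counter <= self.highest_seen:
            return False  # replayed or reordered: drop the message
        self.highest_seen = counter
        return True


def run_demo() -> dict:
    """Exercise both checks on constructed input and return the outcomes."""
    tracker = NonceTracker()
    return {
        "curve_vs_curve": mechanism_matches(make_greeting(b"CURVE"), b"CURVE"),
        "null_vs_curve": mechanism_matches(make_greeting(b"NULL"), b"CURVE"),
        "first_nonce": tracker.accept(nonce_from_counter(1)),
        "replayed_nonce": tracker.accept(nonce_from_counter(1)),
    }
```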