| Bug ID | 931978 |
|---|---|
| Summary | VUL-0: CVE-2014-9721: zeromq: protocol downgrade attack on sockets using the ZMTP v3 protocol |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | 13.2 |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Major |
| Priority | P5 - None |
| Component | Security |
| Assignee | tchvatal@suse.com |
| Reporter | abergmann@suse.com |
| QA Contact | qa-bugs@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
rh#1221666 ------------------------------------- It was discovered that zeromq, a lightweight messaging kernel, is susceptible to a protocol downgrade attack on sockets using the ZMTP v3 protocol. This could allow remote attackers to bypass ZMTP v3 security mechanisms by sending ZMTP v2 or earlier headers. CVE request: http://openwall.com/lists/oss-security/2015/05/07/8 Upstream bug report: https://github.com/zeromq/libzmq/issues/1273 Upstream fix: https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 ------------------------------------- References: https://bugzilla.redhat.com/show_bug.cgi?id=1221666 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9721 http://seclists.org/oss-sec/2015/q2/515 http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9721.html