Bug ID: 1121717
Summary: zeromq: remote execution vulnerability
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: All
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: luca.boccassi@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 794269
patch for 4.2.1 and 4.2.3

Dear Maintainer,

A remote execution vulnerability has been reported in zeromq. Full details can
be found on the upstream issue tracker [1].

The issue is fixed in upstream version v4.3.1, just released, or with the
attached patch for 4.2.3 (Leap 15) and 4.2.2 (Leap 42) (applies cleanly on
both).
This issue has been introduced in 4.2.0 so SLES 12 is not affected.

The latest version will hopefully arrive in disco via Debian unstable soon, but
I would recommend patching older releases.

As mentioned in the upstream tracker and the changelog, the issue can be
mitigated by ASLR and by authentication via CURVE/GSSAPI. As far as I am aware,
no CVEs have been assigned or requested as of now.

