openSUSE Security Update: Security update for zeromq
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1493-1
Rating:             moderate
References:         #898917
Cross-References:   CVE-2014-7202 CVE-2014-7203
Affected Products:  openSUSE 13.2
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
zeromq was updated to version 4.0.5 to fix two security issues and various other bugs.
These security issues were fixed:

- Did not validate the other party's security handshake properly, allowing a man-in-the-middle downgrade attack (CVE-2014-7202).
- Did not implement a uniqueness check on connection nonces, and the CurveZMQ RFC was ambiguous about nonce validation. This allowed replay attacks (CVE-2014-7203).
Other issues fixed in this update:

- CURVE mechanism does not verify short term nonces.
- stream_engine is vulnerable to downgrade attacks.
- assertion failure for WSAENOTSOCK on Windows.
- race condition while connecting inproc sockets.
- bump so library number to 4.0.0
- assertion failed: !more (fq.cpp:99) after many ZAP requests.
- lost first part of message over inproc://.
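To make the two security issues concrete, the following is an added, self-contained model of the checks that were missing, written for this page; it is not libzmq's code and does not reproduce its data structures. The wire layouts are assumptions chosen for the model: a 64-byte ZMTP-3.0-style greeting (10-byte signature, 2-byte version, 20-byte NUL-padded mechanism name, 1-byte as-server flag, 31 bytes of filler) and a "MESSAGE" command carrying an 8-byte big-endian short-term nonce. The vulnerable variants accept whatever the peer sends; the fixed variants refuse a greeting that names a different mechanism than the one configured locally (the downgrade in CVE-2014-7202) and refuse any nonce that is not strictly greater than the last one accepted on the connection (the replay in CVE-2014-7203). All input is constructed inline.

```python
"""Model of the two missing CurveZMQ/ZMTP checks (constructed example, not libzmq code).

Assumed layouts (not taken from the advisory):
  greeting : 10-byte signature | 2-byte version | 20-byte mechanism (NUL padded)
             | 1-byte as-server | 31-byte filler            (64 bytes total)
  message  : b"MESSAGE" | 8-byte big-endian short-term nonce | ciphertext
"""
import struct

SIGNATURE = b"\xff" + b"\x00" * 8 + b"\x7f"
GREETING_LEN = 64


class HandshakeError(Exception):
    pass


def build_greeting(mechanism: bytes, as_server: bool = False) -> bytes:
    """Construct a greeting the way a peer (or a man-in-the-middle) would emit it."""
    assert len(mechanism) <= 20
    return (SIGNATURE + bytes([3, 0]) + mechanism.ljust(20, b"\x00")
            + bytes([1 if as_server else 0]) + b"\x00" * 31)


def parse_greeting(data: bytes) -> dict:
    """Split a greeting into its fields; rejects bad length or signature."""
    if len(data) != GREETING_LEN or data[:10] != SIGNATURE:
        raise HandshakeError("bad signature or length")
    return {"version": (data[10], data[11]),
            "mechanism": data[12:32].rstrip(b"\x00"),
            "as_server": data[32] == 1}


def check_greeting_vulnerable(local_mechanism: bytes, peer_greeting: bytes) -> bytes:
    """Modelled pre-fix behaviour: adopt whatever mechanism the peer names."""
    return parse_greeting(peer_greeting)["mechanism"]


def check_greeting_fixed(local_mechanism: bytes, peer_greeting: bytes) -> bytes:
    """Fixed behaviour: the peer must name the mechanism we are configured for."""
    peer_mechanism = parse_greeting(peer_greeting)["mechanism"]
    if peer_mechanism != local_mechanism:
        raise HandshakeError(
            f"mechanism mismatch: expected {local_mechanism!r}, got {peer_mechanism!r}")
    return peer_mechanism


class NonceTracker:
    """Replay guard: each short-term nonce must be strictly greater than the last accepted."""

    def __init__(self, check_nonces: bool = True):
        self.check_nonces = check_nonces  # False models the pre-fix behaviour
        self.last_nonce = 0

    def accept(self, message: bytes) -> int:
        if not message.startswith(b"MESSAGE") or len(message) < 15:
            raise HandshakeError("malformed MESSAGE command")
        (nonce,) = struct.unpack(">Q", message[7:15])
        if self.check_nonces and nonce <= self.last_nonce:
            raise HandshakeError(f"replayed or reordered nonce {nonce} (last {self.last_nonce})")
        self.last_nonce = max(self.last_nonce, nonce)
        return nonce


def build_message(nonce: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Construct a MESSAGE command with the given short-term nonce (payload is dummy)."""
    return b"MESSAGE" + struct.pack(">Q", nonce) + payload


def demo() -> dict:
    """Run both attacks against the vulnerable and fixed checks; return what each did."""
    results = {}

    # Downgrade: we are configured for CURVE, but a MITM rewrote the peer's greeting to NULL.
    tampered = build_greeting(b"NULL")
    results["downgrade_vulnerable"] = check_greeting_vulnerable(b"CURVE", tampered)
    try:
        check_greeting_fixed(b"CURVE", tampered)
        results["downgrade_fixed"] = "accepted"
    except HandshakeError:
        results["downgrade_fixed"] = "rejected"

    # Replay: the attacker re-sends the captured message with nonce 1 after nonce 2 was seen.
    captured = [build_message(1), build_message(2), build_message(1)]
    vulnerable, fixed = NonceTracker(check_nonces=False), NonceTracker()
    results["replay_vulnerable"] = [vulnerable.accept(m) for m in captured]
    accepted = []
    for m in captured:
        try:
            accepted.append(fixed.accept(m))
        except HandshakeError:
            accepted.append(None)
    results["replay_fixed"] = accepted
    return results


if __name__ == "__main__":
    print(demo())
```

The replay guard is per connection: a fresh NonceTracker belongs with each new CURVE session, since nonces only have to be unique under one short-term key pair. The mechanism check must compare against the locally configured mechanism, not merely check that the peer's name is a known one, or the downgrade remains possible.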
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2014-713
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
libzmq4-4.0.5-3.6.2
libzmq4-debuginfo-4.0.5-3.6.2
zeromq-debugsource-4.0.5-3.6.2
zeromq-devel-4.0.5-3.6.2
References:
http://support.novell.com/security/cve/CVE-2014-7202.html
http://support.novell.com/security/cve/CVE-2014-7203.html
https://bugzilla.suse.com/show_bug.cgi?id=898917