Mailinglist Archive: opensuse-updates (114 mails)

openSUSE-SU-2014:1493-1: moderate: Security update for zeromq
openSUSE Security Update: Security update for zeromq

Announcement ID: openSUSE-SU-2014:1493-1
Rating: moderate
References: #898917
Cross-References: CVE-2014-7202 CVE-2014-7203
Affected Products:
openSUSE 13.2

An update that fixes two vulnerabilities is now available.


zeromq was updated to version 4.0.5 to fix two security issues and various
other bugs.

These security issues were fixed:
- zeromq did not validate the other party's security handshake properly,
allowing a man-in-the-middle downgrade attack (CVE-2014-7202).
- zeromq did not implement a uniqueness check on connection nonces, and the
CurveZMQ RFC was ambiguous about nonce validation. This allowed replay
attacks (CVE-2014-7203).
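The two checks the advisory describes, as an added illustration that is not code from the zeromq project: a receiving side refuses a greeting whose mechanism differs from the one it was configured with (the downgrade case), and refuses a short-term nonce that is not strictly greater than the last one accepted on that connection (the replay case). The class and function names, the 8-byte big-endian counter layout and the sample message sequence are this example's own simplifications, not libzmq's wire code.

```python
import struct


class HandshakeError(Exception):
    """Raised when a peer's greeting or nonce fails validation."""


class PeerState:
    """Per-connection state: the mechanism this socket was configured with
    and the highest short-term nonce accepted from the peer so far."""

    def __init__(self, configured_mechanism: str):
        self.configured_mechanism = configured_mechanism  # e.g. "CURVE"
        self.last_peer_nonce = 0

    def check_greeting(self, offered_mechanism: str) -> str:
        # CVE-2014-7202: an engine that simply adopts whatever mechanism the
        # peer's greeting names lets an on-path attacker swap "CURVE" for
        # "NULL". Require the peer to offer exactly what we configured.
        if offered_mechanism != self.configured_mechanism:
            raise HandshakeError("mechanism downgrade refused: peer offered "
                                 f"{offered_mechanism!r}, expected "
                                 f"{self.configured_mechanism!r}")
        return offered_mechanism

    def check_nonce(self, short_nonce: bytes) -> int:
        # CVE-2014-7203: without a uniqueness check a captured MESSAGE command
        # can be replayed. Treat the 8-byte short-term nonce as a counter
        # (assumed big-endian here) and accept only strictly increasing values.
        if len(short_nonce) != 8:
            raise HandshakeError("short-term nonce must be 8 bytes")
        (nonce,) = struct.unpack(">Q", short_nonce)
        if nonce <= self.last_peer_nonce:
            raise HandshakeError(f"replayed or out-of-order nonce {nonce}; "
                                 f"last accepted was {self.last_peer_nonce}")
        self.last_peer_nonce = nonce
        return nonce


def replay_demo():
    """Constructed sample: nonces 1, 2, 3 arrive in order, then nonce 2 is
    replayed. Returns one ("ok", n) or ("refused", n) tuple per message."""
    peer = PeerState("CURVE")
    peer.check_greeting("CURVE")  # a downgraded greeting would raise here
    outcomes = []
    for n in (1, 2, 3, 2):
        try:
            outcomes.append(("ok", peer.check_nonce(struct.pack(">Q", n))))
        except HandshakeError:
            outcomes.append(("refused", n))
    return outcomes
```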

Other issues fixed in this update:
- CURVE mechanism does not verify short term nonces.
- stream_engine is vulnerable to downgrade attacks.
- assertion failure for WSAENOTSOCK on Windows.
- race condition while connecting inproc sockets.
- bump so library number to 4.0.0
- assertion failed: !more (fq.cpp:99) after many ZAP requests.
- lost first part of message over inproc://.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

zypper in -t patch openSUSE-2014-713

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):


