Mailinglist Archive: opensuse-updates (114 mails)

openSUSE-SU-2014:1493-1: moderate: Security update for zeromq
openSUSE Security Update: Security update for zeromq
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:1493-1
Rating: moderate
References: #898917
Cross-References: CVE-2014-7202 CVE-2014-7203
Affected Products:
openSUSE 13.2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

zeromq was updated to version 4.0.5 to fix two security issues and various
other bugs.

These security issues were fixed:
- Did not validate the other party's security handshake properly, allowing
a man-in-the-middle downgrade attack (CVE-2014-7202).
- Did not implement a uniqueness check on connection nonces, and the
CurveZMQ RFC was ambiguous about nonce validation. This allowed replay
attacks (CVE-2014-7203).
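As an added illustration of the replay problem behind CVE-2014-7203 (example code written for this page, not libzmq's own fix): a per-connection check that a peer's short-term nonce counter strictly increases, which is one way to realise the uniqueness check the advisory says was missing. The 16-byte direction prefix plus 8-byte counter layout, and the big-endian counter encoding, are assumptions of this example.

```python
import struct

# Assumed CurveZMQ short-term nonce layout (RFC 26, as this example reads it):
# a 16-byte direction prefix followed by an 8-byte message counter.
NONCE_PREFIX_CLIENT = b"CurveZMQMESSAGEC"  # client -> server
NONCE_PREFIX_SERVER = b"CurveZMQMESSAGES"  # server -> client
NONCE_LEN = 24

class ReplayDetected(Exception):
    pass

class CurveNonceTracker:
    """Per-connection tracker for the peer's short-term nonce counter.
    The check the advisory describes as missing: each counter must be strictly
    greater than the last one accepted, so a captured MESSAGE command that is
    replayed later is rejected instead of being decrypted and delivered."""

    def __init__(self, expected_prefix: bytes):
        self.expected_prefix = expected_prefix
        self.last_counter = 0  # counters start at 1, so 0 admits the first

    def accept(self, nonce: bytes) -> int:
        if len(nonce) != NONCE_LEN:
            raise ValueError("nonce must be 24 bytes")
        prefix, counter_bytes = nonce[:16], nonce[16:]
        if prefix != self.expected_prefix:
            raise ValueError("unexpected nonce prefix")
        # Assumption: the counter is encoded big-endian (network byte order).
        (counter,) = struct.unpack(">Q", counter_bytes)
        if counter <= self.last_counter:
            raise ReplayDetected(f"counter {counter} <= last {self.last_counter}")
        self.last_counter = counter
        return counter

def make_nonce(prefix: bytes, counter: int) -> bytes:
    """Build a nonce the way a sending peer would (same assumed layout)."""
    return prefix + struct.pack(">Q", counter)

def demo() -> list:
    """Run a constructed sequence with one replayed counter through the tracker."""
    tracker = CurveNonceTracker(NONCE_PREFIX_CLIENT)
    outcomes = []
    for counter in [1, 2, 3, 2, 4]:  # constructed: counter 2 arrives twice
        try:
            tracker.accept(make_nonce(NONCE_PREFIX_CLIENT, counter))
            outcomes.append("ok")
        except ReplayDetected:
            outcomes.append("replay")
    return outcomes
```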

Other issues fixed in this update:
- CURVE mechanism did not verify short-term nonces.
- stream_engine was vulnerable to downgrade attacks.
- Assertion failure for WSAENOTSOCK on Windows.
- Race condition while connecting inproc sockets.
- Bumped the shared library (.so) version number to 4.0.0.
- Assertion failed: !more (fq.cpp:99) after many ZAP requests.
- Lost first part of message over inproc://.


Patch Instructions:

To install this openSUSE Security Update, use YaST online_update.
Alternatively, run the command listed for your product:

- openSUSE 13.2:

zypper in -t patch openSUSE-2014-713

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.2 (i586 x86_64):

libzmq4-4.0.5-3.6.2
libzmq4-debuginfo-4.0.5-3.6.2
zeromq-debugsource-4.0.5-3.6.2
zeromq-devel-4.0.5-3.6.2


References:

http://support.novell.com/security/cve/CVE-2014-7202.html
http://support.novell.com/security/cve/CVE-2014-7203.html
https://bugzilla.suse.com/show_bug.cgi?id=898917

