If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange any
message. Handshakes complete successfully, and messages are delivered to the
library, but the server application never receives them (CVE-2020-15166).
Also, the cppzmq package has been rebuilt against the updated zeromq library.
- https://bugs.mageia.org/show_bug.cgi?id=27256
- https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
- https://www.cve.org/CVERecord?id=CVE-2020-15166
- 7/core/zeromq-4.3.3-1.1.mga7
- 7/core/cppzmq-4.3.0-2.2.mga7
Get the latest Linux and open source security news straight to your inbox.