Alerts This Week
Warning Icon 1 1,154
Alerts This Week
Warning Icon 1 1,154

Mageia: 2020-0367 Critical: Zeromq TCP Message Exchange Flaw

mageia
Calendar Grey September 15, 2020
Dist Mageia Esm H88
Mageia enhances zeromq to address the security vulnerability impacting TCP communication through CURVE/ZAP settings.
If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message

Summary

If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them (CVE-2020-15166).
Also, the cppzmq package has been rebuilt against the updated zeromq library.

References

- https://bugs.mageia.org/show_bug.cgi?id=27256

- https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

- https://www.cve.org/CVERecord?id=CVE-2020-15166

Resolution

SRPMS

- 7/core/zeromq-4.3.3-1.1.mga7

- 7/core/cppzmq-4.3.0-2.2.mga7

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 15 Sep 2020
URL: https://advisories.mageia.org/MGASA-2020-0367.html
Type: security
CVE: CVE-2020-15166

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here