FS#42381 - [zeromq] CVE-2014-7202 CVE-2014-7203 man-in-the-middle

Attached to Project: Community Packages
Opened by Levente Polyak (anthraxx) - Tuesday, 14 October 2014, 23:45 GMT
Last edited by Kyle Keen (keenerd) - Wednesday, 15 October 2014, 02:32 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Kyle Keen (keenerd)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Hello,

zeromq <= 4.0.4 is vulnerable to man-in-the-middle [0][1][2].

It was discovered that zeromq had multiple issues resulting in possible man-in-the-middle and replay attacks.

A fix for this flaw has been committed upstream [3] so it is recommended to upgrade to 4.0.5.

[0] http://seclists.org/oss-sec/2014/q3/776
[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7202
[2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7203
[3] https://raw.githubusercontent.com/zeromq/zeromq4-x/master/NEWS

Closed by Kyle Keen (keenerd)
Wednesday, 15 October 2014, 02:32 GMT
Reason for closing: Fixed
Additional comments about closing: zeromq-4.0.5-1
Comment by Kyle Keen (keenerd) - Wednesday, 15 October 2014, 00:42 GMT
Unfortunately the zmq devs have decided that this security update requires breaking sonames, going from libzmq.so.3.1.0 to libzmq.so.4.0.0. Means that I can't simply update the package, instead it must go through [staging] and everything that links zeromq must be rebuilt.

Thankfully there are only four packages that link zeromq and I maintain three of them. Fontforge is the fourth, and it is in [extra] so I can't do anything about it. Already contacted Vesath (Bisson) about that.
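The soname bump described in the comment above means that any binary still resolving libzmq.so.3 was not rebuilt and therefore still loads the pre-4.0.5 library. The following is an added example, not code from the bug report or from the zeromq project, that flags such binaries from ldd-style output. The `== path ==` header convention and the sample listing are constructed for this example; the two sonames are the ones named in the comment.

```shell
#!/bin/sh
# Added example: report binaries whose shared-library resolution still
# points at the pre-4.0.5 zeromq soname (libzmq.so.3).
# Input is ldd-style output preceded, per binary, by a "== /path ==" header.
# That header is a convention of this script, not something ldd prints.

# Sonames from the comment above: old (<= 4.0.4) and new (4.0.5).
OLD_SONAME="libzmq.so.3"
NEW_SONAME="libzmq.so.4"

# Read the annotated ldd output on stdin; print each binary that links
# OLD_SONAME exactly once, one per line. A "=> not found" line also counts,
# because the loader would still look for the old library at run time.
report_old_zmq_links() {
    awk -v old="$OLD_SONAME" '
        /^== .* ==$/ { bin = $2; next }          # header: remember the binary path
        {
            # Compare whole fields so libzmq.so.3 does not match libzmq.so.31.
            for (i = 1; i <= NF; i++)
                if ($i == old && bin != "") { print bin; bin = ""; break }
        }
    '
}

# Constructed sample (not captured from a real system): app-a and app-c still
# reference the old soname, app-b was rebuilt against the new one.
SAMPLE='== /usr/bin/app-a ==
	linux-vdso.so.1 (0x00007ffd00000000)
	libzmq.so.3 => /usr/lib/libzmq.so.3 (0x00007f0000000000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f0100000000)
== /usr/bin/app-b ==
	libzmq.so.4 => /usr/lib/libzmq.so.4 (0x00007f0200000000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f0300000000)
== /usr/bin/app-c ==
	libzmq.so.3 => not found
'

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE" | report_old_zmq_links
```

On a real system the input would be produced with something like `for b in /usr/bin/*; do echo "== $b =="; ldd "$b" 2>/dev/null; done | report_old_zmq_links`. Note that `ldd` may execute code from the binary it inspects, so on a machine where the binaries themselves are not trusted, prefer `objdump -p "$b" | grep NEEDED` and feed those lines instead; the field comparison above works unchanged on that output.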
Comment by Kyle Keen (keenerd) - Wednesday, 15 October 2014, 02:31 GMT
Okay, all done. Much thanks to the devs Bisson, Falconindy and Foutrelis.
