SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-3264

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-3264

Security update for zeromq

Type: security

Severity: moderate

Issued: 2020-11-10

Description:

This update for zeromq fixes the following issues:

- CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116).
- Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256)
- Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257)
- Fixed memory leak when processing PUB messages with metadata (bsc#1176259)
- Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258)

References

CVE: CVE-2020-15166
Bugzilla: 1176259 VUL-1: zeromq: libzmq - Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP
Bugzilla: 1176258 VUL-0: zeromq: libzmq - Stack overflow on server running PUB/XPUB socket (CURVE disabled)
Bugzilla: 1176257 VUL-1: zeromq: libzmq - Memory leak in client induced by malicious server(s) without CURVE/ZAP
Bugzilla: 1176256 VUL-0: zeromq: libzmq - Heap overflow when receiving malformed ZMTP v1 packets
Bugzilla: 1176116 VUL-0: EMBARGOED: CVE-2020-15166: zeromq: zeromq connects peer before handshake is completed

Packages

libunwind-1.2.1-4.2.3