1 | 1 | 0MQ version 4.3.x stable, released on 20xx/xx/xx |
2 | 2 | ================================================ |
3 | 3 |
|
| 4 | +* Security advisories: |
| 5 | + * CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by |
| 6 | + unauthenticated clients. |
| 7 | + If a raw TCP socket is opened and connected to an endpoint that is fully |
| 8 | + configured with CURVE/ZAP, legitimate clients will not be able to exchange |
| 9 | + any message. Handshakes complete successfully, and messages are delivered to |
| 10 | + the library, but the server application never receives them. |
| 11 | + For more information see the security advisory: |
| 12 | + https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m |
| 13 | + * Stack overflow on server running PUB/XPUB socket (CURVE disabled). |
| 14 | + The PUB/XPUB subscription store (mtrie) is traversed using recursive |
| 15 | + function calls. In the remove (unsubscription) case, the recursive calls are |
| 16 | + NOT tail calls, so even with optimizations the stack grows linearly with the |
| 17 | + length of a subscription topic. Topics are under the control of remote |
| 18 | + clients - they can send a subscription to arbitrary length topics. An |
| 19 | + attacker can thus cause a server to create an mtrie sufficiently large such |
| 20 | + that, when unsubscribing, traversal will cause a stack overflow. |
| 21 | + For more information see the security advisory: |
| 22 | + https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8 |
| 23 | + * Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP. |
| 24 | + Messages with metadata are never processed by PUB sockets, but the metadata |
| 25 | + is kept referenced in the PUB object and never freed. |
| 26 | + For more information see the security advisory: |
| 27 | + https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw |
| 28 | + * Memory leak in client induced by malicious server(s) without CURVE/ZAP. |
| 29 | + When a pipe processes a delimiter and is already not in active state but |
| 30 | + still has an unfinished message, the message is leaked. |
| 31 | + For more information see the security advisory: |
| 32 | + https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 |
| 33 | + * Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled). |
| 34 | + By crafting a packet which is not valid ZMTP v2/v3, and which has two |
| 35 | + messages larger than 8192 bytes, the decoder can be tricked into changing |
| 36 | + the recorded size of the 8192 bytes static buffer, which then gets overflown |
| 37 | + by the next message. The content that gets written in the overflown memory |
| 38 | + is entirely decided by the sender. |
| 39 | + For more information see the security advisory: |
| 40 | + https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6 |
| 41 | + |
4 | 42 | * Note for packagers: an external, self-contained sha1 library is now |
5 | 43 | included in the source tree under external/sha1/ - it is licensed |
6 | 44 | under BSD-3-Clause and thus it is fully compatible with libzmq's |
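Review bot: none of the five advisory entries (from `+ * CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by` through `+ https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6`) state which libzmq releases are affected or that this release is the first to contain the fix, and only the first entry carries a CVE id while the other four cite a GHSA id alone; consider adding the affected-version range to each entry, and the CVE number wherever one has been assigned, so packagers reading NEWS can match the fixes against the versions they ship without following each link. Minor wording in the ZMTP v1 entry: "overflown" should read "overflowed".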