Bug 15878

Summary: zeromq new protocol downgrade attack security issue (CVE-2014-9721)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Barry Jackson <zen25000>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/643919/
Whiteboard:
Source RPM: zeromq-4.0.5-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-05-07 17:39:15 CEST
A CVE was requested for a security issue in zeromq 4.0.5:
http://openwall.com/lists/oss-security/2015/05/07/8

The upstream commit to fix the issue is linked in the message above.

Reproducible: 

Steps to Reproduce:
Comment 1 Barry Jackson 2015-05-08 17:18:22 CEST
This issue is fixed in version 4.0.6 along with other bug fixes:

0MQ version 4.0.6 stable, released on 2015/12/xx
================================================

* Fixed #1273 - V3 protocol handler vulnerable to downgrade attacks.

* Fixed #1362 - SUB socket sometimes fails to resubscribe properly.

* Fixed #1377, #1144 - failed with WSANOTINITIALISED in some cases.

* Fixed #1389 - PUB, PUSH sockets had slow memory leak.

* Fixed #1382 - zmq_proxy did not terminate if there were no readers.

===============================================

I am updating to this version in svn and will ask for push of this and rebuild of gnuradio.
Comment 2 David Walser 2015-05-08 17:21:02 CEST
Ahh, nice.  When I checked yesterday, 4.0.6 didn't seem to be available.
Comment 3 Barry Jackson 2015-05-08 19:06:42 CEST
Committed and asked for push - no need to rebuild gnuradio although I did bump release in svn.
Comment 4 Barry Jackson 2015-05-08 19:11:29 CEST
(In reply to David Walser from comment #2)
> Ahh, nice.  When I checked yesterday, 4.0.6 didn't seem to be available.

Well, it's not on the site as a tarball, but I made the tarball from git stable branch which has the above bug fixes and has the 4.0.6 version flag.
Comment 5 David Walser 2015-05-08 19:49:10 CEST
(In reply to Barry Jackson from comment #4)
> (In reply to David Walser from comment #2)
> > Ahh, nice.  When I checked yesterday, 4.0.6 didn't seem to be available.
> 
> Well, it's not on the site as a tarball, but I made the tarball from git
> stable branch which has the above bug fixes and has the 4.0.6 version flag.

Ahh, so perhaps it's not actually released yet.  Maybe use a 0.1 release tag, just in case?
Comment 6 Barry Jackson 2015-05-08 20:13:08 CEST
To be clear, the snippet in #1 is from the NEWS in the tarball.
Comment 7 Barry Jackson 2015-05-08 21:03:20 CEST
OK now 0.1 in svn as it may not actually be *final* 4.0.6.
Comment 8 David Walser 2015-05-10 21:39:20 CEST
zeromq-4.0.6-0.1.mga5 uploaded for Cauldron.  Thanks Barry!

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2015-05-11 14:50:09 CEST
Debian has issued an advisory for this on May 10:
https://www.debian.org/security/2015/dsa-3255
David Walser 2015-05-11 20:33:18 CEST

URL: (none) => http://lwn.net/Vulnerabilities/643919/

Comment 10 David Walser 2015-05-21 17:49:35 CEST
CVE-2014-9721 has been assigned:
http://openwall.com/lists/oss-security/2015/05/21/4

Summary: zeromq new protocol downgrade attack security issue => zeromq new protocol downgrade attack security issue (CVE-2014-9721)

Comment 11 David Walser 2015-06-01 23:49:38 CEST
LWN reference with the CVE:
http://lwn.net/Vulnerabilities/646896/