15878 – zeromq new protocol downgrade attack security issue (CVE-2014-9721)

Bug 15878 - zeromq new protocol downgrade attack security issue (CVE-2014-9721)

Summary: zeromq new protocol downgrade attack security issue (CVE-2014-9721)

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Barry Jackson
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/643919/
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2015-05-07 17:39 CEST by David Walser
Modified:	2015-06-01 23:49 CEST (History)
CC List:	0 users

See Also:
Source RPM:	zeromq-4.0.5-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-05-07 17:39:15 CEST

A CVE was requested for a security issue in zeromq 4.0.5:
http://openwall.com/lists/oss-security/2015/05/07/8

The upstream commit to fix the issue is linked in the message above.

Reproducible: 

Steps to Reproduce:

Comment 1 Barry Jackson 2015-05-08 17:18:22 CEST

This issue is fixed in version 4.0.6 along with other bug fixes:

0MQ version 4.0.6 stable, released on 2015/12/xx
================================================

* Fixed #1273 - V3 protocol handler vulnerable to downgrade attacks.

* Fixed #1362 - SUB socket sometimes fails to resubscribe properly.

* Fixed #1377, #1144 - failed with WSANOTINITIALISED in some cases.

* Fixed #1389 - PUB, PUSH sockets had slow memory leak.

* Fixed #1382 - zmq_proxy did not terminate if there were no readers.

===============================================

I am updating to this version in svn and will ask for push of this and rebuild of gnuradio.

Comment 2 David Walser 2015-05-08 17:21:02 CEST

Ahh, nice.  When I checked yesterday, 4.0.6 didn't seem to be available.

Comment 3 Barry Jackson 2015-05-08 19:06:42 CEST

Committed and asked for push - no need to rebuild gnuradio although I did bump release in svn.

Comment 4 Barry Jackson 2015-05-08 19:11:29 CEST

(In reply to David Walser from comment #2)
> Ahh, nice.  When I checked yesterday, 4.0.6 didn't seem to be available.

Well, it's not on the site as a tarball, but I made the tarball from git stable branch which has the above bug fixes and has the 4.0.6 version flag.

Comment 5 David Walser 2015-05-08 19:49:10 CEST

(In reply to Barry Jackson from comment #4)
> (In reply to David Walser from comment #2)
> > Ahh, nice.  When I checked yesterday, 4.0.6 didn't seem to be available.
> 
> Well, it's not on the site as a tarball, but I made the tarball from git
> stable branch which has the above bug fixes and has the 4.0.6 version flag.

Ahh, so perhaps it's not actually released yet.  Maybe use a 0.1 release tag, just in case?

Comment 6 Barry Jackson 2015-05-08 20:13:08 CEST

To be clear, the snippet in #1 is from the NEWS in the tarball.

Comment 7 Barry Jackson 2015-05-08 21:03:20 CEST

OK now 0.1 in svn as it may not actually be *final* 4.0.6.

Comment 8 David Walser 2015-05-10 21:39:20 CEST

zeromq-4.0.6-0.1.mga5 uploaded for Cauldron.  Thanks Barry!

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2015-05-11 14:50:09 CEST

Debian has issued an advisory for this on May 10:
https://www.debian.org/security/2015/dsa-3255

David Walser 2015-05-11 20:33:18 CEST

URL: (none) => http://lwn.net/Vulnerabilities/643919/

Comment 10 David Walser 2015-05-21 17:49:35 CEST

CVE-2014-9721 has been assigned:
http://openwall.com/lists/oss-security/2015/05/21/4

Summary: zeromq new protocol downgrade attack security issue => zeromq new protocol downgrade attack security issue (CVE-2014-9721)

Comment 11 David Walser 2015-06-01 23:49:38 CEST

LWN reference with the CVE:
http://lwn.net/Vulnerabilities/646896/

Note You need to log in before you can comment on or make changes to this bug.