- New upstream version 4.3.3:

* Denial-of-Service on CURVE/ZAP-protected servers by
    unauthenticated clients. (CVE-2020-15166, bsc#1176116)
    If a raw TCP socket is opened and connected to an endpoint that is fully
    configured with CURVE/ZAP, legitimate clients will not be able to exchange
    any message. Handshakes complete successfully, and messages are delivered to
    the library, but the server application never receives them.
    For more information see the security advisory:
    https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
  * Stack overflow on server running PUB/XPUB socket (CURVE disabled).
    The PUB/XPUB subscription store (mtrie) is traversed using recursive
    function calls. In the remove (unsubscription) case, the recursive calls are
    NOT tail calls, so even with optimizations the stack grows linearly with the
    length of a subscription topic. Topics are under the control of remote
    clients - they can send a subscription to arbitrary length topics. An
    attacker can thus cause a server to create an mtrie sufficiently large such
    that, when unsubscribing, traversal will cause a stack overflow.
    For more information see the security advisory:
    https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
  * Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
    Messages with metadata are never processed by PUB sockets, but the metadata
    is kept referenced in the PUB object and never freed.
    For more information see the security advisory:
    https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
  * Memory leak in client induced by malicious server(s) without CURVE/ZAP.
    When a pipe processes a delimiter and is already not in active state but
    still has an unfinished message, the message is leaked.
    For more information see the security advisory:
    https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
  * Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).

OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=74

zeromq-4.3.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763
-size 1697442

zeromq-4.3.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9d9285db37ae942ed0780c016da87060497877af45094ff9e1a1ca736e3875a2
+size 2117050

zeromq.changes

@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Mon Sep  7 16:56:09 UTC 2020 - Adam Majer <adam.majer@suse.de>
+
+- New upstream version 4.3.3:
+  * Denial-of-Service on CURVE/ZAP-protected servers by
+    unauthenticated clients. (CVE-2020-15166, bsc#1176116)
+    If a raw TCP socket is opened and connected to an endpoint that is fully
+    configured with CURVE/ZAP, legitimate clients will not be able to exchange
+    any message. Handshakes complete successfully, and messages are delivered to
+    the library, but the server application never receives them.
+    For more information see the security advisory:
+    https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
+  * Stack overflow on server running PUB/XPUB socket (CURVE disabled).
+    The PUB/XPUB subscription store (mtrie) is traversed using recursive
+    function calls. In the remove (unsubscription) case, the recursive calls are
+    NOT tail calls, so even with optimizations the stack grows linearly with the
+    length of a subscription topic. Topics are under the control of remote
+    clients - they can send a subscription to arbitrary length topics. An
+    attacker can thus cause a server to create an mtrie sufficiently large such
+    that, when unsubscribing, traversal will cause a stack overflow.
+    For more information see the security advisory:
+    https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
+  * Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
+    Messages with metadata are never processed by PUB sockets, but the metadata
+    is kept referenced in the PUB object and never freed.
+    For more information see the security advisory:
+    https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
+  * Memory leak in client induced by malicious server(s) without CURVE/ZAP.
+    When a pipe processes a delimiter and is already not in active state but
+    still has an unfinished message, the message is leaked.
+    For more information see the security advisory:
+    https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
+  * Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
+    By crafting a packet which is not valid ZMTP v2/v3, and which has two
+    messages larger than 8192 bytes, the decoder can be tricked into changing
+    the recorded size of the 8192 bytes static buffer, which then gets overflown
+    by the next message. The content that gets written in the overflown memory
+    is entirely decided by the sender.
+    For more information see the security advisory:
+    https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
+
+For complete list of changes, see
+https://github.com/zeromq/libzmq/releases/tag/v4.3.3
+
 -------------------------------------------------------------------
 Tue Jul  9 07:35:29 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
 

zeromq.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package zeromq
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 %bcond_with pgm
 %endif
 Name:           zeromq
-Version:        4.3.2
+Version:        4.3.3
 Release:        0
 Summary:        Lightweight messaging kernel
 License:        LGPL-3.0-or-later