diff --git a/zeromq-4.3.2.tar.gz b/zeromq-4.3.2.tar.gz deleted file mode 100644 index d62820a..0000000 --- a/zeromq-4.3.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763 -size 1697442 diff --git a/zeromq-4.3.3.tar.gz b/zeromq-4.3.3.tar.gz new file mode 100644 index 0000000..aab58b0 --- /dev/null +++ b/zeromq-4.3.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d9285db37ae942ed0780c016da87060497877af45094ff9e1a1ca736e3875a2 +size 2117050 diff --git a/zeromq.changes b/zeromq.changes index 8e902c8..66a613d 100644 --- a/zeromq.changes +++ b/zeromq.changes 
@@ -1,3 +1,47 @@ +------------------------------------------------------------------- +Mon Sep 7 16:56:09 UTC 2020 - Adam Majer + +- New upstream version 4.3.3: + * Denial-of-Service on CURVE/ZAP-protected servers by + unauthenticated clients. (CVE-2020-15166, bsc#1176116) + If a raw TCP socket is opened and connected to an endpoint that is fully + configured with CURVE/ZAP, legitimate clients will not be able to exchange + any message. Handshakes complete successfully, and messages are delivered to + the library, but the server application never receives them. + For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m + * Stack overflow on server running PUB/XPUB socket (CURVE disabled). + The PUB/XPUB subscription store (mtrie) is traversed using recursive + function calls. In the remove (unsubscription) case, the recursive calls are + NOT tail calls, so even with optimizations the stack grows linearly with the + length of a subscription topic. Topics are under the control of remote + clients - they can send a subscription to arbitrary length topics. An + attacker can thus cause a server to create an mtrie sufficiently large such + that, when unsubscribing, traversal will cause a stack overflow. (bsc#1176258) + For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8 + * Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP. + Messages with metadata are never processed by PUB sockets, but the metadata + is kept referenced in the PUB object and never freed. (bsc#1176257) + For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw + * Memory leak in client induced by malicious server(s) without CURVE/ZAP. + When a pipe processes a delimiter and is already not in active state but + still has an unfinished message, the message is leaked. 
(bsc#1176259) + For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 + * Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled). + By crafting a packet which is not valid ZMTP v2/v3, and which has two + messages larger than 8192 bytes, the decoder can be tricked into changing + the recorded size of the 8192 bytes static buffer, which then gets overflown + by the next message. The content that gets written in the overflown memory + is entirely decided by the sender. (bsc#1176256) + For more information see the security advisory: + https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6 + +For complete list of changes, see +https://github.com/zeromq/libzmq/releases/tag/v4.3.3 + ------------------------------------------------------------------- Tue Jul 9 07:35:29 UTC 2019 - Vítězslav Čížek diff --git a/zeromq.spec b/zeromq.spec index 9628e64..4d368c6 100644 --- a/zeromq.spec +++ b/zeromq.spec @@ -1,7 +1,7 @@ # # spec file for package zeromq # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ %bcond_with pgm %endif Name: zeromq -Version: 4.3.2 +Version: 4.3.3 Release: 0 Summary: Lightweight messaging kernel License: LGPL-3.0-or-later
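Review bot: in the two tarball hunks (a/zeromq-4.3.2.tar.gz removed, b/zeromq-4.3.3.tar.gz added), the new LFS pointer (oid sha256:9d9285db37ae942ed0780c016da87060497877af45094ff9e1a1ca736e3875a2, size 2117050) is the only integrity record for the updated source, and no signature, keyring or checksum file is added or changed alongside it, so the patch alone does not show that this digest matches the tarball upstream published. Suggest stating in the submission how the digest was verified (upstream release checksum or detached signature), or adding signature verification to the package, since a security update only helps if the tarball being shipped is the one the advisories refer to.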
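Review bot: in the zeromq.changes hunk, only the first of the five security items carries a CVE identifier (CVE-2020-15166); the mtrie stack overflow, the two memory leaks and the ZMTP v1 heap overflow are referenced only by bsc# numbers and GHSA advisory URLs. If CVE ids have been assigned for those advisories, add them to the respective bullets so that automated security tracking matches this update; if none exist, a short remark to that effect saves the next reader a search. Minor wording: "overflown" in the heap-overflow bullet should read "overflowed".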
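Review bot: the Version bump from 4.3.2 to 4.3.3 in the second zeromq.spec hunk is the only functional spec change, so the Source: line is presumably built from %{version}; that line lies outside the visible context, so please confirm it resolves to the renamed zeromq-4.3.3.tar.gz. Also confirm that no existing Patch: entries (none appear in these hunks) are backports of the fixes now included in 4.3.3, as those would need to be dropped to avoid fuzz or double application.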