Adding bug numbers to previous submission
- New upstream version 4.3.3:
* Denial-of-Service on CURVE/ZAP-protected servers by
unauthenticated clients. (CVE-2020-15166, bsc#1176116)
If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange
any message. Handshakes complete successfully, and messages are delivered to
the library, but the server application never receives them.
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
* Stack overflow on server running PUB/XPUB socket (CURVE disabled).
The PUB/XPUB subscription store (mtrie) is traversed using recursive
function calls. In the remove (unsubscription) case, the recursive calls are
NOT tail calls, so even with optimizations the stack grows linearly with the
length of a subscription topic. Topics are under the control of remote
clients - they can send a subscription to arbitrary length topics. An
attacker can thus cause a server to create an mtrie sufficiently large such
that, when unsubscribing, traversal will cause a stack overflow. (bsc#1176258)
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
* Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
Messages with metadata are never processed by PUB sockets, but the metadata
is kept referenced in the PUB object and never freed. (bsc#1176257)
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
* Memory leak in client induced by malicious server(s) without CURVE/ZAP.
When a pipe processes a delimiter and is already not in active state but
still has an unfinished message, the message is leaked. (bsc#1176259)
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
* Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
By crafting a packet which is not valid ZMTP v2/v3, and which has two
messages larger than 8192 bytes, the decoder can be tricked into changing
the recorded size of the 8192 bytes static buffer, which then gets overflown
by the next message. The content that gets written in the overflown memory
is entirely decided by the sender. (bsc#1176256)
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
For complete list of changes, see
https://github.com/zeromq/libzmq/releases/tag/v4.3.3
OBS-URL: https://build.opensuse.org/request/show/839566
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/zeromq?expand=0&rev=38
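Added here as an illustration of the mtrie stack-overflow entry above, not code from libzmq: a toy subscription trie whose unsubscribe is written in the recursive, non-tail-call form the advisory describes, next to an iterative version that walks the same path with an explicit list. Python's RecursionError stands in for the native stack overflow (in C the server process would simply crash). The names (Node, subscribe, unsubscribe_recursive, unsubscribe_iterative, remove_survives) are this example's own.

```python
"""Toy subscription trie (not libzmq's mtrie) showing why recursive removal is a
DoS vector when topic length is attacker-controlled, and the iterative fix."""
from typing import Dict, List


class Node:
    __slots__ = ("children", "subscribed")

    def __init__(self) -> None:
        self.children: Dict[int, "Node"] = {}
        self.subscribed = False


def subscribe(root: Node, topic: bytes) -> None:
    node = root
    for b in topic:
        node = node.children.setdefault(b, Node())
    node.subscribed = True


def unsubscribe_recursive(node: Node, topic: bytes, i: int = 0) -> bool:
    """Remove `topic`; return True if `node` became empty and can be pruned.
    One stack frame per topic byte, and the prune runs after the recursive
    call returns, so this is not a tail call: stack use is linear in len(topic)."""
    if i == len(topic):
        node.subscribed = False
    else:
        child = node.children.get(topic[i])
        if child is not None and unsubscribe_recursive(child, topic, i + 1):
            del node.children[topic[i]]
    return not node.subscribed and not node.children


def unsubscribe_iterative(root: Node, topic: bytes) -> None:
    """Same semantics with the path kept in a list: constant stack depth."""
    path = [root]
    for b in topic:
        nxt = path[-1].children.get(b)
        if nxt is None:
            return  # topic was never subscribed
        path.append(nxt)
    path[-1].subscribed = False
    for depth in range(len(topic), 0, -1):  # prune empty nodes bottom-up
        node = path[depth]
        if node.subscribed or node.children:
            break
        del path[depth - 1].children[topic[depth - 1]]


def subscribed_topics(root: Node) -> List[bytes]:
    """List subscribed topics with an iterative DFS (same reason as above)."""
    out: List[bytes] = []
    stack = [(root, b"")]
    while stack:
        node, prefix = stack.pop()
        if node.subscribed:
            out.append(prefix)
        for b, child in node.children.items():
            stack.append((child, prefix + bytes([b])))
    return sorted(out)


def remove_survives(topic_len: int, iterative: bool) -> bool:
    """Subscribe then unsubscribe a topic of `topic_len` bytes (a remote client
    chooses this length) and report whether the removal completed. RecursionError
    models the native stack overflow; a C server would crash instead."""
    root = Node()
    topic = b"a" * topic_len  # constructed input; any byte pattern works
    subscribe(root, topic)
    try:
        if iterative:
            unsubscribe_iterative(root, topic)
        else:
            unsubscribe_recursive(root, topic)
    except RecursionError:
        return False
    return not root.children and not root.subscribed


if __name__ == "__main__":
    print("short topic, recursive :", remove_survives(16, iterative=False))
    print("50k topic, recursive   :", remove_survives(50_000, iterative=False))
    print("50k topic, iterative   :", remove_survives(50_000, iterative=True))
```

The subscribe path is already iterative in the toy, which mirrors the advisory's point that the attacker can build an arbitrarily deep trie cheaply; only the removal blows the stack.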
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=74
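Added example for the ZMTP v1 heap-overflow entry above, not libzmq's v1 decoder: a standalone ZMTP/1.0 frame parser that checks every length field against the bytes actually present and against a size cap before it slices anything, which is the check that keeps a sender-chosen length from becoming an out-of-bounds write. The framing rule (one length octet, 0xFF introducing an 8-octet big-endian length, one flags octet with bit 0 = MORE, the length counting flags plus body) is from the ZMTP/1.0 spec; the 8192-byte cap and the names parse_frames, encode_frame and FrameError are this example's own choices.

```python
"""Bounds-checked ZMTP/1.0 frame parser (illustrative, not libzmq code)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_MAX_BODY = 8192  # cap chosen for this example; a real server would size it per application


class FrameError(ValueError):
    """Raised for lengths that are invalid or exceed the cap; the connection should be dropped."""


@dataclass
class Frame:
    more: bool
    body: bytes


def parse_frames(buf: bytes, max_body: int = DEFAULT_MAX_BODY) -> Tuple[List[Frame], bytes]:
    """Parse complete frames from buf and return (frames, unconsumed tail).
    The length is validated before any slice: a hostile value yields FrameError,
    never an out-of-bounds read or an allocation sized by the attacker."""
    frames: List[Frame] = []
    pos, n = 0, len(buf)
    while pos < n:
        length = buf[pos]
        hdr = 1
        if length == 0xFF:  # long form: 8-octet big-endian length follows
            if n - pos < 9:
                break  # need more bytes to even read the length
            length = struct.unpack_from(">Q", buf, pos + 1)[0]
            hdr = 9
        if length < 1:
            raise FrameError("zero-length frame (length must cover the flags octet)")
        if length - 1 > max_body:
            raise FrameError(f"frame body {length - 1} exceeds cap {max_body}")
        if n - pos - hdr < length:
            break  # incomplete frame: keep it in the tail, do not touch it
        flags = buf[pos + hdr]
        body = bytes(buf[pos + hdr + 1 : pos + hdr + length])
        frames.append(Frame(more=bool(flags & 0x01), body=body))
        pos += hdr + length
    return frames, bytes(buf[pos:])


def encode_frame(body: bytes, more: bool = False) -> bytes:
    """Inverse of parse_frames, used to build the constructed test input."""
    length = len(body) + 1  # flags octet plus body
    flags = bytes([0x01 if more else 0x00])
    if length < 0xFF:
        return bytes([length]) + flags + body
    return b"\xff" + struct.pack(">Q", length) + flags + body


if __name__ == "__main__":
    stream = encode_frame(b"hello", more=True) + encode_frame(b"x" * 300)
    frames, tail = parse_frames(stream)
    print([(f.more, len(f.body)) for f in frames], len(tail))
```

Note that the oversized case is rejected as soon as the length field is readable, before waiting for the rest of the frame: a decoder that first accepts the length and only later reconciles it with its buffer is exactly the shape that goes wrong.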
- New upstream version 4.3.2:
* CVE-2019-13132: a remote, unauthenticated client connecting to a
libzmq application, running with a socket listening with CURVE
encryption/authentication enabled, may cause a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. Users running public servers with the above configuration
are highly encouraged to upgrade as soon as possible, as there are no
known mitigations. (bsc#1140255)
* New DRAFT (see NEWS for 4.2.0) zmq_socket_monitor_versioned API that supports
a versioned monitoring events protocol as a parameter. Passing 1 results in
the same behaviour as zmq_socket_monitor.
* New DRAFT (see NEWS for 4.2.0) zmq_socket_monitor_pipes_stats that triggers
a new ZMQ_EVENT_PIPES_STATS to be delivered via zmq_socket_monitor_versioned
v2 API, which contains the current status of all the queues owned by the
monitored socket. See doc/zmq_socket_monitor_versioned.txt for details.
* New DRAFT (see NEWS for 4.2.0) zmq_poller_fd that returns the FD of a thread
safe socket.
* New DRAFT (see NEWS for 4.2.0) socket options:
ZMQ_XPUB_MANUAL_LAST_VALUE is similar to ZMQ_XPUB_MANUAL but allows to avoid
duplicates when using last value caching.
ZMQ_SOCKS_USERNAME and ZMQ_SOCKS_PASSWORD that implement SOCKS5 proxy
authentication.
- For complete set of changes, see
https://github.com/zeromq/libzmq/releases/tag/v4.3.2
OBS-URL: https://build.opensuse.org/request/show/714173
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=72
- New upstream version 4.2.4
* New DRAFT (see NEWS for 4.2.0) socket options:
- ZMQ_LOOPBACK_FASTPATH to enable faster TCP loopback on Windows
- ZMQ_METADATA to set application-specific metadata on a socket
See doc/zmq_setsockopt.txt and doc/zmq_getsockopt.txt for details.
* New DRAFT (see NEWS for 4.2.0) context options:
- ZMQ_ZERO_COPY_RECV to disable zero-copy receive to save memory
at the expense of slower performance
See doc/zmq_ctx_set.txt and doc/zmq_ctx_get.txt for details.
* New DRAFT API zmq_stopwatch_intermediate which returns the time
elapsed without stopping the stopwatch.
* TIPC: support addressing TIPC Port Identity addresses.
* fix ZMQ_DISH over UDP triggers errno_assert() after watermark
* fix ZMQ_PUB crash when due to high volume of subscribe and
unsubscribe messages, an unmatched unsubscribe message is
received in certain conditions
* see NEWS and ChangeLog for additional details
- install licenses correctly and update SPDX license to version 3
OBS-URL: https://build.opensuse.org/request/show/589935
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=64
- New upstream version 4.2.3
* API change: previously ZMQ_POLLOUT on a ZMQ_ROUTER socket
returned always true due to how the type works. When
ZMQ_ROUTER_MANDATORY is set, sending fails when the peer is
not available, but ZMQ_POLLOUT always returns true anyway,
which does not make sense. Now when ZMQ_ROUTER_MANDATORY is
set, ZMQ_POLLOUT on a ZMQ_ROUTER will return true only if
at least one peer is available.
Given ZMQ_POLLOUT with ZMQ_ROUTER was not usable at all
previously, we do not consider this a breakage warranting a
major or minor version increase.
* ZMQ_IDENTITY has been renamed to ZMQ_ROUTING_ID and
ZMQ_CONNECT_RID has been renamed to ZMQ_CONNECT_ROUTING_ID
to disambiguate. ZMQ_IDENTITY and ZMQ_CONNECT_RID are still
available to keep backward compatibility, and will be
removed in a future release after further advance notice.
* DRAFT API change: zmq_poller_wait, zmq_poller_wait_all and
zmq_poller_poll have been changed to be inline with other
existing APIs that have a timeout to return EAGAIN instead
of ETIMEDOUT as the errno value.
* Existing non-DRAFT socket types ZMQ_REP/REQ, ZMQ_ROUTER/DEALER
and ZMQ_PUB/SUB, that were previously declared deprecated, have
been reinstated as stable and supported.
* Curve: all remaining traces of debug output to console are now
removed, and new DRAFT events are available to properly debug
CURVE, PLAIN, GSSAPI and ZAP events and failures.
* for complete changelog see
https://github.com/zeromq/libzmq/releases/tag/v4.2.3
- drop remove_werror.patch: can now be disabled at configure time,
if needed.
OBS-URL: https://build.opensuse.org/request/show/556904
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=62
- New upstream version 4.2.0
* For Pieter. Thanks for making all of this possible.
* This release introduces new APIs, but it is ABI compatible with
libzmq 4.1.2 and up.
* Fixed alignment problem on arm and sparc, need to rebuild
against 4.2.0
* New Context option ZMQ_MAX_MSGSZ
* New Socket options:
- ZMQ_HANDSHAKE_IVL
- ZMQ_SOCKS_PROXY
- ZMQ_XPUB_NODROP
- ZMQ_BLOCKY
- ZMQ_XPUB_MANUAL
- ZMQ_XPUB_WELCOME_MSG
- ZMQ_STREAM_NOTIFY
- ZMQ_INVERT_MATCHING
- ZMQ_HEARTBEAT_IVL
- ZMQ_HEARTBEAT_TTL
- ZMQ_HEARTBEAT_TIMEOUT
....
* see NEWS for all changes
- Packaging
* add --with-libsodium to link against libsodium and not internal
tweetnacl
* remove disable-silent-rules
* add --enable-curve to build curve_keygen tool
https://github.com/zeromq/libzmq/pull/2195
* add libunwind to build dependencies
OBS-URL: https://build.opensuse.org/request/show/438778
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=51
- Added patch 3ad076.patch
* based on https://github.com/zeromq/zeromq4-1/commit/3ad076.patch
* refreshed and removed NEWS section
* fixes unbinding when IPv6 is available
- Add '--disable-dependency-tracking' since we are not rebuilding
- Re-enable concurrent check target, but fall back to sequential on
failure. This allows quick test building while still allowing a
sequential unit test run. Run tests 3x before 'official' failure as
some are a little flaky (upstream acknowledges this)
- Append test_log in build output if there are failures
- Update to 4.1.4
* fixed build failure with latest libsodium
* handle IPv6 link local addresses
* fixed assertion failure in msg.cpp:390 on STREAM sockets
* fixed assertion failure in tcp.cpp after network reconnect
* fixed socket monitor hang
- Remove libsodium-init.patch - upstreamed
- Run %check rule sequentially to prevent assert failures
OBS-URL: https://build.opensuse.org/request/show/399056
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=43
* Added explicit reference to static link exception in every source file.
* Bumped ABI version to 5:0:0 since 4.1.x changed the ABI.
* Fixed STDINT event interface macros to work with CZMQ 3.0.
* Fixed installation of man pages when BUILD_DOC is not set.
* Fixed #1428 - regression on single-socket proxies.
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zeromq?expand=0&rev=33