[SECURITY] [DLA 2443-1] zeromq3 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2443-1] zeromq3 security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Tue, 10 Nov 2020 20:24:16 +0530
Message-id: <[🔎] CAPP0f94q0aUyJ9HJfbjsfY1=DREfdnV4KL6KbaEvj2eLUzm74A@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2443-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
November 10, 2020                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : zeromq3
Version        : 4.2.1-4+deb9u3
CVE ID         : CVE-2020-15166

It was discovered that ZeroMQ, a lightweight messaging kernel
library does not properly handle connecting peers before a
handshake is completed. A remote, unauthenticated client connecting
to an application using the libzmq library, running with a socket
listening with CURVE encryption/authentication enabled can take
advantage of this flaw to cause a denial of service affecting
authenticated and encrypted clients.

For Debian 9 stretch, this problem has been fixed in version
4.2.1-4+deb9u3.

We recommend that you upgrade your zeromq3 packages.

For the detailed security status of zeromq3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zeromq3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl+qqUoACgkQgj6WdgbD
S5b11RAAymqFGD5xgtJdoqdvUxelgCbGCNpBiUcAQanx5LjDUZ68MGDifap7JfFN
B/Na0n4dJ1oGYtAgVRKCYUbkvRAe+2xSqq0etqAYX8FnRVKIp43c5/jC7bB+dFQ/
zK379LYYEDvkXQgu316+2HUwset/tsOnLLe0SvQWbe57zrWcjPAQ2HDOrcIeZrWz
DukbOqVBEQ6U+otgQ9biiMwA1nxOEOrMCkYSoYX14exDxBqCcwQVjWmjYGMt6ORP
Yh281p+rH9I1BcTARcyTYUn/30IEvQDPtmZ59/M2VXrdob0UT0foJAEb6FBVpueu
MVWJehuf7FBhw0IIkjunPHoFciAzvV5Ob+Yx5FSMh5P1w6dsVc3siMA9XUsra6Bq
p1ii0clmCrsWcMImC5nZsCr0N8+sC4TJPLTVQ8S6o11NuENUa5WqYkNOGIBzMUuc
Asc5cuzl+ZMdOTy27IU2iyrI0pR4ElxVhcBSC7i4Cvwv1mBvgMX6doaxjTTjVAo0
qzXwqQgeD04yIm6XVACWkDvGho44wsZmcck3PyHtqQ/KTspt3I1ug14PRg4uaBLj
IV1s/ZjAPxd8hVK/y/sOGh+OgvqHjLd8L195KeAPyExXWLMqF1Efp8h4qtC2ewbU
yCoQ2Is1wAfv4VeTxzfJu5ghR3Y/bWrnFiIES4DkYbrkbfvmmk0=
=E8Zr
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2442-1] obfs4proxy security update
Next by Date: [SECURITY] [DLA 2444-1] tcpdump security update
Previous by thread: [SECURITY] [DLA 2442-1] obfs4proxy security update
Next by thread: [SECURITY] [DLA 2444-1] tcpdump security update
Index(es):
- Date
- Thread