mirror of
https://github.com/zeromq/libzmq.git
synced 2024-12-14 02:57:47 +01:00
Problem: NEWS does not mention security advisories
Solution: add them
This commit is contained in:
parent
fd094fe2fc
commit
b97ce25c26
38
NEWS
38
NEWS
@ -1,6 +1,44 @@
|
||||
0MQ version 4.3.x stable, released on 20xx/xx/xx
|
||||
================================================
|
||||
|
||||
* Security advisories:
|
||||
* CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
|
||||
unauthenticated clients.
|
||||
If a raw TCP socket is opened and connected to an endpoint that is fully
|
||||
configured with CURVE/ZAP, legitimate clients will not be able to exchange
|
||||
any message. Handshakes complete successfully, and messages are delivered to
|
||||
the library, but the server application never receives them.
|
||||
For more information see the security advisory:
|
||||
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
|
||||
* Stack overflow on server running PUB/XPUB socket (CURVE disabled).
|
||||
The PUB/XPUB subscription store (mtrie) is traversed using recursive
|
||||
function calls. In the remove (unsubscription) case, the recursive calls are
|
||||
NOT tail calls, so even with optimizations the stack grows linearly with the
|
||||
length of a subscription topic. Topics are under the control of remote
|
||||
clients - they can send a subscription to arbitrary length topics. An
|
||||
attacker can thus cause a server to create an mtrie sufficiently large such
|
||||
that, when unsubscribing, traversal will cause a stack overflow.
|
||||
For more information see the security advisory:
|
||||
https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
|
||||
* Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
|
||||
Messages with metadata are never processed by PUB sockets, but the metadata
|
||||
is kept referenced in the PUB object and never freed.
|
||||
For more information see the security advisory:
|
||||
https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
|
||||
* Memory leak in client induced by malicious server(s) without CURVE/ZAP.
|
||||
When a pipe processes a delimiter and is already not in active state but
|
||||
still has an unfinished message, the message is leaked.
|
||||
For more information see the security advisory:
|
||||
https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
|
||||
* Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
|
||||
By crafting a packet which is not valid ZMTP v2/v3, and which has two
|
||||
messages larger than 8192 bytes, the decoder can be tricked into changing
|
||||
the recorded size of the 8192 bytes static buffer, which then gets overflown
|
||||
by the next message. The content that gets written in the overflown memory
|
||||
is entirely decided by the sender.
|
||||
For more information see the security advisory:
|
||||
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
|
||||
|
||||
* Note for packagers: an external, self-contained sha1 library is now
|
||||
included in the source tree under external/sha1/ - it is licensed
|
||||
under BSD-3-Clause and thus it is fully compatible with libzmq's
|
||||
|
Loading…
Reference in New Issue
Block a user