From bfba6e5a36853c1bfd3a9e345f342f223d1a62ed Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Mon, 14 Jan 2019 09:54:19 +0000 Subject: [PATCH] Problem: NEWS for 4.3.1 does not mention CVE number Solution: add it now that it's been assigned --- NEWS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 02a9e927..d20fbabe 100644 --- a/NEWS +++ b/NEWS @@ -4,8 +4,9 @@ 0MQ version 4.3.1 stable, released on 2019/01/12 ================================================ -* A vulnerability has been found that would allow attackers to direct a peer to - jump to and execute from an address indicated by the attacker. +* CVE-2019-6250: A vulnerability has been found that would allow attackers to + direct a peer to jump to and execute from an address indicated by the + attacker. This issue has been present since v4.2.0. Older releases are not affected. NOTE: The attacker needs to know in advance valid addresses in the peer's memory to jump to, so measures like ASLR are effective mitigations.
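Review bot: the reworded bullet under the 4.3.1 heading now carries CVE-2019-6250, but it still gives only the impact and the lower bound ("This issue has been present since v4.2.0"). It does not name the last affected release or say in the bullet itself that 4.3.1 contains the fix, so a reader who arrives by searching for the CVE id has to infer both from the section heading. Consider adding a clause to the bullet with the affected range and the fixed version, plus a reference to the upstream issue or advisory if one is public. In the trailing context, the NOTE calls ASLR an effective mitigation. Since this entry is now the CVE's reference text, it would help to say there that upgrading is the remedy and ASLR only raises the bar for exploitation.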