CVE-2019-13132
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
zeromq3 (Ubuntu) | Fix Released | Undecided | Eduardo Barretto | | |
Bug Description
Dear Security Team,
I am the upstream maintainer of libzmq/zeromq - https:/
CVE-2019-13132 has been reported privately, and I have confirmed it is not only valid but quite bad (TM).
The bug allows any unauthenticated client to cause a stack overflow on any server that is supposed to be protected by encryption/
The bug affects all libzmq/zeromq releases from 4.0.0 onward. Any server running with CURVE encryption/
Due to the severity, I have not yet published the details on the CVE or the issue tracker, and would like to do a release before it is disclosed, to let the fix percolate in all distros.
The proposed plan is as follows:
I will release upstream versions 4.3.2, 4.1.7 and 4.0.9 on Monday the 8th of July at 16:00 UTC.
I would kindly ask to hold on publishing the security updates with the attached patches until the above time&date or later, as your schedule&
The CVE details and the upstream issue tracker will then be published a week later, on the 15th.
The per-version patches cover the following distro releases:
xenial 4.1.4
bionic 4.2.5
cosmic 4.2.5
disco 4.3.1
Thank you for your help!
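The report above gives the affected range (every upstream release from 4.0.0 onward) and the upstream fix releases (4.0.9, 4.1.7 and 4.3.2), but the Ubuntu packages it lists (4.1.4, 4.2.5, 4.3.1) are fixed by backported patches rather than by a version bump. The following check, added here as an example and not code from the report, the zeromq project or Ubuntu, encodes only those statements: it classifies an upstream MAJOR.MINOR.PATCH version string and refuses to guess for series the report names no upstream fix for. The function names `upstream_status`, `parse_version` and `runtime_libzmq_version` are this example's own; the optional runtime lookup uses pyzmq's `zmq.zmq_version()`.

```python
"""Classify a libzmq version against CVE-2019-13132 using only the facts in the report.

Added example, not from the bug report or the zeromq project. Caveat: a distro
package such as Ubuntu's 4.2.5 may carry the backported fix, so a bare upstream
version number can only show that a build is from a vulnerable series, never
that a patched distro build is still vulnerable.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# From the report: "all libzmq/zeromq releases from 4.0.0 onward" are affected.
FIRST_AFFECTED: Version = (4, 0, 0)

# From the report: upstream fix releases 4.0.9, 4.1.7 and 4.3.2, keyed by series.
UPSTREAM_FIXED: Dict[Tuple[int, int], Version] = {
    (4, 0): (4, 0, 9),
    (4, 1): (4, 1, 7),
    (4, 3): (4, 3, 2),
}


def parse_version(text: str) -> Version:
    """Parse a plain MAJOR.MINOR.PATCH string; reject anything else loudly."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH libzmq version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def upstream_status(text: str) -> str:
    """Return 'not-affected', 'vulnerable', 'fixed' or 'unknown' for an upstream version.

    'unknown' covers series for which the report lists no upstream fix release
    (for example 4.2.x, which Ubuntu patches directly in its 4.2.5 package).
    """
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return "not-affected"
    fixed = UPSTREAM_FIXED.get(version[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def runtime_libzmq_version() -> Optional[str]:
    """Version of the libzmq that pyzmq is linked against, or None if pyzmq is absent."""
    try:
        import zmq  # pyzmq; zmq.zmq_version() reports the linked libzmq version
    except ImportError:
        return None
    return zmq.zmq_version()


if __name__ == "__main__":
    linked = runtime_libzmq_version()
    if linked is None:
        print("pyzmq not installed; pass a version string to upstream_status() instead")
    else:
        print(f"linked libzmq {linked}: upstream status {upstream_status(linked)}")
```

Treat "vulnerable" as "rebuild or update unless the package changelog shows the CVE-2019-13132 patch", since the per-version distro patches in the report leave the upstream version string unchanged.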
CVE References
Changed in zeromq3 (Ubuntu):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Thanks Luca for reporting it and providing the patches. I would like to know if there's an exploit/test case that can be used to verify that the patch actually fixes the issue. Thanks in advance.