Debian alert DLA-2443-1 (zeromq3)


From:
               Utkarsh Gupta <utkarsh@debian.org>
To:
               debian-lts-announce@lists.debian.org
Subject:
               [SECURITY] [DLA 2443-1] zeromq3 security update
Date:
               Tue, 10 Nov 2020 20:24:16 +0530
Message-ID:
                <CAPP0f94q0aUyJ9HJfbjsfY1=DREfdnV4KL6KbaEvj2eLUzm74A@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2443-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
November 10, 2020                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : zeromq3
Version        : 4.2.1-4+deb9u3
CVE ID         : CVE-2020-15166

It was discovered that ZeroMQ, a lightweight messaging kernel
library does not properly handle connecting peers before a
handshake is completed. A remote, unauthenticated client connecting
to an application using the libzmq library, running with a socket
listening with CURVE encryption/authentication enabled can take
advantage of this flaw to cause a denial of service affecting
authenticated and encrypted clients.

For Debian 9 stretch, this problem has been fixed in version
4.2.1-4+deb9u3.

We recommend that you upgrade your zeromq3 packages.

For the detailed security status of zeromq3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zeromq3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl+qqUoACgkQgj6WdgbD
S5b11RAAymqFGD5xgtJdoqdvUxelgCbGCNpBiUcAQanx5LjDUZ68MGDifap7JfFN
B/Na0n4dJ1oGYtAgVRKCYUbkvRAe+2xSqq0etqAYX8FnRVKIp43c5/jC7bB+dFQ/
zK379LYYEDvkXQgu316+2HUwset/tsOnLLe0SvQWbe57zrWcjPAQ2HDOrcIeZrWz
DukbOqVBEQ6U+otgQ9biiMwA1nxOEOrMCkYSoYX14exDxBqCcwQVjWmjYGMt6ORP
Yh281p+rH9I1BcTARcyTYUn/30IEvQDPtmZ59/M2VXrdob0UT0foJAEb6FBVpueu
MVWJehuf7FBhw0IIkjunPHoFciAzvV5Ob+Yx5FSMh5P1w6dsVc3siMA9XUsra6Bq
p1ii0clmCrsWcMImC5nZsCr0N8+sC4TJPLTVQ8S6o11NuENUa5WqYkNOGIBzMUuc
Asc5cuzl+ZMdOTy27IU2iyrI0pR4ElxVhcBSC7i4Cvwv1mBvgMX6doaxjTTjVAo0
qzXwqQgeD04yIm6XVACWkDvGho44wsZmcck3PyHtqQ/KTspt3I1ug14PRg4uaBLj
IV1s/ZjAPxd8hVK/y/sOGh+OgvqHjLd8L195KeAPyExXWLMqF1Efp8h4qtC2ewbU
yCoQ2Is1wAfv4VeTxzfJu5ghR3Y/bWrnFiIES4DkYbrkbfvmmk0=
=E8Zr
-----END PGP SIGNATURE-----

From:		Utkarsh Gupta <utkarsh@debian.org>
To:		debian-lts-announce@lists.debian.org
Subject:		[SECURITY] [DLA 2443-1] zeromq3 security update
Date:		Tue, 10 Nov 2020 20:24:16 +0530
Message-ID:		<CAPP0f94q0aUyJ9HJfbjsfY1=DREfdnV4KL6KbaEvj2eLUzm74A@mail.gmail.com>