Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2020-15166

In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.

Related bugs and status

CVE-2020-15166 (Candidate) is related to these bugs:

Bug #1811531: remote execution vulnerability

		In	Importance	Status
1811531	remote execution vulnerability	zeromq3 (Ubuntu)	Undecided	Fix Released
1811531	remote execution vulnerability	zeromq3 (Debian)	Unknown	Fix Released
1811531	remote execution vulnerability	zeromq (Suse)	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://github.com/zer...
MISC: https://github.com/zer...
MISC: https://github.com/zer...
GENTOO: GLSA-202009-12
FEDORA: FEDORA-2020-08402f4071
FEDORA: FEDORA-2020-5460fcf6bd
MLIST: [debian-lts-announce] ...