Date: Wed, 26 May 2021 00:41:21 GMT From: "Danilo G. Baio" <dbaio@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: b48ef2625f60 - main - security/vuxml: Document net/libzmq4 issues Message-ID: <202105260041.14Q0fLD1056998@gitrepo.freebsd.org>
The branch main has been updated by dbaio: URL: https://cgit.FreeBSD.org/ports/commit/?id=b48ef2625f60a360d0c7618d1650a7dd9155b89b commit b48ef2625f60a360d0c7618d1650a7dd9155b89b Author: Danilo G. Baio <dbaio@FreeBSD.org> AuthorDate: 2021-05-25 23:05:22 +0000 Commit: Danilo G. Baio <dbaio@FreeBSD.org> CommitDate: 2021-05-26 00:33:57 +0000 security/vuxml: Document net/libzmq4 issues PR: 255102 Reported by: Thomas Petig <thomas@petig.eu> Security: CVE-2019-13132 Security: CVE-2020-15166 --- security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 1d575fd1cacd..23bff9bd9ddd 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -76,6 +76,73 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="21ec4428-bdaa-11eb-a04e-641c67a117d8"> + <topic>libzmq4 -- Denial of Service</topic> + <affects> + <package> + <name>libzmq4</name> + <range><lt>4.3.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google's oss-fuzz project reports:</p> + <blockquote cite="https://github.com/zeromq/libzmq/releases/tag/v4.3.3"> + <p>Denial-of-Service on CURVE/ZAP-protected servers by + unauthenticated clients. + If a raw TCP socket is opened and connected to an endpoint that is fully + configured with CURVE/ZAP, legitimate clients will not be able to exchange + any message. Handshakes complete successfully, and messages are delivered to + the library, but the server application never receives them.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2020-15166</cvename> + <url>https://github.com/zeromq/libzmq/releases/tag/v4.3.3</url> + <url>https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m</url> + <freebsdpr>ports/255102</freebsdpr> + </references> + <dates> + <discovery>2020-09-07</discovery> + <entry>2021-05-25</entry> + </dates> + </vuln> + + <vuln vid="6954a2b0-bda8-11eb-a04e-641c67a117d8"> + <topic>libzmq4 -- Stack overflow</topic> + <affects> + <package> + <name>libzmq4</name> + <range><lt>4.3.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Fang-Pen Lin reports:</p> + <blockquote cite="https://github.com/zeromq/libzmq/releases/tag/v4.3.2"> + <p>A remote, unauthenticated client connecting to a + libzmq application, running with a socket listening with CURVE + encryption/authentication enabled, may cause a stack overflow and + overwrite the stack with arbitrary data, due to a buffer overflow in + the library. 
Users running public servers with the above configuration + are highly encouraged to upgrade as soon as possible, as there are no + known mitigations.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2019-13132</cvename> + <url>https://github.com/zeromq/libzmq/releases/tag/v4.3.2</url> + <url>https://github.com/zeromq/libzmq/issues/3558</url> + <freebsdpr>ports/255102</freebsdpr> + </references> + <dates> + <discovery>2019-06-27</discovery> + <entry>2021-05-25</entry> + </dates> + </vuln> + <vuln vid="0882f019-bd60-11eb-9bdd-8c164567ca3c"> <topic>NGINX -- 1-byte memory overwrite in resolver</topic> <affects>
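Review bot: the attribution in the first entry (vid 21ec4428-bdaa-11eb-a04e-641c67a117d8) does not match its citation: the `<p>` says "Google's oss-fuzz project reports:" while the `<blockquote cite="...">` points at the libzmq v4.3.3 release notes, and the quoted text reads as release-note prose rather than a fuzzer report. Either credit the libzmq release notes as the source of the quote, or point `cite` at the GHSA-25wp-cf8g-938m advisory that is already listed under `<references>`, so the reporter and the quoted source agree. The second entry (CVE-2019-13132) is consistent in this respect: "Fang-Pen Lin reports:" with `cite` on the v4.3.2 release notes and the upstream issue #3558 in the references. Both `<range><lt>...</lt></range>` values line up with the release tags cited as the fix, and both entries carry the same `<freebsdpr>ports/255102</freebsdpr>`, which matches the PR in the commit message.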