On Sat, 12 Jan 2019 17:29:23 +0000 Luca Boccassi <bl...@debian.org> wrote:
> On Sat, 12 Jan 2019 16:54:42 +0000 Luca Boccassi <bl...@debian.org>
> wrote:
> > Package: libzmq5
> > Version: 4.2.0-1
> > Severity: important
> > Tags: patch security upstream fixed-upstream
> >
> > Dear Maintainer,
> >
> > A remote execution vulnerability has been reported in zeromq. Full
> > details can be found on the upstream issue tracker [1].
> >
> > The issue is fixed in upstream version v4.3.1, just released, or with
> > the attached patch which is targeted for v4.2.1 (stretch).
> >
> > I would highly recommend to upgrade to the latest version for Buster,
> > and to consider at least an upload to stable-p-u with the patch.
> >
> > As mentioned in the upstream tracker and the changelog, the issue can
> > be mitigated by ASLR and by authentication via CURVE/GSSAPI. As far as
> > I am aware no CVEs have been assigned nor have been requested as of
> > now.
> >
> > --
> > Kind regards,
> > Luca Boccassi
> >
> > [1] https://github.com/zeromq/libzmq/issues/3351
>
> Sorry, I fat-fingered the patch refresh and the variable name is wrong.
> Corrected version attached.

Despite the name of the file, it's actually for 4.2.1 (stretch). Sorry,
juggling many emails and bug trackers at the moment...

--
Kind regards,
Luca Boccassi