Thanks Luca for all the help and contribution, the fix is released. Feel free to contact us in case of new issues.

** Changed in: zeromq3 (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to zeromq3 in Ubuntu.
https://bugs.launchpad.net/bugs/1835213

Title:
  CVE-2019-13132

Status in zeromq3 package in Ubuntu:
  Fix Released

Bug description:
  Dear Security Team,

  I am the upstream maintainer of libzmq/zeromq - https://github.com/zeromq/libzmq

  CVE-2019-13132 has been reported privately, and I have confirmed it is not only valid but quite bad (TM). The bug allows any unauthenticated client to cause a stack overflow on any server that is supposed to be protected by encryption/authentication. Arbitrary data sent by the client will overwrite the stack, so although the reporter didn't provide a specific exploit, it is entirely possible that a crafty attacker could take advantage of this vulnerability to do more than "just" crash the server.

  The bug affects all libzmq/zeromq releases from 4.0.0 onward. Any server running with CURVE encryption/authentication is vulnerable.

  Due to the severity, I have not yet published the details on the CVE or the issue tracker, and would like to do a release before it is disclosed, to let the fix percolate in all distros.

  The proposed plan is as follows: I will release upstream versions 4.3.2, 4.1.7 and 4.0.9 on Monday the 8th of July at 16:00 UTC. I would kindly ask to hold on publishing the security updates with the attached patches until the above time&date or later, as your schedule&availability permits, if possible. The CVE details and the upstream issue tracker will then be published a week later, on the 15th.

  The per-version patches cover the following distro releases:

  xenial 4.1.4
  bionic 4.2.5
  cosmic 4.2.5
  disco 4.3.1

  Thank you for your help!