This script is Copyright (C) 2014 Tenable Network Security, Inc.
The remote openSUSE host is missing a security update.
zeromq was updated to version 4.0.5 to fix two security issues and
various other bugs.
These security issues were fixed :
- Did not validate the other party's security handshake properly, allowing a man-in-the-middle downgrade attack
- Did not implement a uniqueness check on connection nonces, and the CurveZMQ RFC was ambiguous about nonce validation. This allowed replay attacks (CVE-2014-7203).
Other issues fixed in this update :
- CURVE mechanism does not verify short term nonces.
- stream_engine is vulnerable to downgrade attacks.
- assertion failure for WSAENOTSOCK on Windows.
- race condition while connecting inproc sockets.
- bump so library number to 4.0.0
- assertion failed: !more (fq.cpp:99) after many ZAP
- lost first part of message over inproc://.
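The nonce items above come down to a receiver-side check that refuses any nonce it has already accepted. The following is an added illustration, not code from zeromq or from this plugin: `NonceGuard` and `run_sample` are hypothetical names, and the 8-byte big-endian counter layout and the strictly-increasing rule (a stricter form of uniqueness that needs no history table) are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Per-connection replay guard (hypothetical name, not a libzmq type).
// Assumption: the nonce travels as an 8-byte big-endian counter.
class NonceGuard
{
  public:
    // Accepts a nonce only if it is strictly greater than every nonce already
    // accepted on this connection. On false the caller drops the frame.
    bool accept(const unsigned char *nonce, std::size_t len)
    {
        if (nonce == nullptr || len != 8)
            return false; // malformed nonce is rejected, never skipped
        std::uint64_t n = 0;
        for (std::size_t i = 0; i < 8; ++i)
            n = (n << 8) | nonce[i];
        if (seen_any_ && n <= last_)
            return false; // replayed or reordered frame
        last_ = n;
        seen_any_ = true;
        return true;
    }

  private:
    std::uint64_t last_ = 0;
    bool seen_any_ = false;
};

// Constructed sample: counters 1, 2, replay of 1, replay of 2, then 3.
// Returns a bitmask with bit i set when frame i was accepted.
unsigned run_sample()
{
    const unsigned char frames[5][8] = {
        {0, 0, 0, 0, 0, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 2}, {0, 0, 0, 0, 0, 0, 0, 1},
        {0, 0, 0, 0, 0, 0, 0, 2}, {0, 0, 0, 0, 0, 0, 0, 3}};
    NonceGuard guard;
    unsigned mask = 0;
    for (unsigned i = 0; i < 5; ++i)
        if (guard.accept(frames[i], 8))
            mask |= 1u << i;
    return mask;
}

int main()
{
    std::printf("accepted mask: 0x%02x\n", run_sample());
}
```

The guard state has to live for the lifetime of the connection's keys; resetting it while the same keys remain in use lets previously captured frames through again.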
Update the affected zeromq packages.
Risk factor : Medium / CVSS Base Score : 4.3