openSUSE Security Update : zeromq (openSUSE-SU-2014:1493-1)
Medium Nessus Plugin ID 79575
Synopsis
The remote openSUSE host is missing a security update.
Description
zeromq was updated to version 4.0.5 to fix two security issues and various other bugs.
These security issues were fixed:
- zeromq did not properly validate the other party's security handshake, allowing a man-in-the-middle downgrade attack (CVE-2014-7202).
- zeromq did not implement a uniqueness check on connection nonces, and the CurveZMQ RFC was ambiguous about nonce validation. This allowed replay attacks (CVE-2014-7203).
Other issues fixed in this update:
- CURVE mechanism does not verify short term nonces.
- stream_engine is vulnerable to downgrade attacks.
- assertion failure for WSAENOTSOCK on Windows.
- race condition while connecting inproc sockets.
- bump so library number to 4.0.0
- assertion failed: !more (fq.cpp:99) after many ZAP requests.
- lost first part of message over inproc://.
Solution
Update the affected zeromq packages.