CVE-2020-15166

Name: CVE-2020-15166
Description: In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-4761-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
zeromq3 (PTS) | stretch (security), stretch | 4.2.1-4+deb9u2 | vulnerable
zeromq3 (PTS) | buster, buster (security) | 4.3.1-4+deb10u2 | fixed
zeromq3 (PTS) | bullseye, sid | 4.3.3-2 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
zeromq3 | source | buster | 4.3.1-4+deb10u2 | (none) | DSA-4761-1 | (none)
zeromq3 | source | (unstable) | 4.3.3-1 | (none) | (none) | (none)

Notes

https://www.openwall.com/lists/oss-security/2020/09/07/3
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
https://github.com/zeromq/libzmq/commit/e7f0090b161ce6344f6bd35009816a925c070b09
