CVE-2020-15166

Name: CVE-2020-15166
Description: In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2443-1, DSA-4761-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                     Version            Status
zeromq3 (PTS)     buster, buster (security)   4.3.1-4+deb10u2    fixed
zeromq3 (PTS)     bullseye                    4.3.4-1+deb11u1    fixed
zeromq3 (PTS)     bookworm                    4.3.4-6            fixed
zeromq3 (PTS)     sid, trixie                 4.3.5-1            fixed

The information below is based on the following data on fixed versions.

Package    Type      Release      Fixed Version      Urgency    Origin        Debian Bugs
zeromq3    source    stretch      4.2.1-4+deb9u3                DLA-2443-1
zeromq3    source    buster       4.3.1-4+deb10u2               DSA-4761-1
zeromq3    source    (unstable)   4.3.3-1

Notes

https://www.openwall.com/lists/oss-security/2020/09/07/3
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
https://github.com/zeromq/libzmq/commit/e7f0090b161ce6344f6bd35009816a925c070b09
