** Description changed:

  Dear Maintainer,
  
  A remote execution vulnerability has been reported in zeromq. Full
  details can be found on the upstream issue tracker [1].
  
  The issue is fixed in upstream version v4.3.1, just released, or with
  the attached patch which is targeted for v4.2.5 (bionic and cosmic).
  
  The latest version will hopefully arrive in disco via debian unstable
  soon, but I would recommend patching older releases.
  
  As mentioned in the upstream tracker and the changelog, the issue can be
  mitigated by ASLR and by authentication via CURVE/GSSAPI. As far as I am
  aware no CVEs have been assigned nor have been requested as of now.
+ 
+ [1] https://github.com/zeromq/libzmq/issues/3351

** Bug watch added: Debian Bug tracker #919098
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919098

** Also affects: zeromq3 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919098
   Importance: Unknown
       Status: Unknown

** Bug watch added: bugzilla.opensuse.org/ #1121717
   https://bugzilla.opensuse.org/show_bug.cgi?id=1121717

** Also affects: zeromq (Suse) via
   https://bugzilla.opensuse.org/show_bug.cgi?id=1121717
   Importance: Unknown
       Status: Unknown

https://bugs.launchpad.net/bugs/1811531

Title:
  remote execution vulnerability

Status in zeromq3 package in Ubuntu:
  New
Status in zeromq3 package in Debian:
  Unknown
Status in zeromq package in Suse:
  Unknown

Bug description:
  Dear Maintainer,

  A remote execution vulnerability has been reported in zeromq. Full
  details can be found on the upstream issue tracker [1].

  The issue is fixed in upstream version v4.3.1, just released, or with
  the attached patch which is targeted for v4.2.5 (bionic and cosmic).

  The latest version will hopefully arrive in disco via Debian unstable
  soon, but I would recommend patching older releases.

  As mentioned in the upstream tracker and the changelog, the issue can
  be mitigated by ASLR and by authentication via CURVE/GSSAPI. As far as
  I am aware no CVEs have been assigned nor have been requested as of
  now.

  [1] https://github.com/zeromq/libzmq/issues/3351
