libzmq5-32bit-4.3.4-2.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11540-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libzmq5-32bit-4.3.4-2.2 on GA media These are all security issues fixed in the libzmq5-32bit-4.3.4-2.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11540 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-13132/ SUSE CVE CVE-2019-13132 page https://www.suse.com/security/cve/CVE-2019-6250/ SUSE CVE CVE-2019-6250 page https://www.suse.com/security/cve/CVE-2020-15166/ SUSE CVE CVE-2020-15166 page openSUSE Tumbleweed libzmq5-4.3.4-2.2 libzmq5-32bit-4.3.4-2.2 zeromq-devel-4.3.4-2.2 zeromq-tools-4.3.4-2.2 libzmq5-4.3.4-2.2 as a component of openSUSE Tumbleweed libzmq5-32bit-4.3.4-2.2 as a component of openSUSE Tumbleweed zeromq-devel-4.3.4-2.2 as a component of openSUSE Tumbleweed zeromq-tools-4.3.4-2.2 as a component of openSUSE Tumbleweed In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations. CVE-2019-13132 openSUSE Tumbleweed:libzmq5-32bit-4.3.4-2.2 openSUSE Tumbleweed:libzmq5-4.3.4-2.2 openSUSE Tumbleweed:zeromq-devel-4.3.4-2.2 openSUSE Tumbleweed:zeromq-tools-4.3.4-2.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13132.html CVE-2019-13132 https://bugzilla.suse.com/1140255 SUSE Bug 1140255 A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control). CVE-2019-6250 openSUSE Tumbleweed:libzmq5-32bit-4.3.4-2.2 openSUSE Tumbleweed:libzmq5-4.3.4-2.2 openSUSE Tumbleweed:zeromq-devel-4.3.4-2.2 openSUSE Tumbleweed:zeromq-tools-4.3.4-2.2 important 9 AV:N/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6250.html CVE-2019-6250 https://bugzilla.suse.com/1121717 SUSE Bug 1121717 https://bugzilla.suse.com/1122012 SUSE Bug 1122012 In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3. CVE-2020-15166 openSUSE Tumbleweed:libzmq5-32bit-4.3.4-2.2 openSUSE Tumbleweed:libzmq5-4.3.4-2.2 openSUSE Tumbleweed:zeromq-devel-4.3.4-2.2 openSUSE Tumbleweed:zeromq-tools-4.3.4-2.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15166.html CVE-2020-15166 https://bugzilla.suse.com/1176116 SUSE Bug 1176116