Problem: V3 protocol handler vulnerable to downgrade attacks #1273
hintjens
changed the title
Problem: security mechanism is not applied to old protocols
Problem: V3 protocol handler is vulnerable to downgrade attacks
Dec 4, 2014
hintjens
changed the title
Problem: V3 protocol handler is vulnerable to downgrade attacks
Problem: V3 protocol handler vulnerable to downgrade attacks
Dec 4, 2014
Backported to 4.0.x and 4.1.x.
zultron
added a commit
to zultron/zeromq3-deb
that referenced
this issue
May 5, 2015
bluerise
pushed a commit
to bitrig/bitrig-ports
that referenced
this issue
May 13, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo
pushed a commit
to bitrig/bitrig-ports
that referenced
this issue
May 21, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo
pushed a commit
to bitrig/bitrig-ports
that referenced
this issue
May 26, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo
pushed a commit
to bitrig/bitrig-ports
that referenced
this issue
May 28, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo
pushed a commit
to bitrig/bitrig-ports
that referenced
this issue
Jul 7, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
bluca
pushed a commit
that referenced
this issue
Oct 31, 2023
Solution: backport fix from libzmq master. Also backported test cases.
bluca
pushed a commit
that referenced
this issue
Oct 31, 2023
Problem: issue #1273, protocol downgrade attack
It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a ZMTP v2 or earlier header. The library accepts such connections without applying its security mechanism.
Solution: if security is defined on a socket, reject all V2 and earlier connections, unconditionally.
Fixed by #6cf120 and related commits.
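The rule stated in the solution above, sketched as a greeting gate. This is an added example, not libzmq's code or the referenced fix: the names `classify_greeting`, `gate`, `kV2` and `kV3Curve` are hypothetical, and the byte layout in the comments is assumed from the published ZMTP greeting format. It goes one step beyond the issue text by also checking that a V3 peer announces the mechanism configured on the socket.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

enum class Zmtp { Incomplete, V1, V2, V3 };
enum class Verdict { NeedMore, Accept, Reject };

// Assumed greeting layout: 10-byte signature (0xFF, 8 padding bytes, 0x7F),
// then a revision byte (0x00 = ZMTP 1.0, 0x01 = ZMTP 2.0, 0x03 = ZMTP 3.x).
// A first byte other than 0xFF is an unversioned ZMTP 1.0 identity frame.
Zmtp classify_greeting(const uint8_t *buf, size_t len) {
    if (len == 0) return Zmtp::Incomplete;
    if (buf[0] != 0xFF) return Zmtp::V1;
    if (len < 10) return Zmtp::Incomplete;
    if (!(buf[9] & 0x01)) return Zmtp::V1;  // 0xFF was a length flag, not a signature
    if (len < 11) return Zmtp::Incomplete;
    if (buf[10] == 0x00) return Zmtp::V1;
    return buf[10] < 0x03 ? Zmtp::V2 : Zmtp::V3;  // revisions below 3 count as pre-V3
}

// Gate run before any frame is processed. `mechanism` is the mechanism
// configured on the local socket: "NULL", "PLAIN" or "CURVE".
Verdict gate(const uint8_t *buf, size_t len, const std::string &mechanism) {
    const Zmtp v = classify_greeting(buf, len);
    if (v == Zmtp::Incomplete) return Verdict::NeedMore;
    if (mechanism == "NULL") return Verdict::Accept;  // no security configured
    if (v != Zmtp::V3) return Verdict::Reject;        // V2 and earlier: unconditional
    // ZMTP 3.x: bytes 12..31 carry the peer's mechanism name, NUL-padded.
    if (len < 32) return Verdict::NeedMore;
    char peer[21] = {0};
    std::memcpy(peer, buf + 12, 20);
    return mechanism == peer ? Verdict::Accept : Verdict::Reject;
}

// Constructed sample greetings (not captured traffic).
const uint8_t kV2[12] = {0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0x7F, 0x01, 0x00};
const uint8_t kV3Curve[32] = {0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0x7F, 0x03, 0x00,
                              'C', 'U', 'R', 'V', 'E'};

int main() {
    std::printf("v2 on CURVE socket: %d, v3/CURVE on CURVE socket: %d\n",
                static_cast<int>(gate(kV2, sizeof kV2, "CURVE")),
                static_cast<int>(gate(kV3Curve, sizeof kV3Curve, "CURVE")));
    return 0;
}
```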