Problem: V3 protocol handler vulnerable to downgrade attacks #1273
Comments
Backported to 4.0.x and 4.1.x.
zultron added a commit to zultron/zeromq3-deb that referenced this issue May 5, 2015
bluerise pushed a commit to bitrig/bitrig-ports that referenced this issue May 13, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo pushed a commit to bitrig/bitrig-ports that referenced this issue May 21, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo pushed a commit to bitrig/bitrig-ports that referenced this issue May 26, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo pushed a commit to bitrig/bitrig-ports that referenced this issue May 28, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo pushed a commit to bitrig/bitrig-ports that referenced this issue Jul 7, 2015
testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a ZMTP v2 or earlier header. The library accepts such connections without applying its security mechanism.
Solution: if security is defined on a socket, reject all V2 and earlier connections, unconditionally.
Fixed by #6cf120 and related commits.
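The rejection rule described in this issue, as an added example (not libzmq's code and not the referenced fix): it classifies a peer's ZMTP version from the first greeting bytes and refuses v2 and earlier whenever security is configured, including the case where the greeting has only partly arrived. The names `zmtp_major`, `check_greeting`, `Verdict` and the sample byte arrays are hypothetical, and the strict match on the signature's last byte is an assumption of this sketch.

```cpp
// Added example (not libzmq code): version check on the first greeting bytes.
#include <cstddef>
#include <cstdint>
#include <cstdio>

enum class Verdict { NeedMoreData, Accept, RejectDowngrade };

// Peer's ZMTP major version (1, 2 or 3), or 0 if more bytes are needed.
int zmtp_major(const uint8_t *buf, size_t len)
{
    if (len == 0) return 0;
    if (buf[0] != 0xFF) return 1;   // no signature: unversioned ZMTP 1.0 frame
    if (len < 10) return 0;         // signature not complete yet
    if (buf[9] != 0x7F) return 1;   // assumption: strict match on signature end
    if (len < 11) return 0;         // revision / version-major byte not here yet
    if (buf[10] >= 3) return 3;     // version-major byte of a ZMTP 3.x greeting
    return buf[10] == 0 ? 1 : 2;    // revision 0 is ZMTP 1.0; other values below 3 count as v2
}

// Policy from the issue: with security configured, refuse anything below v3.
Verdict check_greeting(const uint8_t *buf, size_t len, bool security_enabled)
{
    int major = zmtp_major(buf, len);
    if (major == 0) return Verdict::NeedMoreData;   // never accept on a partial greeting
    if (security_enabled && major < 3) return Verdict::RejectDowngrade;
    return Verdict::Accept;
}

// Constructed sample greetings (leading bytes only), one per protocol generation.
const uint8_t V1_PEER[] = {0x01, 0x00};
const uint8_t V2_PEER[] = {0xFF, 0, 0, 0, 0, 0, 0, 0, 1, 0x7F, 0x01, 0x05};
const uint8_t V3_PEER[] = {0xFF, 0, 0, 0, 0, 0, 0, 0, 1, 0x7F, 0x03, 0x00,
                           'C', 'U', 'R', 'V', 'E'};

int main()
{
    const char *names[] = {"need-more-data", "accept", "reject-downgrade"};
    printf("v1, security on:  %s\n", names[(int) check_greeting(V1_PEER, sizeof V1_PEER, true)]);
    printf("v2, security on:  %s\n", names[(int) check_greeting(V2_PEER, sizeof V2_PEER, true)]);
    printf("v3, security on:  %s\n", names[(int) check_greeting(V3_PEER, sizeof V3_PEER, true)]);
    printf("v2, security off: %s\n", names[(int) check_greeting(V2_PEER, sizeof V2_PEER, false)]);
    return 0;
}
```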