Problem: V3 protocol handler vulnerable to downgrade attacks #1273
It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a ZMTP v2 or earlier header. The library accepts such connections without applying its security mechanism.
Solution: if security is defined on a socket, reject all V2 and earlier connections, unconditionally.
Fixed by #6cf120 and related commits.
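The check the solution describes, as an added example that is not libzmq's own code and not part of the original issue: the peer's greeting is classified by version, and any ZMTP 2.0 or earlier greeting is refused when a security mechanism is configured. `check_greeting`, `make_greeting` and `Verdict` are hypothetical names; the offsets follow the ZMTP 3.0 greeting layout (10-octet signature, 2-octet version, 20-octet null-padded mechanism), and the sample greetings are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

enum class Verdict { NeedMore, Accept, RejectLegacy, RejectMechanism };

// ZMTP 3.x greeting offsets: signature[10], version[2], mechanism[20], ...
constexpr size_t kSigLen = 10, kMajorPos = 10, kMechPos = 12, kMechLen = 20;

// Hypothetical helper: decide whether a peer's greeting may proceed.
// `required` is the mechanism configured on the local socket
// ("NULL" means no security is defined on it).
Verdict check_greeting(const uint8_t *buf, size_t len, const char *required)
{
    const bool secured = std::strcmp(required, "NULL") != 0;
    if (len == 0) return Verdict::NeedMore;
    // No 0xFF lead octet: a ZMTP 1.0 peer sending its identity frame.
    if (buf[0] != 0xFF)
        return secured ? Verdict::RejectLegacy : Verdict::Accept;
    if (len <= kMajorPos) return Verdict::NeedMore;
    const bool v3 = buf[kSigLen - 1] == 0x7F && buf[kMajorPos] >= 3;
    if (!v3)  // revision 0x00/0x01: ZMTP 1.0/2.0, which carry no mechanism
        return secured ? Verdict::RejectLegacy : Verdict::Accept;
    if (len < kMechPos + kMechLen) return Verdict::NeedMore;
    // Mechanism name is null-padded to 20 octets; compare the whole field.
    char want[kMechLen];
    std::strncpy(want, required, kMechLen);
    return std::memcmp(buf + kMechPos, want, kMechLen) == 0
               ? Verdict::Accept : Verdict::RejectMechanism;
}

// Constructed sample greeting: major version `major`, mechanism `mech`.
size_t make_greeting(uint8_t *out, uint8_t major, const char *mech)
{
    std::memset(out, 0, 64);
    out[0] = 0xFF; out[9] = 0x7F; out[10] = major;
    if (major < 3) return 12;  // v2: signature, revision, socket type
    std::memcpy(out + kMechPos, mech, std::strlen(mech));
    return 64;
}

int main()
{
    uint8_t g[64];
    size_t n = make_greeting(g, 1, "");
    // A v2 greeting against a CURVE-secured socket must be refused.
    return check_greeting(g, n, "CURVE") == Verdict::RejectLegacy ? 0 : 1;
}
```

The decision is made before any frames are processed, so a legacy peer never reaches a code path that skips the handshake.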