Security update for zeromq SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1767-1 Final 1 1 2019-07-21T05:36:51Z current 2019-07-21T05:36:51Z 2019-07-21T05:36:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for zeromq This update for zeromq fixes the following issues: - CVE-2019-13132: An unauthenticated remote attacker could have exploited a stack overflow vulnerability on a server that is supposed to be protected by encryption and authentication to potentially gain a remote code execution. (bsc#1140255) - Correctly mark license files as licence instead of documentation (bsc#1082318) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1767 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00033.html E-Mail link for openSUSE-SU-2019:1767-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1082318 SUSE Bug 1082318 https://bugzilla.suse.com/1140255 SUSE Bug 1140255 https://www.suse.com/security/cve/CVE-2019-13132/ SUSE CVE CVE-2019-13132 page openSUSE Leap 15.0 openSUSE Leap 15.1 libzmq5-4.2.3-lp151.5.3.1 zeromq-devel-4.2.3-lp151.5.3.1 zeromq-tools-4.2.3-lp151.5.3.1 libzmq5-4.2.3-lp151.5.3.1 as a component of openSUSE Leap 15.0 zeromq-devel-4.2.3-lp151.5.3.1 as a component of openSUSE Leap 15.0 zeromq-tools-4.2.3-lp151.5.3.1 as a component of openSUSE Leap 15.0 libzmq5-4.2.3-lp151.5.3.1 as a component of openSUSE Leap 15.1 zeromq-devel-4.2.3-lp151.5.3.1 as a component of openSUSE Leap 15.1 zeromq-tools-4.2.3-lp151.5.3.1 as a component of openSUSE Leap 15.1 In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations. CVE-2019-13132 openSUSE Leap 15.0:libzmq5-4.2.3-lp151.5.3.1 openSUSE Leap 15.0:zeromq-devel-4.2.3-lp151.5.3.1 openSUSE Leap 15.0:zeromq-tools-4.2.3-lp151.5.3.1 openSUSE Leap 15.1:libzmq5-4.2.3-lp151.5.3.1 openSUSE Leap 15.1:zeromq-devel-4.2.3-lp151.5.3.1 openSUSE Leap 15.1:zeromq-tools-4.2.3-lp151.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00033.html https://www.suse.com/security/cve/CVE-2019-13132.html CVE-2019-13132 https://bugzilla.suse.com/1140255 SUSE Bug 1140255